Lucene search

HistorySep 18, 2019 - 12:00 a.m.

VMSA-2019-0013 : Command injection and information disclosure vulnerabilities

2019-09-1800:00:00

www.tenable.com

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.9%

JSON

a. VMware ESXi busybox command injection vulnerability

ESXi contains a command injection vulnerability due to the use of vulnerable version of busybox that does not sanitize filenames which may result into executing any escape sequence in the shell.

An attacker may exploit this issue by tricking an ESXi Admin into executing shell commands by providing a malicious file.

b. ESXi Host Client information disclosure vulnerability

An information disclosure vulnerability in clients arising from insufficient session expiration.

An attacker with physical access or an ability to mimic a websocket connection to a users browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from VMware Security Advisory 2019-0013. 
# The text itself is copyright (C) VMware Inc.
#

include('compat.inc');

if (description)
{
  script_id(128994);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/24");

  script_cve_id("CVE-2017-16544", "CVE-2019-5531");
  script_xref(name:"VMSA", value:"2019-0013");
  script_xref(name:"IAVA", value:"2019-A-0344");

  script_name(english:"VMSA-2019-0013 : Command injection and information disclosure vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote VMware ESXi host is missing one or more security-related
patches.");
  script_set_attribute(attribute:"description", value:
"a. VMware ESXi busybox command injection vulnerability

ESXi contains a command injection vulnerability due to the use of vulnerable version of busybox that does not sanitize filenames which may result into executing any escape sequence in the shell.

An attacker may exploit this issue by tricking an ESXi Admin into executing shell commands by providing a malicious file. 

b. ESXi Host Client information disclosure vulnerability

An information disclosure vulnerability in clients arising from insufficient session expiration.

An attacker with physical access or an ability to mimic a websocket connection to a users browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out.");
  script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2019/000467.html");
  script_set_attribute(attribute:"solution", value:
"Apply the missing patches.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-16544");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/09/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.7");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"VMware ESX Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
  script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");

  exit(0);
}


include("audit.inc");
include("vmware_esx_packages.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
if (
  !get_kb_item("Host/VMware/esxcli_software_vibs") &&
  !get_kb_item("Host/VMware/esxupdate")
) audit(AUDIT_PACKAGE_LIST_MISSING);


init_esx_check(date:"2019-09-16");
flag = 0;


if (esx_check(ver:"ESXi 6.0", vib:"VMware:esx-base:6.0.0-3.125.14475122")) flag++;
if (esx_check(ver:"ESXi 6.0", vib:"VMware:esx-ui:1.30.0-9063842")) flag++;
if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsan:6.0.0-3.125.14292904")) flag++;
if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsanhealth:6.0.0-3000000.3.0.3.125.14292905")) flag++;

if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-base:6.5.0-3.96.13932383")) flag++;
if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-tboot:6.5.0-3.96.13932383")) flag++;
if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-ui:1.31.0-10201673")) flag++;
if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsan:6.5.0-3.96.13371499")) flag++;
if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsanhealth:6.5.0-3.96.13530496")) flag++;

if (esx_check(ver:"ESXi 6.7", vib:"VMware:esx-base:6.7.0-0.28.10176879")) flag++;
if (esx_check(ver:"ESXi 6.7", vib:"VMware:esx-base:6.7.0-1.44.12986307")) flag++;
if (esx_check(ver:"ESXi 6.7", vib:"VMware:esx-update:6.7.0-1.44.12986307")) flag++;
if (esx_check(ver:"ESXi 6.7", vib:"VMware:vsan:6.7.0-0.28.10176879")) flag++;
if (esx_check(ver:"ESXi 6.7", vib:"VMware:vsan:6.7.0-1.44.11399678")) flag++;
if (esx_check(ver:"ESXi 6.7", vib:"VMware:vsanhealth:6.7.0-0.28.10176879")) flag++;
if (esx_check(ver:"ESXi 6.7", vib:"VMware:vsanhealth:6.7.0-1.44.11399680")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:esx_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

VendorProductVersionCPE
vmwareesxi6.0cpe:/o:vmware:esxi:6.0
vmwareesxi6.5cpe:/o:vmware:esxi:6.5
vmwareesxi6.7cpe:/o:vmware:esxi:6.7

Vendor	Product	Version	CPE
vmware	esxi	6.0	cpe:/o:vmware:esxi:6.0
vmware	esxi	6.5	cpe:/o:vmware:esxi:6.5
vmware	esxi	6.7	cpe:/o:vmware:esxi:6.7

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16544

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5531

lists.vmware.com/pipermail/security-announce/2019/000467.html

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.9%

JSON

Related for VMWARE_VMSA-2019-0013.NASL