VMware VMSA-2010-0011
Jul 13, 2010 - 12:00 a.m.

VMware Studio 2.1 addresses security vulnerabilities in virtual appliances created with Studio 2.0.

2010-07-13 00:00:00
www.vmware.com
EPSS: 0.005 (Low), percentile 75.8%

a. VMware Studio 2.0 remote command execution by Studio user

VMware Studio is a development tool to create and manage virtual appliances. VMware Studio itself is a virtual appliance.

A vulnerability in the Virtual Appliance Management Infrastructure (VAMI) allows for remote command execution in Studio 2.0 or in virtual appliances created with Studio 2.0. Exploitation of the issue requires authentication to Studio or to the virtual appliance.

Studio 2.0
----------

The vulnerability may be exploited on Studio if both of these conditions apply:

- you have Studio 2.0 and
- you have created a user account with limited privileges (this is not the default configuration).

Studio is by default shipped with the root user account and no other user accounts. For this reason, exploitation of the vulnerability would not yield any gain for an attacker since the attacker would need to know the credentials of the root user account in order to launch an attack. If an attacker knows the credentials of the root user, the attacker will have other avenues to compromise Studio.

In case another user account with limited privileges has been added to Studio, the exploitation of the issue may lead to remote command execution by the attacker. The attacker would still need to know the credentials of the additional user account in order to launch an attack.

Virtual appliances created with Studio 2.0
------------------------------------------

The vulnerability may be exploited on a virtual appliance if both of these conditions apply:

- the virtual appliance was created with Studio 2.0 and
- the virtual appliance has a user account with limited privileges.

The following command will show which version of Studio was used to create the virtual appliance: "vamicli version --studio"

If the issue can be exploited, the following will remove this possibility:

- disable user accounts that have limited privileges or
- disable the vami-sfcbd daemon (note: this will prevent the use of VAMI features such as using the web interface to set the network configuration) or
- recreate the virtual appliance using Studio 2.1.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2667 to this issue.

VMware would like to thank Claudio Criscione of Secure Network for reporting this issue to us.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
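
The exposure conditions and mitigations described above can be checked on an appliance with a short script. This is an added example, not VMware's code; the format of the `vamicli version --studio` output, the definition of a limited-privilege account (non-root UID, login shell, unlocked password) and the daemon's process name are assumptions.

```shell
#!/bin/sh
# Added example (not VMware code). Assumptions are marked "ASSUMPTION".

# ASSUMPTION: `vamicli version --studio` prints the Studio version as a dotted
# number; any value starting with 2.0 counts as "created with Studio 2.0".
studio_is_2_0() {
    printf '%s\n' "$1" | grep -Eq '(^|[^0-9.])2\.0(\.[0-9]+)*([^0-9.]|$)'
}

# ASSUMPTION: a "user account with limited privileges" is a local account with
# a non-zero UID, a login shell, and a password that is not locked in shadow.
# usage: limited_accounts PASSWD_FILE SHADOW_FILE  -> one account name per line
limited_accounts() {
    awk -F: '
        FILENAME == ARGV[1] { hash[$1] = $2; next }   # shadow: name -> hash
        $3 != 0 && $7 !~ /(nologin|false)$/ &&
        ($1 in hash) && hash[$1] !~ /^[!*]/ { print $1 }
    ' "$2" "$1"
}

# usage: assess VERSION_TEXT PASSWD_FILE SHADOW_FILE DAEMON_RUNNING(yes|no)
# Prints one verdict line that follows the advisory's conditions in order.
assess() {
    if ! studio_is_2_0 "$1"; then
        echo "not-affected: not built with Studio 2.0"; return 0
    fi
    users=$(limited_accounts "$2" "$3")
    if [ -z "$users" ]; then
        echo "not-exploitable: no limited-privilege accounts"; return 0
    fi
    if [ "$4" != yes ]; then
        echo "mitigated: vami-sfcbd not running"; return 0
    fi
    printf 'exposed: %s\n' "$(echo $users)"
}

# Live check on the appliance: needs root to read /etc/shadow.
if command -v vamicli >/dev/null 2>&1; then
    running=no
    # ASSUMPTION: the daemon's process name matches the name in the advisory.
    if pgrep -x vami-sfcbd >/dev/null 2>&1; then running=yes; fi
    assess "$(vamicli version --studio 2>&1)" /etc/passwd /etc/shadow "$running"
else
    echo "vamicli not found: run this on the appliance" >&2
fi
```

An "exposed" verdict lists the accounts to disable; the other two remediations are stopping vami-sfcbd or rebuilding the appliance with Studio 2.1.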
