Certain ActiveX controls in (1) tsgetxu71ex552.dll and (2) tsgetx71ex552.dll in Tom Sawyer GET Extension Factory 5.5.2.237, as used in VI Client (aka VMware Infrastructure Client) 2.0.2 before Build 230598 and 2.5 before Build 204931 in VMware Infrastructure 3, do not properly handle attempted initialization within Internet Explorer, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HTML document.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities :

  - A flaw exists in the Linux Kernel in the     do_anonymous_page() function due to improper separation     of the stack and the heap. An attacker can exploit this     to execute arbitrary code. (CVE-2010-2240)

  - A packet filter bypass exists in the Linux Kernel e1000     driver due to processing trailing payload data as a     complete frame. A remote attacker can exploit this to     bypass packet filters via a large packet with a crafted     payload. (CVE-2009-4536)

  - A use-after-free error exists in the Linux Kernel when     IPV6_RECVPKTINFO is set on a listening socket. A remote     attacker can exploit this, via a SYN packet while the     socket is in a listening (TCP_LISTEN) state, to cause a     kernel panic, resulting in a denial of service     condition. (CVE-2010-1188)

  - An array index error exists in the Linux Kernel in the     gdth_read_event() function. A local attacker can exploit     this, via a negative event index in an IOCTL request, to     cause a denial of service condition. (CVE-2009-3080)

  - A race condition exists in the VMware Host Guest File     System (HGFS) that allows guest operating system users     to gain privileges by mounting a filesystem on top of an     arbitrary directory. (CVE-2011-1787)

  - A flaw exists in the VMware Host Guest File System     (HGFS) that allows a Solaris or FreeBSD guest operating     system user to modify arbitrary guest operating system     files. (CVE-2011-2145)

  - A flaw exists in the VMware Host Guest File System     (HGFS) that allows guest operating system users to     disclose host operating system files and directories.
    (CVE-2011-2146)

  - A flaw exists in the bundled Tom Sawyer GET Extension     Factory that allows a remote attacker to cause a denial     of service condition or the execution of arbitrary code     via a crafted HTML document. (CVE-2011-2217)

Tom Sawyer Software's GET Extension Factory, a component used for graph visualization applications, is installed on the remote Windows host.  It may have been bundled with a third-party application, such as the VMware Infrastructure Client or Embarcadero ER / Studio XE2.

The installed version of this component has a vulnerability in that it does not initialize COM objects properly inside Internet Explorer, which leads to a memory corruption vulnerability.

If an attacker can trick a user on the affected host into visiting a specially crafted web page, this issue could be leveraged to execute arbitrary code on the host subject to the user's privileges.

a. VMware vmkernel third-party e1000(e) Driver Packet Filter Bypass

    There is an issue in the e1000(e) Linux driver for Intel PRO/1000     adapters that allows a remote attacker to bypass packet filters.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)     has assigned the name CVE-2009-4536 to this issue.

b. ESX third-party update for Service Console kernel

    This update for the console OS kernel package resolves four     security issues.

    1) IPv4 Remote Denial of Service

        An remote attacker can achieve a denial of service via an         issue in the kernel IPv4 code.

        The Common Vulnerabilities and Exposures project            (cve.mitre.org) has assigned the name CVE-2010-1188 to            this issue.

    2) SCSI Driver Denial of Service / Possible Privilege Escalation

        A local attacker can achieve a denial of service and         possibly a privilege escalation via a vulnerability in         the Linux SCSI drivers.

        The Common Vulnerabilities and Exposures project         (cve.mitre.org) has assigned the name CVE-2009-3080 to         this issue.

    3) Kernel Memory Management Arbitrary Code Execution

        A context-dependent attacker can execute arbitrary code         via a vulnerability in a kernel memory handling function.

        The Common Vulnerabilities and Exposures project         (cve.mitre.org) has assigned the name CVE-2010-2240 to         this issue.

    4) e1000 Driver Packet Filter Bypass

        There is an issue in the Service Console e1000 Linux         driver for Intel PRO/1000 adapters that allows a remote         attacker to bypass packet filters.

        The Common Vulnerabilities and Exposures project         (cve.mitre.org) has assigned the name CVE-2009-4536 to         this issue.

c. Multiple vulnerabilities in mount.vmhgfs

    This patch provides a fix for the following three security     issues in the VMware Host Guest File System (HGFS). None of     these issues affect Windows based Guest Operating Systems.

    1) Mount.vmhgfs Information Disclosure

        Information disclosure via a vulnerability that allows an         attacker with access to the Guest to determine if a path         exists in the Host filesystem and whether it is a file or         directory regardless of permissions.

        The Common Vulnerabilities and Exposures project         (cve.mitre.org) has assigned the name CVE-2011-2146 to         this issue.

    2) Mount.vmhgfs Race Condition

        Privilege escalation via a race condition that allows an         attacker with access to the guest to mount on arbitrary         directories in the Guest filesystem and achieve privilege         escalation if they can control the contents of the         mounted directory.

        The Common Vulnerabilities and Exposures project         (cve.mitre.org) has assigned the name CVE-2011-1787 to         this issue.

    3) Mount.vmhgfs Privilege Escalation

        Privilege escalation via a procedural error that allows         an attacker with access to the guest operating system to         gain write access to an arbitrary file in the Guest         filesystem.  This issue only affects Solaris and FreeBSD         Guest Operating Systems.

        The Common Vulnerabilities and Exposures project         (cve.mitre.org) has assigned the name CVE-2011-2145 to         this issue.

    VMware would like to thank Dan Rosenberg for reporting these     issues.

d. VI Client ActiveX vulnerabilities

    VI Client COM objects can be instantiated in Internet Explorer     which may cause memory corruption. An attacker who succeeded in     making the VI Client user visit a malicious Web site could     execute code on the user's system within the security context of     that user.

    VMware would like to thank Elazar Broad and iDefense for     reporting this issue to us.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)     has assigned the name CVE-2011-2217 to this issue.

    Affected versions.

    The vSphere Client which comes with vSphere 4.0 and vSphere 4.1     is not affected. This is any build of vSphere Client Version     4.0.0 and vSphere Client Version 4.1.0.

    VI Clients bundled with VMware Infrastructure 3 that are not     affected are :
    - VI Client 2.0.2 Build 230598 and higher
    - VI Client 2.5 Build 204931 and higher

    The issue can be remediated by replacing an affected VI Client     with the VI Client bundled with VirtualCenter 2.5 Update 6 or     VirtualCenter 2.5 Update 6a.

ID	Name	Product	Family	Severity
89678	VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2011-0009) (remote check)	Nessus	Misc.	high
54990	Tom Sawyer Software GET Extension Factory COM Object Instantiation Memory Corruption	Nessus	Windows	high
54968	VMSA-2011-0009 : VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues	Nessus	VMware ESX Local Security Checks	high

Detections

Analytics

CVE-2011-2217

high

Tenable Plugins

high

high

high