VMware vCenter Server 4.0 before Update 4b, 5.0 before Update 2, and 5.1 before 5.1.0b; VMware ESXi 3.5 through 5.1; and VMware ESX 3.5 through 4.1 do not properly implement the Network File Copy (NFC) protocol, which allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption) by modifying the client-server data stream.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several components and third-party libraries :

  - Java Runtime Environment (JRE)
  - Network File Copy (NFC) Protocol
  - OpenSSL

The remote VMware ESXi 5.1 host is affected by the following security vulnerabilities :

  - An input validation error exists in the function     'png_set_text_2' in the libpng library that could     allow memory corruption and arbitrary code execution.
    (CVE-2011-3048)

  - A privilege escalation vulnerability exists in the     Virtual Machine Communication Interface (VMCI). A local     attacker can exploit this, via control code, to change     allocated memory, resulting in the escalation of     privileges. (CVE-2013-1406)

  - An error exists related to Network File Copy (NFC)     handling that could allow denial of service attacks or     arbitrary code execution. (CVE-2013-1659)

The remote VMware ESXi 5.0 host is affected by Multiple Vulnerabilities :

  - An integer overflow condition exists in the
    __tzfile_read() function in the glibc library. An     unauthenticated, remote attacker can exploit this, via     a crafted timezone (TZ) file, to cause a denial of     service or the execution of arbitrary code.
    (CVE-2009-5029)

  - ldd in the glibc library is affected by a privilege     escalation vulnerability due to the omission of certain     LD_TRACE_LOADED_OBJECTS checks in a crafted executable     file. Note that this vulnerability is disputed by the     library vendor. (CVE-2009-5064)

  - A remote code execution vulnerability exists in the     glibc library due to an integer signedness error in the     elf_get_dynamic_info() function when the '--verify'     option is used. A remote attacker can exploit this by     using a crafted ELF program with a negative value for a     certain d_tag structure member in the ELF header.
    (CVE-2010-0830)

  - A flaw exists in OpenSSL due to a failure to properly     prevent modification of the ciphersuite in the session     cache when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is     enabled. A remote attacker can exploit this to force a     downgrade to an unintended cipher by intercepting the     network traffic to discover a session identifier.
    (CVE-2010-4180)

  - A flaw exists in OpenSSL due to a failure to properly     validate the public parameters in the J-PAKE protocol     when J-PAKE is enabled. A remote attacker can exploit     this, by sending crafted values in each round of the     protocol, to bypass the need for knowledge of the shared     secret. (CVE-2010-4252)

  - A out-of-bounds memory error exists in OpenSSL that     allows a remote attacker to cause a denial of service or     possibly obtain sensitive information by using a     malformed ClientHello handshake message. This is also     known as the 'OCSP stapling vulnerability'.
    (CVE-2011-0014)

  - A flaw exists in the addmntent() function in the glibc     library due to a failure to report the error status for     failed attempts to write to the /etc/mtab file. A local     attacker can exploit this to corrupt the file by using     writes from a process with a small RLIMIT_FSIZE value.
    (CVE-2011-1089)

  - A flaw exists in the png_set_text_2() function in the     file pngset.c in the libpng library due to a failure to     properly allocate memory. An unauthenticated, remote     attacker can exploit this, via a crafted text chunk in a     PNG image file, to trigger a heap-based buffer overflow,     resulting in denial of service or the execution of     arbitrary code. (CVE-2011-3048)

  - A flaw exists in the DTLS implementation in OpenSSL due     to performing a MAC check only if certain padding is     valid. A remote attacker can exploit this, via a padding     oracle attack, to recover the plaintext. (CVE-2011-4108)

  - A double-free error exists in OpenSSL when the     X509_V_FLAG_POLICY_CHECK is enabled. A remote attacker     can exploit this by triggering a policy check failure,     resulting in an unspecified impact. (CVE-2011-4109)

  - A flaw exists in OpenSSL in the SSL 3.0 implementation     due to improper initialization of data structures used     for block cipher padding. A remote attacker can exploit     this, by decrypting the padding data sent by an SSL     peer, to obtain sensitive information. (CVE-2011-4576)

  - A denial of service vulnerability exists in OpenSSL when     RFC 3779 support is enabled. A remote attacker can     exploit this to cause an assertion failure, by using an     X.509 certificate containing certificate extension data     associated with IP address blocks or Autonomous System     (AS) identifiers. (CVE-2011-4577)

  - A denial of service vulnerability exists in the RPC     implementation in the glibc library due to a flaw in the     svc_run() function. A remote attacker can exploit this,     via large number of RPC connections, to exhaust CPU     resources. (CVE-2011-4609)

  - A denial of service vulnerability exists in the Server     Gated Cryptography (SGC) implementation in OpenSSL due     to a failure to properly handle handshake restarts. A     remote attacker can exploit this, via unspecified     vectors, to exhaust CPU resources. (CVE-2011-4619)

  - A denial of service vulnerability exists in OpenSSL due     to improper support of DTLS applications. A remote     attacker can exploit this, via unspecified vectors     related to an out-of-bounds read error. Note that this     vulnerability exists because of an incorrect fix for     CVE-2011-4108. (CVE-2012-0050)

  - A security bypass vulnerability exists in the glibc     library due to an integer overflow condition in the     vfprintf() function in file stdio-common/vfprintf.c. An     attacker can exploit this, by using a large number of     arguments, to bypass the FORTIFY_SOURCE protection     mechanism, allowing format string attacks or writing to     arbitrary memory. (CVE-2012-0864)

  - A denial of service vulnerability exists in the glibc     library in the vfprintf() function in file     stdio-common/vfprintf.c due to a failure to properly     calculate a buffer length. An attacker can exploit this,     via a format string that uses positional parameters and     many format specifiers, to bypass the FORTIFY_SOURCE     format-string protection mechanism, thus causing stack     corruption and a crash. (CVE-2012-3404)

  - A denial of service vulnerability exists in the glibc     library in the vfprintf() function in file     stdio-common/vfprintf.c due to a failure to properly     calculate a buffer length. An attacker can exploit this,     via a format string with a large number of format     specifiers, to bypass the FORTIFY_SOURCE format-string     protection mechanism, thus triggering desynchronization     within the buffer size handling, resulting in a     segmentation fault and crash. (CVE-2012-3405)

  - A flaw exists in the glibc library in the vfprintf()     function in file stdio-common/vfprintf.c due to a     failure to properly restrict the use of the alloca()     function when allocating the SPECS array. An attacker     can exploit this, via a crafted format string using     positional parameters and a large number of format     specifiers, to bypass the FORTIFY_SOURCE format-string     protection mechanism, thus triggering a denial of     service or the possible execution of arbitrary code.
    (CVE-2012-3406)

  - A flaw exists in the glibc library due to multiple     integer overflow conditions in the strtod(), strtof(),     strtold(), strtod_l(), and other unspecified related     functions. A local attacker can exploit these to trigger     a stack-based buffer overflow, resulting in an     application crash or the possible execution of arbitrary     code. (CVE-2012-3480)

  - A privilege escalation vulnerability exists in the     Virtual Machine Communication Interface (VMCI) due to a     failure by control code to properly restrict memory     allocation. A local attacker can exploit this, via     unspecified vectors, to gain privileges. (CVE-2013-1406)

  - An error exists in the implementation of the Network     File Copy (NFC) protocol. A man-in-the-middle attacker     can exploit this, by modifying the client-server data     stream, to cause a denial of service or the execution     of arbitrary code. (CVE-2013-1659)

The version of VMware vCenter installed on the remote host is 4.0 before update 4b, 5.0 before update 2, or 5.1 before 5.1.0b.  Such versions are potentially affected by a denial of service vulnerability due to an issue in webservice logging.  By exploiting this flaw, a remote, unauthenticated attacker could crash the affected host.

a. VMware vCenter, ESXi and ESX NFC protocol memory corruption    vulnerability

   VMware vCenter Server, ESXi and ESX contain a vulnerability in the    handling of the Network File Copy (NFC) protocol. To exploit this    vulnerability, an attacker must intercept and modify the NFC    traffic between vCenter Server and the client or ESXi/ESX and the    client.  Exploitation of the issue may lead to code execution.

   To reduce the likelihood of exploitation, vSphere components should    be deployed on an isolated management network

   VMware would like to thank Alex Chapman of Context Information    Security for reporting this issue to us. 

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2013-1659 to this issue.

b. VirtualCenter, ESX and ESXi Oracle (Sun) JRE update 1.5.0_38

   Oracle (Sun) JRE is updated to version 1.5.0_38, which addresses    multiple security issues that existed in earlier releases of    Oracle (Sun) JRE. 

   Oracle has documented the CVE identifiers that are addressed    in JRE 1.5.0_38 in the Oracle Java SE Critical Patch Update    Advisory of October 2012. 

c. Update to ESX service console OpenSSL RPM 

   The service console OpenSSL RPM is updated to version    openssl-0.9.7a.33.28.i686 to resolve multiple security issues. 

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2012-2110 to this issue.

ID	Name	Product	Family	Severity
89663	VMware ESX / ESXi NFC and Third-Party Libraries Multiple Vulnerabilities (VMSA-2013-0003) (remote check)	Nessus	Misc.	critical
70888	ESXi 5.1 < Build 911593 Multiple Vulnerabilities (remote check)	Nessus	Misc.	high
70885	ESXi 5.0 < Build 912577 Multiple Vulnerabilities (remote check)	Nessus	Misc.	high
65223	VMware vCenter Server NFC Protocol Code Execution (VMSA-2013-0003)	Nessus	Misc.	high
64812	VMSA-2013-0003 : VMware vCenter Server, ESXi and ESX address an NFC Protocol memory corruption and third-party library security issues.	Nessus	VMware ESX Local Security Checks	high

Detections

Analytics

CVE-2013-1659

high

Tenable Plugins

critical

high

high

high

high