VMware Local Security Checks : VMware ESXi/ESX address several security issues (VMSA-2014-0001)

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.103884

Kategorie: VMware Local Security Checks

Titel: VMware ESXi/ESX address several security issues (VMSA-2014-0001)

Zusammenfassung: VMware ESXi and ESX address several security issues.

Beschreibung: Summary:
VMware ESXi and ESX address several security issues.

Vulnerability Insight:
a. VMware ESXi and ESX NFC NULL pointer dereference

VMware ESXi and ESX contain a NULL pointer dereference in the handling
of the Network File Copy (NFC) traffic. To exploit this vulnerability,
an attacker must intercept and modify the NFC traffic between
ESXi/ESX and the client. Exploitation of the issue may lead to a
Denial of Service.

To reduce the likelihood of exploitation, vSphere components should be
deployed on an isolated management network.

b. VMware VMX process denial of service vulnerability

Due to a flaw in the handling of invalid ports, it is possible to
cause the VMX process to fail. This vulnerability may allow a guest
user to affect the VMX process resulting in a partial denial of
service on the host.

c. VMware vCloud Director Cross Site Request Forgery (CSRF)

VMware vCloud Director contains a vulnerability in the Hyper Text
Transfer Protocol (http) session management. An attacker may trick
an authenticated user to click a malicious link, which would result
in the user being logged out. The user is able to immediately log
back into the system.

Affected Software/OS:
VMware ESXi 5.1 without patch ESXi510-201401101

VMware ESXi 5.0 without patch ESXi500-201310101

VMware ESXi 4.1 without patch ESXi410-201312401

VMware ESXi 4.0 without patch ESXi400-201310401

VMware ESX 4.1 without patch ESX410-201312401

VMware ESX 4.0 without patch ESX400-201310401

Solution:
Apply the missing patch(es).

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2014-1207
BugTraq ID: 64995
http://www.securityfocus.com/bid/64995
http://osvdb.org/102196
http://www.securitytracker.com/id/1029643
http://secunia.com/advisories/56499
XForce ISS Database: vmware-esx-cve20141207-dos(90559)
https://exchange.xforce.ibmcloud.com/vulnerabilities/90559
Common Vulnerability Exposure (CVE) ID: CVE-2014-1208
BugTraq ID: 64994
http://www.securityfocus.com/bid/64994
http://osvdb.org/102197
http://www.securitytracker.com/id/1029644
XForce ISS Database: vmware-esx-cve20141208-dos(90558)
https://exchange.xforce.ibmcloud.com/vulnerabilities/90558
Common Vulnerability Exposure (CVE) ID: CVE-2014-1211
BugTraq ID: 64993
http://www.securityfocus.com/bid/64993
http://osvdb.org/102198
http://www.securitytracker.com/id/1029645
XForce ISS Database: vmware-vcloud-cve20141211-csrf(90560)
https://exchange.xforce.ibmcloud.com/vulnerabilities/90560

Copyright Copyright (C) 2014 Greenbone AG

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.103884
Kategorie:	VMware Local Security Checks
Titel:	VMware ESXi/ESX address several security issues (VMSA-2014-0001)
Zusammenfassung:	VMware ESXi and ESX address several security issues.
Beschreibung:	Summary: VMware ESXi and ESX address several security issues. Vulnerability Insight: a. VMware ESXi and ESX NFC NULL pointer dereference VMware ESXi and ESX contain a NULL pointer dereference in the handling of the Network File Copy (NFC) traffic. To exploit this vulnerability, an attacker must intercept and modify the NFC traffic between ESXi/ESX and the client. Exploitation of the issue may lead to a Denial of Service. To reduce the likelihood of exploitation, vSphere components should be deployed on an isolated management network. b. VMware VMX process denial of service vulnerability Due to a flaw in the handling of invalid ports, it is possible to cause the VMX process to fail. This vulnerability may allow a guest user to affect the VMX process resulting in a partial denial of service on the host. c. VMware vCloud Director Cross Site Request Forgery (CSRF) VMware vCloud Director contains a vulnerability in the Hyper Text Transfer Protocol (http) session management. An attacker may trick an authenticated user to click a malicious link, which would result in the user being logged out. The user is able to immediately log back into the system. Affected Software/OS: VMware ESXi 5.1 without patch ESXi510-201401101 VMware ESXi 5.0 without patch ESXi500-201310101 VMware ESXi 4.1 without patch ESXi410-201312401 VMware ESXi 4.0 without patch ESXi400-201310401 VMware ESX 4.1 without patch ESX410-201312401 VMware ESX 4.0 without patch ESX400-201310401 Solution: Apply the missing patch(es). CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2014-1207 BugTraq ID: 64995 http://www.securityfocus.com/bid/64995 http://osvdb.org/102196 http://www.securitytracker.com/id/1029643 http://secunia.com/advisories/56499 XForce ISS Database: vmware-esx-cve20141207-dos(90559) https://exchange.xforce.ibmcloud.com/vulnerabilities/90559 Common Vulnerability Exposure (CVE) ID: CVE-2014-1208 BugTraq ID: 64994 http://www.securityfocus.com/bid/64994 http://osvdb.org/102197 http://www.securitytracker.com/id/1029644 XForce ISS Database: vmware-esx-cve20141208-dos(90558) https://exchange.xforce.ibmcloud.com/vulnerabilities/90558 Common Vulnerability Exposure (CVE) ID: CVE-2014-1211 BugTraq ID: 64993 http://www.securityfocus.com/bid/64993 http://osvdb.org/102198 http://www.securitytracker.com/id/1029645 XForce ISS Database: vmware-vcloud-cve20141211-csrf(90560) https://exchange.xforce.ibmcloud.com/vulnerabilities/90560
Copyright	Copyright (C) 2014 Greenbone AG