Privacy and Legal Notice

DOE-CIRC TECHNICAL BULLETIN

T-264: VMware Products Directory Traversal Vulnerability

[CVE-2009-3733]

November 3, 2009 15:00 GMT
PROBLEM: VMware products are prone to a directory-traversal vulnerability because they fail to sufficiently sanitize user-supplied input data.
PLATFORM: VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5
ABSTRACT: Directory traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5 allows remote attackers to read arbitrary files via unspecified vectors.
LINKS:  
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-264.shtml
  OTHER LINKS: Security Focus
http://www.securityfocus.com/bid/36842/info

  CVE: CVE-2009-3733
IMPACT ASSESSMENT: This risk is medium. Exploiting the issue may allow an attacker to obtain sensitive information from the host operating system that could aid in further attacks. 
[***** Start CVE-2009-3733 *****]
Discussion:
A directory traversal vulnerability allows for remote retrieval of any file from the host system. In order to send a malicious request, the attacker will need to have access to the network on which the host resides.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3733 to this issue. 

Vulnerable:
VMWare Server 2.0.1 build 156745
VMWare Server 2.0.1
VMWare Server 1.0.9 build 156507
VMWare Server 1.0.9
VMWare Server 1.0.8 build 126538
VMWare Server 1.0.8
VMWare Server 1.0.7 build 108231
VMWare Server 1.0.7
VMWare Server 1.0.6 build 91891
VMWare Server 1.0.6
VMWare Server 1.0.5 Build 80187
VMWare Server 1.0.5
VMWare Server 1.0.4
VMWare Server 1.0.3
VMWare Server 1.0.2
VMWare Server 2.0
VMWare ESXi Server 3.5 ESXe350-20090440
VMWare ESXi Server 3.5
VMWare ESX Server 3.0.3
VMWare ESX Server 3.0.3
VMWare ESX Server 3.5 ESX350-200906407
VMWare ESX Server 3.5 ESX350-200904401
VMWare ESX Server 3.5

Solution:
The vendor has released an advisory and updates. Please see the below for details.

VMWare ESXi Server 3.5

* VMWare ESXe350-200901401-O-SG.zip
http://download3.vmware.com/software/vi/ESXe350-200901401-O-SG.zip

* VMWare ESXe350-200901401-O-SG.zip
ESXi 3.5 patch ESXe350-200901401-I-SG (Directory Traversal)
      http://download3.vmware.com/software/vi/ESXe350-200901401-O-SG.zip

VMWare Server 1.0.9

* VMWare VMware-server-1.0.10-203137.i386.rpm
VMware Server for Linux rpm
http://download3.vmware.com/software/vmserver/VMware-server-1.0.10-203 137.i386.rpm

* VMWare VMware-server-1.0.10-203137.tar.gz
VMware Server for Linux
http://download3.vmware.com/software/vmserver/VMware-server-1.0.10-203 137.tar.gz

* VMWare VMware-server-installer-1.0.10-203137.exe
VMware Server for Windows 32-bit and 64-bit
http://download3.vmware.com/software/vmserver/VMware-server-installer- 1.0.10-203137.exe

* VMWare VMware-server-linux-client-1.0.10-203137.zip
VMware Server Linux client package
http://download3.vmware.com/software/vmserver/VMware-server-linux-clie nt-1.0.10-203137.zip

* VMWare VMware-server-win32-client-1.0.10-203137.zip
VMware Server Windows client package
http://download3.vmware.com/software/vmserver/VMware-server-win32-clie nt-1.0.10-203137.zip


VMWare ESX Server 3.0.3

* VMWare ESX303-200812406-BG.zip
ESX 3.0.3 patch ESX303-200812406-BG (Directory Traversal)
http://download3.vmware.com/software/vi/ESX303-200812406-BG.zip

[***** End CVE-2009-3733 *****]
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at: 
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov
UCRL-MI-119788