VMware Tools update OS Command Injection

JDMurrayJDMurray Admin Posts: 13,101 Admin
"VMware Server Infrastructure Web Access is prone to remote command
execution vulnerability because the software fails to adequately
sanitize user-supplied input."

"When Updating the VMTools on a certain Guest Virtual Machine, a command
injection attack can be executed if specially crafted parameters are sent.
Successful attacks can compromise the affected Guest Virtual Machine
with root privileges."


VMware Tools update OS Command Injection


I'm gonna assume the same types of vulnerabilities are in the VMware VI API too. icon_sad.gif

Comments

  • blargoeblargoe Member Posts: 4,174 ■■■■■■■■■□
    Thankfully (for me), it doesn't affect Windows VM's
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • JDMurrayJDMurray Admin Posts: 13,101 Admin
    Only if you have the latest patch installed, otherwise it looks like VMware Tools is vulnerable regardless of the OS it is installed on.
  • azjagazjag Member Posts: 579 ■■■■■■■□□□
    JDMurray wrote: »
    Only if you have the latest patch installed, otherwise it looks like VMware Tools is vulnerable regardless of the OS it is installed on.

    Thanks for the heads up on this one. I'm scheduled to update "out of date" tools on about 100 guest machines this coming weekend. Might have to research alternative methods for running mass updates.
    Currently Studying:
    VMware Certified Advanced Professional 5 – Data Center Administration (VCAP5-DCA) (Passed)
    VMware Certified Advanced Professional 5 – Data Center Design (VCAP5-DCD)
Sign In or Register to comment.