VMware Tools update OS Command Injection

JDMurray, Certification Invigilator, Surf City, USA, Posts: 11,293, Admin
"VMware Server Infrastructure Web Access is prone to remote command
execution vulnerability because the software fails to adequately
sanitize user-supplied input."

"When Updating the VMTools on a certain Guest Virtual Machine, a command
injection attack can be executed if specially crafted parameters are sent.
Successful attacks can compromise the affected Guest Virtual Machine
with root privileges."

I'm gonna assume the same types of vulnerabilities are in the VMware VI API too. :(

Comments

  • blargoe, Self-Described Huguenot, NC, USA, Posts: 4,170, Member
    Thankfully (for me), it doesn't affect Windows VMs
    IT guy since 12/00

    Recent: 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCSA 7, learning Ansible
    Future: RHCE? VCAP6.5-DCD?
  • JDMurray, Certification Invigilator, Surf City, USA, Posts: 11,293, Admin
    Only if you have the latest patch installed, otherwise it looks like VMware Tools is vulnerable regardless of the OS it is installed on.
  • azjag, Posts: 579, Member
    JDMurray wrote:
    Only if you have the latest patch installed, otherwise it looks like VMware Tools is vulnerable regardless of the OS it is installed on.

    Thanks for the heads up on this one. I'm scheduled to update "out of date" tools on about 100 guest machines this coming weekend. Might have to research alternative methods for running mass updates.
    Currently Studying:
    VMware Certified Advanced Professional 5 – Data Center Administration (VCAP5-DCA) (Passed)
    VMware Certified Advanced Professional 5 – Data Center Design (VCAP5-DCD)