Vulnerability CVE-2008-4278 - CERT Civis.Net

Vulnerability Name:

CVE-2008-4278 (CCN-45664)

Assigned:

2008-10-03

Published:

2008-10-03

Updated:

2018-10-11

Summary:

VMware VirtualCenter 2.5 before Update 3 build 119838 on Windows displays a user's password in cleartext when the password contains unspecified special characters, which allows physically proximate attackers to steal the password.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2008-4278

Source: BUGTRAQ
Type: UNKNOWN
20081004 VMSA-2008-0016 VMware Hosted products, VirtualCenter Update 3 and

Source: CCN
Type: SA32179
VMware VirtualCenter Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
32179

Source: CCN
Type: SA32180
VMware ESX Server Sun Java JDK / JRE Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
32180

Source: CCN
Type: SECTRACK ID: 1020992
VMware VirtualCenter May Display the User's Password in Clear Text

Source: CCN
Type: OSVDB ID: 49089
VMware VirtualCenter Unspecified User Password Cleartext Disclosure

Source: BUGTRAQ
Type: UNKNOWN
20081004 VMSA-2008-0016 VMware Hosted products, VirtualCenter Update 3 and patches for ESX and ESXi resolve multiple security issues

Source: BID
Type: UNKNOWN
31569

Source: CCN
Type: BID-31569
VMware Products In-Guest Privilege Escalation and Information Disclosure Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1020992

Source: CCN
Type: VMSA-2008-0016
VMware Hosted products, VirtualCenter Update 3 and patches for ESX and ESXi resolve multiple security issues

Source: CONFIRM
Type: Patch
http://www.vmware.com/security/advisories/VMSA-2008-0016.html

Source: VUPEN
Type: UNKNOWN
ADV-2008-2740

Source: XF
Type: UNKNOWN
vmware-virtualcenter-info-disclosure(45664)

Source: XF
Type: UNKNOWN
vmware-virtualcenter-info-disclosure(45664)

Vulnerable Configuration:

Configuration 1:

cpe:/a:vmware:virtual_infrastructure_client:*:*:*:*:*:*:*:*

OR cpe:/a:vmware:virtualcenter:1.4.1:*:*:*:*:*:*:*

OR cpe:/a:vmware:virtualcenter:2.0:unknown:client:*:*:*:*:*

OR cpe:/a:vmware:virtualcenter:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:vmware:virtualcenter:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:vmware:virtualcenter:2.0.2:update_2:*:*:*:*:*:*

OR cpe:/a:vmware:virtualcenter:2.0.2:update_3:*:*:*:*:*:*

OR cpe:/a:vmware:virtualcenter:2.0.2:update_4:*:*:*:*:*:*

OR cpe:/a:vmware:virtualcenter:2.5:*:*:*:*:*:*:*

OR cpe:/a:vmware:virtualcenter:2.5:update_1:*:*:*:*:*:*

OR cpe:/a:vmware:virtualcenter:*:update_2:*:*:*:*:*:* (Version <= 2.5)

AND

cpe:/o:microsoft:windows:*:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:vmware:virtualcenter:2.5:*:*:*:*:*:*:*

Denotes that component is vulnerable