Vulnerability CVE-2009-2267 - CERT Civis.Net

Vulnerability Name:

CVE-2009-2267 (CCN-54013)

Assigned:

2009-10-27

Published:

2009-10-27

Updated:

2018-10-10

Summary:

VMware Workstation 6.5.x before 6.5.3 build 185404, VMware Player 2.5.x before 2.5.3 build 185404, VMware ACE 2.5.x before 2.5.3 build 185404, VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138, VMware Fusion 2.x before 2.0.6 build 196839, VMware ESXi 3.5 and 4.0, and VMware ESX 2.5.5, 3.0.3, 3.5, and 4.0, when Virtual-8086 mode is used, do not properly set the exception code upon a page fault (aka #PF) exception, which allows guest OS users to gain privileges on the guest OS by specifying a crafted value for the cs register.

CVSS v3 Severity:

5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)
5.1 Medium (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.4 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2009-2267

Source: CCN
Type: Full-disclosure Mailing list, Tue Oct 27 19:15:31 GMT 2009
Invalid #PF Exception Code in VMware can result in Guest Privilege Escalation

Source: MLIST
Type: Vendor Advisory
[security-announce] 20091027 VMSA-2009-0015 VMware hosted products and ESX patches resolve two security issues

Source: CCN
Type: SA37172
VMware Products Guest Privilege Escalation Vulnerability

Source: SECUNIA
Type: Vendor Advisory
37172

Source: GENTOO
Type: UNKNOWN
GLSA-201209-25

Source: CCN
Type: SECTRACK ID: 1023082
VMware Page Fault Exception Handling Flaw Lets Local Users on a Guest OS Gain Elevated Privileges on the Guest OS

Source: SECTRACK
Type: UNKNOWN
1023082

Source: CCN
Type: SECTRACK ID: 1023083
VMware ESX Page Fault Exception Handling Flaw Lets Local Users on a Guest OS Gain Elevated Privileges on the Guest OS

Source: SECTRACK
Type: UNKNOWN
1023083

Source: CCN
Type: OSVDB ID: 59441
VMware Multiple Products Guest OS Page Fault Local Privilege Escalation

Source: BUGTRAQ
Type: UNKNOWN
20091027 VMSA-2009-0015 VMware hosted products and ESX patches resolve two security issues

Source: BUGTRAQ
Type: UNKNOWN
20091027 Invalid #PF Exception Code in VMware can result in Guest Privilege Escalation

Source: BID
Type: Exploit
36841

Source: CCN
Type: BID-36841
VMware Products Page Fault Exception Local Privilege Escalation Vulnerability

Source: CCN
Type: VMSA-2009-0015
VMware hosted products and ESX patches resolve two security issues

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.vmware.com/security/advisories/VMSA-2009-0015.html

Source: VUPEN
Type: Vendor Advisory
ADV-2009-3062

Source: XF
Type: UNKNOWN
vmware-pagefault-priv-escalation(54013)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:8473

Vulnerable Configuration:

Configuration 1:

cpe:/a:vmware:ace:2.5.0:*:*:*:*:*:*:*

OR cpe:/a:vmware:ace:2.5.1:*:*:*:*:*:*:*

OR cpe:/a:vmware:ace:2.5.2:*:*:*:*:*:*:*

OR cpe:/a:vmware:esx:2.5.5:*:*:*:*:*:*:*

OR cpe:/a:vmware:esx:3.0.3:*:*:*:*:*:*:*

OR cpe:/a:vmware:esx:3.5:*:*:*:*:*:*:*

OR cpe:/a:vmware:esx:4.0:*:*:*:*:*:*:*

OR cpe:/a:vmware:esxi:3.5:*:*:*:*:*:*:*

OR cpe:/a:vmware:esxi:4.0:*:*:*:*:*:*:*

OR cpe:/a:vmware:fusion:2.0:*:*:*:*:*:*:*

OR cpe:/a:vmware:fusion:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:vmware:fusion:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:vmware:fusion:2.0.3:*:*:*:*:*:*:*

OR cpe:/a:vmware:fusion:2.0.4:*:*:*:*:*:*:*

OR cpe:/a:vmware:fusion:2.0.5:*:*:*:*:*:*:*

OR cpe:/a:vmware:player:2.5:*:*:*:*:*:*:*

OR cpe:/a:vmware:player:2.5.1:*:*:*:*:*:*:*

OR cpe:/a:vmware:player:2.5.2:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.1:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.3:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.4:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.5:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.6:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.7:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.8:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.9:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:2.0:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:2.0:rc2:*:*:*:*:*:*

OR cpe:/a:vmware:server:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:6.5.0:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:6.5.1:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:6.5.2:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:vmware:esx_server:2.5.5:*:*:*:*:*:*:*

OR cpe:/o:vmware:esx:2.0:build_5257:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.3:*:*:*:*:*:*:*

OR cpe:/a:vmware:esx_server:3.5:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.4:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.5:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.7:*:*:*:*:*:*:*

OR cpe:/a:vmware:esx_server:3.0.3:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.6:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.8:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:6.5:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:2.0:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.9:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:6.5.1:*:*:*:*:*:*:*

OR cpe:/a:vmware:ace:2.5.1:*:*:*:*:*:*:*

OR cpe:/a:vmware:fusion:2.0.3:*:*:*:*:*:*:*

OR cpe:/a:vmware:fusion:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:vmware:fusion:2.0:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:6.5.2:*:*:*:*:*:*:*

OR cpe:/a:vmware:ace:2.5.2:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:6.5.3:*:*:*:*:*:*:*

OR cpe:/a:vmware:fusion:2.0.5:*:*:*:*:*:*:*

OR cpe:/a:vmware:fusion:2.0.4:*:*:*:*:*:*:*

OR cpe:/a:vmware:player:2.5.2:*:*:*:*:*:*:*

OR cpe:/a:vmware:player:2.5.3:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:vmware:player:2.5:*:*:*:*:*:*:*

OR cpe:/a:vmware:player:2.5.1:*:*:*:*:*:*:*

OR cpe:/a:vmware:fusion:2.0.6:*:*:*:*:*:*:*

OR cpe:/a:vmware:esx_server:4.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:8473	V	VMware improper setting of the exception code on page faults vulnerability	2014-01-20