Vulnerability Name:

CVE-2016-5330 (CCN-115831)

Assigned:2016-08-04
Published:2016-08-04
Updated:2021-11-05
Summary:Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 through 6.0, VMware Workstation Pro 12.1.x before 12.1.1, VMware Workstation Player 12.1.x before 12.1.1, and VMware Fusion 8.1.x before 8.1.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory.
CVSS v3 Severity:7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
7.2 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
8.2 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:4.4 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-426
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2016-5330

Source: MISC
Type: Third Party Advisory
http://www.rapid7.com/db/modules/exploit/windows/misc/vmhgfs_webdav_dll_sideload

Source: BUGTRAQ
Type: Third Party Advisory, VDB Entry
20160805 DLL side loading vulnerability in VMware Host Guest Client Redirector

Source: BID
Type: Third Party Advisory, VDB Entry
92323

Source: CCN
Type: BID-92323
VMware Tools CVE-2016-5330 DLL Loading Remote Code Execution Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1036544

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1036545

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1036619

Source: CCN
Type: VMware Security Advisory VMSA-2016-0010
VMware product updates address multiple security issues

Source: CONFIRM
Type: Mitigation, Vendor Advisory
http://www.vmware.com/security/advisories/VMSA-2016-0010.html

Source: XF
Type: UNKNOWN
vmware-cve20165330-code-exec(115831)

Source: CCN
Type: Packet Storm Security [08-11-2016]
DLL Side Loading In VMware Host Guest Client Redirector

Source: MISC
Type: Exploit, Third Party Advisory
https://securify.nl/advisory/SFY20151201/dll_side_loading_vulnerability_in_vmware_host_guest_client_redirector.html

Vulnerable Configuration:Configuration 1:
  • cpe:/a:vmware:workstation_player:*:*:*:*:*:*:*:* (Version >= 12.1.0 and < 12.1.1)
  • OR cpe:/a:vmware:workstation_pro:*:*:*:*:*:*:*:* (Version >= 12.1.0 and < 12.1.1)
  • OR cpe:/o:vmware:esxi:*:*:*:*:*:*:*:* (Version >= 5.0 and <= 6.0)

    • Configuration 2:
  • cpe:/a:vmware:fusion:*:*:*:*:*:*:*:* (Version >= 8.1 and < 8.1.1)
  • AND
  • cpe:/o:apple:mac_os_x:-:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/a:vmware:tools:*:*:*:*:*:*:*:* (Version >= 9.0.0 and <= 10.3.22)
  • AND
  • cpe:/o:microsoft:windows:-:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:vmware:esxi:5.0:*:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:5.5:*:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:5.1:*:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:workstation_player:12.1:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:fusion:8.1:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:tools:10.0.5:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    vmware workstation player *
    vmware workstation pro *
    vmware esxi *
    vmware fusion *
    apple mac os x -
    vmware tools *
    microsoft windows -
    vmware esxi 5.0
    vmware esxi 5.5
    vmware esxi 5.1
    vmware esxi 6.0
    vmware workstation player 12.1
    vmware fusion 8.1
    vmware tools 10.0.5