Summary
The host is installed with VMWare products tools local privilege escalation vulnerability.
Impact
Successful exploitation will allow attacker to execute arbitrary code with elevated privileges, this may aid in other attacks.
Impact Level: System/Application
Solution
Upgrade to workstation 6.5.5 build 328052 or 7.1.2 build 301548 http://www.vmware.com/products/ws/
Upgrade to player 2.5.5 build 328052 to 3.1.2 build 301548 http://www.vmware.com/products/player/
For VMware Server version 2.x ,
No solution or patch was made available for at least one year since disclosure of this vulnerability. Likely none will be provided anymore.
General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.
Insight
The flaw is due to an error in Tools update functionality, which allows host OS users to gain privileges on the guest OS via unspecified vectors.
Affected
VMware Server version 2.x
VMware Player 2.5.x before 2.5.5 build 328052 and 3.1.x before 3.1.2 build 301548 VMware Workstation 6.5.x before 6.5.5 build 328052 and 7.x before 7.1.2 build 301548
References
Severity
Classification
-
CVE CVE-2010-4297 -
CVSS Base Score: 7.2
AV:L/AC:L/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- Adobe AIR Code Execution and DoS Vulnerabilities Nov13 (Windows)
- Adobe Air Remote Code Execution Vulnerability -June13 (Windows)
- Adobe Flash Player 'SWF' File Multiple Code Execution Vulnerability - Mac OS X
- Adobe AIR Code Execution and DoS Vulnerabilities Nov13 (Mac OS X)
- Adobe Air Remote Code Execution Vulnerability -June13 (Mac OS X)