482200 – (CVE-2013-1662) app-emulation/vmware-{player,workstation}: "vmware-mount" Privilege Escalation Vulnerability (CVE-2013-1662)

Bug 482200 (CVE-2013-1662) - app-emulation/vmware-{player,workstation}: "vmware-mount" Privilege Escalation Vulnerability (CVE-2013-1662)

Summary: app-emulation/vmware-{player,workstation}: "vmware-mount" Privilege Escalatio...

Status:	RESOLVED INVALID

Alias:	CVE-2013-1662

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:	https://secunia.com/advisories/54580/
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2013-08-23 10:10 UTC by Agostino Sarubbo
Modified:	2014-08-10 20:13 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2013-08-23 10:10:33 UTC

From ${URL} :

Description

A vulnerability has been reported in VMware Workstation and VMware Player, which can be exploited 
by malicious, local users to gain escalated privileges.

The vulnerability is caused due to an unspecified error within vmware-mount and can be exploited to 
escalate privileges to root on the host OS.

NOTE: The vulnerability affects only installations running on Debian-based Linux platforms.

The vulnerability is reported in the following products and versions:
* VMware Workstation versions 8.x and 9.x
* VMware Player versions 4.x and 5.x


Solution:
Apply updates or workarounds.

Further details available to Secunia VIM customers

Provided and/or discovered by:
The vendor credits Tavis Ormandy, Google Security Team.

Original Advisory:
VMware (VMSA-2013-0010):
http://www.vmware.com/security/advisories/VMSA-2013-0010.html


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.

Comment 1 Chris Reffett (RETIRED) gentoo-dev

2013-08-27 01:44:25 UTC

Well, some good news. vmware-player is unaffected, since the upstream advisory says that the fix is to remove the SUID bit from vmware-mount (which we install into /opt/vmware/bin/vmware-mount), and we do not set the SUID bit.

@vmware team: could you please check whether this also applies to vmware-workstation? If that is also unaffected, I think we're in good shape. I'm not 100% certain, though, since a) the upstream advisory says that removing SUID is a sufficient workaround for both player and workstation in addition to providing a fixed file for workstation, and b) the upstream release specifically mentions debian/ubuntu, so perhaps this is a packaging issue.

Comment 2 GLSAMaker/CVETool Bot gentoo-dev

2013-08-27 01:46:22 UTC

CVE-2013-1662 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1662):
  vmware-mount in VMware Workstation 8.x and 9.x and VMware Player 4.x and
  5.x, on systems based on Debian GNU/Linux, allows host OS users to gain host
  OS privileges via a crafted lsb_release binary in a directory in the PATH,
  related to use of the popen library function.

Comment 3 Chris Reffett (RETIRED) gentoo-dev

2013-08-27 01:47:11 UTC

From a reading of the CVE, it looks like this is almost certainly a packaging issue with Debian/Ubuntu. @vmware team: please verify this, then we can close this as INVALID.

Comment 4 Sean Amoss (RETIRED) gentoo-dev

2014-08-10 20:13:39 UTC

Agree that this appears to be a packaging issue on other distros. Closing INVALID.