Bug 264577 (CVE-2009-1142, CVE-2009-1143) - app-emulation/open-vm-tools (CVE-2009-1142, CVE-2009-1143)
Summary: app-emulation/open-vm-tools (CVE-2009-1142, CVE-2009-1143)
Status: RESOLVED FIXED
Alias: CVE-2009-1142, CVE-2009-1143
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: ~1 [wait] CONFIDENTIAL 2009-??
Reported: 2009-04-02 00:37 UTC by Robert Buchholz (RETIRED)
Modified: 2022-12-07 10:41 UTC (History)
Description Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 00:37:17 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Thomas Biege reported the following flaws:

CVE-2009-1142
If vmware-user-suid-wrapper is setuid root and the function ChmodChownDirectory() (depends on define TOGGLE_VMBLOCK) is enabled it seems a local user can use links in /tmp to chown root:root arbitrary dirs and even chmod to 777.


CVE-2009-1143
mount.vmhgfs/hgfsmounter is dereferencing symlinks in the mount target (mountPoint) using "realpath()", not considering race conditions. This can be exploited to mount given shares to arbitrary targets.
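Added example, not part of the original report and not open-vm-tools code: both flaws above come from a privileged helper acting on a path that a local user can swap for a symlink, so this sketch shows the usual hardening, which is to open the directory once without following a final symlink and then check and modify it through the file descriptor. The helper name `chmod_dir_nofollow` and the demo paths are hypothetical.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from open-vm-tools): change the mode of a directory
 * only if `path` itself is a real directory owned by `owner`.
 * Returns 0 on success, -1 with errno set. */
int chmod_dir_nofollow(const char *path, uid_t owner, mode_t mode)
{
    struct stat st;
    int rc = -1, saved;
    /* O_NOFOLLOW rejects a symlink as the final path component, O_DIRECTORY
     * rejects non-directories. Parent components are still resolved normally. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* Check and change the same open object: no second path lookup to race. */
    if (fstat(fd, &st) == 0) {
        if (S_ISDIR(st.st_mode) && st.st_uid == owner)
            rc = fchmod(fd, mode);
        else
            errno = EPERM;
    }
    saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed demo: a private directory and a symlink pointing at it. */
int main(void)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX", lnk[64];
    if (!mkdtemp(dir))
        return 1;
    snprintf(lnk, sizeof lnk, "%s.lnk", dir);
    if (symlink(dir, lnk) != 0)
        return 1;
    printf("real dir: %d\n", chmod_dir_nofollow(dir, geteuid(), 0700));
    printf("symlink : %d\n", chmod_dir_nofollow(lnk, geteuid(), 0700));
    unlink(lnk);
    rmdir(dir);
    return 0;
}
```

The same descriptor can be passed to `fchown()`, so ownership changes get the same protection as the mode change.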
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-11-20 12:13:22 UTC
Mike, can you confirm if this is still a vulnerability that is present?  Details are somewhat sparse as the bug is still not publicly released and SUSE still has a restriction on their bug.
Comment 2 Mike Gilbert gentoo-dev 2016-11-20 16:00:28 UTC
Regarding CVE-2009-1142, the ChmodChownDirectory function seems to have been removed several years ago; based on the tags, all versions currently in the gentoo repo do not include it.

https://github.com/vmware/open-vm-tools/commit/76dccec4dd4002cec240e71e0042cdacfae6cca7


Regarding CVE-2009-1143, I still see realpath() being called, but I am not sure what race conditions might be present.

https://github.com/vmware/open-vm-tools/blob/stable-10.0.7/open-vm-tools/hgfsmounter/hgfsmounter.c#L1122
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-12-07 12:59:09 UTC
Please see previous comment.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2019-03-11 02:59:34 UTC
This is from 2016 - Can we close this bug?
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-26 19:28:21 UTC
This doesn't seem like an audit bug, but rather a regular security@ bug. Reassigning.

I'm not sure what to do here, I can't find any information on these CVEs 13 years later, MITRE only has them marked as reserved.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 02:18:06 UTC
Ping Mike?
Comment 7 Mike Gilbert gentoo-dev 2022-10-22 02:52:41 UTC
Both CVEs are public on SuSE's bugzilla. I don't see any reason to keep this bug private.

https://bugzilla.suse.com/show_bug.cgi?id=474285

https://bugzilla.suse.com/show_bug.cgi?id=372070

As I mentioned in comment 2, the code relevant to CVE-2009-1142 was removed a long time ago.

hgfsmounter was removed from the codebase before version 12.0.0 was tagged, which is relevant for CVE-2009-1143.

https://github.com/vmware/open-vm-tools/commit/61331a189a0eeb76f014db28288b06c0323bc0b9

I have removed all versions older than 12.1.0 today.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cc24260ca8a40bb5deb8bb64ba63e24c77cc3e7
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 04:14:13 UTC
Thank you! We can probably just call this fixed due to age, and because it was ~ in 2011 so unlikely any stable versions ever existed.
Comment 9 Alex 2022-12-06 15:16:04 UTC
Would you please give me a clear answer? Which OSes are affected? How can I find out whether my Linux is vulnerable or not?
Comment 10 Mike Gilbert gentoo-dev 2022-12-06 16:45:13 UTC
(In reply to Alex from comment #9)

If you use the latest stable version available in Gentoo, you should be covered.

I cannot speak about other distros.
Comment 11 Alex 2022-12-07 10:37:50 UTC
(In reply to Mike Gilbert from comment #10)
> (In reply to Alex from comment #9)
> 
> If you use the latest stable version available in Gentoo, you should be
> covered.
> 
> I cannot speak about other distros.


Is this vulnerability just on Gentoo? Because we have other distros such as Ubuntu that are using open-vm-tools.
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-12-07 10:41:04 UTC
No, it is not Gentoo specific. Per the above comments, it's unlikely that it affects newer versions. Please contact the vendor if you have questions, we can't help with other distros.