Bug 2158065 (CVE-2009-1142)

Summary: CVE-2009-1142 open-vm-tools: privilege escalation if vmware-user-suid-wrapper is setuid root and the ChmodChownDirectory function is enabled
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact: ldu <ldu>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cavery, ddepaula, eterrell, jen, jferlan, jsavanyo, jwolfe, kyoshida, ldu, leiwang, mrezanin, ravindrakumar, virt-maint, yacao
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: open-vm-tools 2011.03.28-387002 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in open-vm-tools. This flaw allows local users to gain privileges via a symlink attack on /tmp files if the vmware-user-suid-wrapper is the setuid root and the ChmodChownDirectory function is enabled.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-26 07:52:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2160322, 2160323, 2160324    
Bug Blocks: 2158067    

Description TEJ RATHI 2023-01-04 05:52:20 UTC 
An issue was discovered in open-vm-tools 2009.03.18-154848. Local users can gain privileges via a symlink attack on /tmp files if vmware-user-suid-wrapper is setuid root and the ChmodChownDirectory function is enabled.

https://bugs.gentoo.org/264577
https://bugzilla.suse.com/show_bug.cgi?id=474285
https://github.com/vmware/open-vm-tools/releases/tag/2009.03.18-154848
https://github.com/vmware/open-vm-tools/commit/76dccec4dd4002cec240e71e0042cdacfae6cca7 (2011.03.28-387002)
Comment 1 Cathy Avery 2023-01-04 19:48:51 UTC 
I looked at our open-vm-tools branches. All branches contained the introduction of TOGGLE_VMBLOCK/ChmodChownDirectory commit 1f9b3d7ffdb1dbd1f9b855bcd61c98676026e85e and all branches contained the removal commit 76dccec4dd4002cec240e71e0042cdacfae6cca7. Plus I doubt we would build with TOGGLE_VMBLOCK on anyway. So this should not be a problem.
Comment 2 Cathy Avery 2023-01-04 19:50:19 UTC 
Mirek do you concur?
Comment 3 TEJ RATHI 2023-01-12 04:45:22 UTC 
Created open-vm-tools tracking bugs for this issue:

Affects: fedora-all [bug 2160322]
Comment 7 John Wolfe 2023-01-16 17:34:31 UTC 
Can someone explain why CVE-2009-1142 is relative to currently supported releases of open-vm-tools currently in use on Red Hat systems?

It appears that the offending code only concerned FreeBSD or Solaris guests and the code was removed from the open-vm-tools source in March of 2011.  See the last URL in this bug description.  As the git commit log is cummulative, accessing that URL

   https://github.com/vmware/open-vm-tools/commit/76dccec4dd4002cec240e71e0042cdacfae6cca7 (2011.03.28-387002)

shows the removal of the code in the history of the current 12.1.5 open-vm-tools (tag stable-12.1.5)

That is the only information that can be derived from this bug report.  The "depends" or "blocks" bugs are locked; the reason for this bug is not apparent from the information that is available.

If there is an issue that Vmware needs to address, we will need some more details.
Comment 9 Cathy Avery 2023-01-17 12:36:12 UTC 
(In reply to John Wolfe from comment #7)
> Can someone explain why CVE-2009-1142 is relative to currently supported
> releases of open-vm-tools currently in use on Red Hat systems?
> 
> It appears that the offending code only concerned FreeBSD or Solaris guests
> and the code was removed from the open-vm-tools source in March of 2011. 
> See the last URL in this bug description.  As the git commit log is
> cummulative, accessing that URL
> 
>   
> https://github.com/vmware/open-vm-tools/commit/
> 76dccec4dd4002cec240e71e0042cdacfae6cca7 (2011.03.28-387002)
> 
> shows the removal of the code in the history of the current 12.1.5
> open-vm-tools (tag stable-12.1.5)
> 
> That is the only information that can be derived from this bug report.  The
> "depends" or "blocks" bugs are locked; the reason for this bug is not
> apparent from the information that is available.
> 
> If there is an issue that Vmware needs to address, we will need some more
> details.

Hi John,

The offending code has been verified as not present in our releases so this is a non issue.

Thanks!
Comment 11 Product Security DevOps Team 2023-01-26 07:52:11 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2009-1142