Bug 2158066 (CVE-2009-1143)

Summary: CVE-2009-1143 open-vm-tools: access bypass due to realpath race condition in mount.vmhgfs (aka hgfsmounter)
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact: ldu <ldu>
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: cavery, ddepaula, eterrell, jen, jferlan, jsavanyo, jwolfe, kyoshida, ldu, leiwang, mrezanin, ravindrakumar, rjones, virt-maint, yacao
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: open-vm-tools stable-12.0.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in open-vm-tools. This flaw allows local users to bypass intended access restrictions on mounting shares via a symlink attack that leverages a realpath race condition in mount.vmhgfs (aka hgfsmounter).
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-04-13 10:03:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2159713, 2159714
Bug Blocks: 2158067

Description TEJ RATHI 2023-01-04 05:52:22 UTC
An issue was discovered in open-vm-tools 2009.03.18-154848. Local users can bypass intended access restrictions on mounting shares via a symlink attack that leverages a realpath race condition in mount.vmhgfs (aka hgfsmounter).

https://bugs.gentoo.org/264577
https://bugzilla.suse.com/show_bug.cgi?id=372070
https://github.com/vmware/open-vm-tools/releases/tag/2009.03.18-154848
https://github.com/vmware/open-vm-tools/commit/61331a189a0eeb76f014db28288b06c0323bc0b9 (stable-12.0.0)
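
The realpath race described above, as an added example (not open-vm-tools code, and not a reconstruction of the removed mount.vmhgfs source): a check-then-use path validation built on realpath() beside a hardened component-by-component open with O_NOFOLLOW that keeps the descriptor it validated. The function names and the temporary-directory fixture are constructed for this demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: canonicalise the string, check it, then reuse the string. Between
 * check and use a local user can swap a component for a symlink the check never saw. */
static int racy_is_under(const char *path, const char *root) {
    char canon[PATH_MAX];
    size_t n = strlen(root);
    if (!realpath(path, canon)) return 0;
    return strncmp(canon, root, n) == 0 && (canon[n] == '/' || canon[n] == '\0');
}

/* Hardened: open each component relative to the already-open parent with
 * O_NOFOLLOW|O_DIRECTORY, so a symlink at any step fails (ELOOP) instead of being
 * followed and ".." cannot climb out. The returned fd is what the caller should use. */
static int open_under_nofollow(int root_fd, const char *rel) {
    char buf[PATH_MAX];
    if (rel[0] == '/' || strlen(rel) >= sizeof buf) return -1;
    strcpy(buf, rel);
    int cur = dup(root_fd);
    for (char *c = strtok(buf, "/"); c && cur >= 0; c = strtok(NULL, "/")) {
        int next = strcmp(c, "..") ? openat(cur, c, O_RDONLY | O_NOFOLLOW | O_DIRECTORY | O_CLOEXEC) : -1;
        close(cur);
        cur = next;
    }
    return cur;
}

/* Constructed fixture: a temp root holding "real" (directory) and "link" (symlink to
 * /tmp, outside the root). Returns 1 when the hardened walk opens "real" but refuses "link". */
int demo_symlink_rejected(void) {
    char tmpl[] = "/tmp/hgfsdemoXXXXXX", croot[PATH_MAX], real[PATH_MAX], link[PATH_MAX];
    char *root = mkdtemp(tmpl) ? realpath(tmpl, croot) : NULL; if (!root) return 0;
    snprintf(real, sizeof real, "%s/real", root);
    snprintf(link, sizeof link, "%s/link", root);
    if (mkdir(real, 0700) || symlink("/tmp", link)) return 0;
    int root_fd = open(root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int fd_real = open_under_nofollow(root_fd, "real");
    int fd_link = open_under_nofollow(root_fd, "link");
    int ok = fd_real >= 0 && fd_link < 0 && racy_is_under(real, root) && !racy_is_under(link, root);
    if (fd_real >= 0) close(fd_real);
    close(root_fd); unlink(link); rmdir(real); rmdir(root);
    return ok;
}
```

Note that racy_is_under() gives the right answer at the instant it runs; the defect is that the mount that follows performs a second lookup of the same string, which is the window the hardened variant removes by never letting go of the opened descriptor.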

Comment 4 John Wolfe 2023-01-16 17:35:37 UTC
Can someone explain why CVE-2009-1142 is relative to currently supported releases of open-vm-tools currently in use on Red Hat systems?

It appears that the offending code only concerned FreeBSD or Solaris guests and the code was removed from the open-vm-tools source in March of 2011.  See the last URL in this bug description.  As the git commit log is cumulative, accessing that URL

   https://github.com/vmware/open-vm-tools/commit/76dccec4dd4002cec240e71e0042cdacfae6cca7 (2011.03.28-387002)

shows the removal of the code in the history of the current 12.1.5 open-vm-tools (tag stable-12.1.5)

That is the only information that can be derived from this bug report.  The "depends" or "blocks" bugs are locked; the reason for this bug is not apparent from the information that is available.

If there is an issue that VMware needs to address, we will need some more details.

Comment 5 Richard W.M. Jones 2023-01-16 17:47:43 UTC
FWIW I'm also confused about why a ~14y.o. bug has been resurrected.

Comment 6 John Wolfe 2023-01-16 18:45:19 UTC
@trathi 

Sorry, my previous comment 4 was about CVE-2009-1142; some of the links referenced both CVE-2009-1142 and CVE-2009-1143.

The removal of the ability of the hgfsmounter (mount.vmhgfs) command referenced in 
   https://github.com/vmware/open-vm-tools/commit/61331a189a0eeb76f014db28288b06c0323bc0b9

actually occurred in open-vm-tools 11.3.5.   Since the git commit log is cumulative, that change history will appear in the git logs of every open-vm-tools release since 11.3.5.

The mount.vmhgfs command has to do with the mount of the HGFS filesystem using the vmblock.ko driver on Linux.  I do not believe that VMware driver was ever uploaded to the Linux source tree and that all currently supported Red Hat open-vm-tools releases are using hgfs-fuse.

The actual removal of the command source had happened earlier and the change referenced here is simply some tech debt cleanup in the configure/make files.

Comment 7 TEJ RATHI 2023-01-25 06:25:14 UTC
The hgfsmounter (mount.vmhgfs) command has been removed from open-vm-tools in 11.3.5 - https://github.com/vmware/open-vm-tools/blob/stable-11.3.5/ReleaseNotes.md.

RHEL-8.6.z and above are not affected, whereas RHEL-8.4.z and lower still use affected versions.