Bug 2158066 (CVE-2009-1143)
Summary: | CVE-2009-1143 open-vm-tools: access bypass due to realpath race condition in mount.vmhgfs (aka hgfsmounter) | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | TEJ RATHI <trathi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | ldu <ldu> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | cavery, ddepaula, eterrell, jen, jferlan, jsavanyo, jwolfe, kyoshida, ldu, leiwang, mrezanin, ravindrakumar, rjones, virt-maint, yacao |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | open-vm-tools stable-12.0.0 | Doc Type: | If docs needed, set a value |
Doc Text: | A vulnerability was found in open-vm-tools. This flaw allows local users to bypass intended access restrictions on mounting shares via a symlink attack that leverages a realpath race condition in mount.vmhgfs (aka hgfsmounter). |
Last Closed: | 2023-04-13 10:03:55 UTC |
Bug Depends On: | 2159713, 2159714 | ||
Bug Blocks: | 2158067 |
Description
TEJ RATHI
2023-01-04 05:52:22 UTC
Can someone explain why CVE-2009-1142 is relative to currently supported releases of open-vm-tools currently in use on Red Hat systems? It appears that the offending code only concerned FreeBSD or Solaris guests and the code was removed from the open-vm-tools source in March of 2011. See the last URL in this bug description. As the git commit log is cumulative, accessing that URL https://github.com/vmware/open-vm-tools/commit/76dccec4dd4002cec240e71e0042cdacfae6cca7 (2011.03.28-387002) shows the removal of the code in the history of the current 12.1.5 open-vm-tools (tag stable-12.1.5).

That is the only information that can be derived from this bug report. The "depends" or "blocks" bugs are locked; the reason for this bug is not apparent from the information that is available. If there is an issue that VMware needs to address, we will need some more details. FWIW I'm also confused about why a ~14y.o. bug has been resurrected.

@trathi Sorry, my previous comment 4 was about CVE-2009-1142; some of the links referenced both CVE-2009-1142 and CVE-2009-1143. The removal of the ability of the hgfsmounter (mount.vmhgfs) command referenced in https://github.com/vmware/open-vm-tools/commit/61331a189a0eeb76f014db28288b06c0323bc0b9 actually occurred in open-vm-tools 11.3.5. Since the git commit log is cumulative, that change history will appear in the git logs of every open-vm-tools release since 11.3.5.

The mount.vmhgfs command has to do with the mount of the HGFS filesystem using the vmblock.ko driver on Linux. I do not believe that VMware driver was ever uploaded to the Linux source tree and that all currently supported Red Hat open-vm-tools releases are using hgfs-fuse. The actual removal of the command source had happened earlier and the change referenced here is simply some tech debt clean up in the configure/make files.

The hgfsmounter (mount.vmhgfs) command has been removed from open-vm-tools in 11.3.5 - https://github.com/vmware/open-vm-tools/blob/stable-11.3.5/ReleaseNotes.md. RHEL-8.6.z and above are not affected, whereas RHEL-8.4.z and lower still use affected versions.