Bug 2158065 (CVE-2009-1142) - CVE-2009-1142 open-vm-tools: privilege escalation if vmware-user-suid-wrapper is setuid root and the ChmodChownDirectory function is enabled
Summary: CVE-2009-1142 open-vm-tools: privilege escalation if vmware-user-suid-wrapper...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2009-1142
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: ldu
URL:
Whiteboard:
Depends On: 2160322 2160323 2160324
Blocks: 2158067
TreeView+ depends on / blocked
 
Reported: 2023-01-04 05:52 UTC by TEJ RATHI
Modified: 2023-01-26 07:52 UTC (History)
14 users (show)

Fixed In Version: open-vm-tools 2011.03.28-387002
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in open-vm-tools. This flaw allows local users to gain privileges via a symlink attack on /tmp files if the vmware-user-suid-wrapper is the setuid root and the ChmodChownDirectory function is enabled.
Clone Of:
Environment:
Last Closed: 2023-01-26 07:52:14 UTC
Embargoed:


Attachments (Terms of Use)

Description TEJ RATHI 2023-01-04 05:52:20 UTC
An issue was discovered in open-vm-tools 2009.03.18-154848. Local users can gain privileges via a symlink attack on /tmp files if vmware-user-suid-wrapper is setuid root and the ChmodChownDirectory function is enabled.

https://bugs.gentoo.org/264577
https://bugzilla.suse.com/show_bug.cgi?id=474285
https://github.com/vmware/open-vm-tools/releases/tag/2009.03.18-154848
https://github.com/vmware/open-vm-tools/commit/76dccec4dd4002cec240e71e0042cdacfae6cca7 (2011.03.28-387002)

Comment 1 Cathy Avery 2023-01-04 19:48:51 UTC
I looked at our open-vm-tools branches. All branches contained the introduction of TOGGLE_VMBLOCK/ChmodChownDirectory commit 1f9b3d7ffdb1dbd1f9b855bcd61c98676026e85e and all branches contained the removal commit 76dccec4dd4002cec240e71e0042cdacfae6cca7. Plus I doubt we would build with TOGGLE_VMBLOCK on anyway. So this should not be a problem.

Comment 2 Cathy Avery 2023-01-04 19:50:19 UTC
Mirek do you concur?

Comment 3 TEJ RATHI 2023-01-12 04:45:22 UTC
Created open-vm-tools tracking bugs for this issue:

Affects: fedora-all [bug 2160322]

Comment 7 John Wolfe 2023-01-16 17:34:31 UTC
Can someone explain why CVE-2009-1142 is relative to currently supported releases of open-vm-tools currently in use on Red Hat systems?

It appears that the offending code only concerned FreeBSD or Solaris guests and the code was removed from the open-vm-tools source in March of 2011.  See the last URL in this bug description.  As the git commit log is cummulative, accessing that URL

   https://github.com/vmware/open-vm-tools/commit/76dccec4dd4002cec240e71e0042cdacfae6cca7 (2011.03.28-387002)

shows the removal of the code in the history of the current 12.1.5 open-vm-tools (tag stable-12.1.5)

That is the only information that can be derived from this bug report.  The "depends" or "blocks" bugs are locked; the reason for this bug is not apparent from the information that is available.

If there is an issue that Vmware needs to address, we will need some more details.

Comment 9 Cathy Avery 2023-01-17 12:36:12 UTC
(In reply to John Wolfe from comment #7)
> Can someone explain why CVE-2009-1142 is relative to currently supported
> releases of open-vm-tools currently in use on Red Hat systems?
> 
> It appears that the offending code only concerned FreeBSD or Solaris guests
> and the code was removed from the open-vm-tools source in March of 2011. 
> See the last URL in this bug description.  As the git commit log is
> cummulative, accessing that URL
> 
>   
> https://github.com/vmware/open-vm-tools/commit/
> 76dccec4dd4002cec240e71e0042cdacfae6cca7 (2011.03.28-387002)
> 
> shows the removal of the code in the history of the current 12.1.5
> open-vm-tools (tag stable-12.1.5)
> 
> That is the only information that can be derived from this bug report.  The
> "depends" or "blocks" bugs are locked; the reason for this bug is not
> apparent from the information that is available.
> 
> If there is an issue that Vmware needs to address, we will need some more
> details.

Hi John,

The offending code has been verified as not present in our releases so this is a non issue.

Thanks!

Comment 11 Product Security DevOps Team 2023-01-26 07:52:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2009-1142


Note You need to log in before you can comment on or make changes to this bug.