Bug 2158066 (CVE-2009-1143) - CVE-2009-1143 open-vm-tools: access bypass due to realpath race condition in mount.vmhgfs (aka hgfsmounter)
Summary: CVE-2009-1143 open-vm-tools: access bypass due to realpath race condition in ...
Keywords:
Status: NEW
Alias: CVE-2009-1143
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: ldu
URL:
Whiteboard:
Depends On: 2159713 2159714
Blocks: 2158067
TreeView+ depends on / blocked
 
Reported: 2023-01-04 05:52 UTC by TEJ RATHI
Modified: 2023-01-25 06:25 UTC (History)
15 users (show)

Fixed In Version: open-vm-tools stable-12.0.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in open-vm-tools. This flaw allows local users to bypass intended access restrictions on mounting shares via a symlink attack that leverages a realpath race condition in mount.vmhgfs (aka hgfsmounter).
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description TEJ RATHI 2023-01-04 05:52:22 UTC
An issue was discovered in open-vm-tools 2009.03.18-154848. Local users can bypass intended access restrictions on mounting shares via a symlink attack that leverages a realpath race condition in mount.vmhgfs (aka hgfsmounter).

https://bugs.gentoo.org/264577
https://bugzilla.suse.com/show_bug.cgi?id=372070
https://github.com/vmware/open-vm-tools/releases/tag/2009.03.18-154848
https://github.com/vmware/open-vm-tools/commit/61331a189a0eeb76f014db28288b06c0323bc0b9 (stable-12.0.0)

Comment 4 John Wolfe 2023-01-16 17:35:37 UTC
Can someone explain why CVE-2009-1142 is relative to currently supported releases of open-vm-tools currently in use on Red Hat systems?

It appears that the offending code only concerned FreeBSD or Solaris guests and the code was removed from the open-vm-tools source in March of 2011.  See the last URL in this bug description.  As the git commit log is cummulative, accessing that URL

   https://github.com/vmware/open-vm-tools/commit/76dccec4dd4002cec240e71e0042cdacfae6cca7 (2011.03.28-387002)

shows the removal of the code in the history of the current 12.1.5 open-vm-tools (tag stable-12.1.5)

That is the only information that can be derived from this bug report.  The "depends" or "blocks" bugs are locked; the reason for this bug is not apparent from the information that is available.

If there is an issue that Vmware needs to address, we will need some more details.

Comment 5 Richard W.M. Jones 2023-01-16 17:47:43 UTC
FWIW I'm also confused about why a ~14y.o. bug has been resurrected.

Comment 6 John Wolfe 2023-01-16 18:45:19 UTC
@trathi 

Sorry, my previous comment 4 was about CVE-2009-1142; some of the links referenced both CVE-2009-1142 and CVE-2009-1143.

The removal of the ability of the hgfsmounter (mount.vmhgfs) command referenced in 
   https://github.com/vmware/open-vm-tools/commit/61331a189a0eeb76f014db28288b06c0323bc0b9

actually occurred in open-vm-tools 11.3.5.   Since the git commit log is cumulative, that change history will appear in the git logs of every open-vm-tools releases since 11.3.5.

The mount.vmhgfs command has to do with the mount of the HGFS filesystem using the vmblock.ko driver on Linux.  I do not believe that vmware driver was every uploaded to the Linux source tree and that all currently supported Red Hat open-vm-tools releases are using hgfs-fuse.

The actual removal of the command source had happened earlier and the change referenced here is simply some tech debt clean up in the congifigure/make files.

Comment 7 TEJ RATHI 2023-01-25 06:25:14 UTC
The hgfsmounter (mount.vmhgfs) command has been removed from open-vm-tools in 11.3.5 - https://github.com/vmware/open-vm-tools/blob/stable-11.3.5/ReleaseNotes.md.

Rhel-8.6.z and above are not affected, whereas RHEL-8.4.z and lower still uses affected versions.


Note You need to log in before you can comment on or make changes to this bug.