Signature Detail

APP: VMware Authorization Service User Credential Parsing Denial of Service

A denial of service vulnerability has been reported in the authorization service of some VMware products. The flaw is due to a design error when processing login requests. An attacker can exploit this vulnerability by supplying malicious USER or PASS strings to the target host. Successful exploitation would result on the termination of the "vmware-authd" process causing a denial of service condition.

Extended Description

VMware Player and Workstation are prone to a remote denial-of-service vulnerability because the applications fail to perform adequate validation checks on user-supplied input. An attacker can exploit this issue to crash the 'vmware-authd' process, denying service to legitimate users. NOTE: This issue was also covered in BID 39345 (VMware Hosted Products VMSA-2010-0007 Multiple Remote and Local Vulnerabilities); this BID is being retained to properly document the issue.

Affected Products

• VMWare ACE 2.5.0 build 118166
• VMWare ACE 2.5.1
• VMWare ACE 2.5.2
• VMWare ACE 2.5.2 build 156735
• VMWare ACE 2.5.3 Build 185404
• VMWare ACE 2.6
• VMWare Player 2.5.0 Build 118166
• VMWare Player 2.5.1
• VMWare Player 2.5.2
• VMWare Player 2.5.2 Build 156735
• VMWare Player 2.5.3
• VMWare Player 2.5.3 Build 185404
• VMWare Player 2.5.4
• VMWare Player 3.0
• VMWare Workstation 6.5.0 Build 118166
• VMWare Workstation 6.5.1
• VMWare Workstation 6.5.2
• VMWare Workstation 6.5.2 Build 156735
• VMWare Workstation 6.5.3
• VMWare Workstation 6.5.3 Build 185404
• VMWare Workstation 7.0

References

• BugTraq: 36630