漏洞类别:VMware
漏洞等级: 
漏洞信息
VMware vCenter is the centralized management tool for the vSphere suite. The target is missing Update 3b, which corrects the following security issue:
A local user on the host system can exploit an insecure library loading flaw in the LD_LIBRARY_PATH variable and cause the target user to load an arbitrary shared library to obtain elevated privileges on the host system [CVE-2017-4921].
The service startup script uses directories with world writable permissions for storing critical information in temporary files [CVE-2017-4922]. A local user on the host system can access critical information when the service is restarted.
A local user can exploit a flaw in the vCenter Server Appliance file-based backup feature to obtain plaintext credentials [CVE-2017-4923].
漏洞危害
A local user on the guest system can gain elevated privileges on the guest system.
A local user on the host system can gain elevated privileges on the host system.
A local user can obtain potentially sensitive information on the target system.
A local user can obtain passwords on the target system.
解决方案
VMware has issued a fix (vCenter Server 6.5 U1).
Upgrade vCenter Server Appliance to Build 5973321 or apply the latest VMware vCenter Server Appliance build.
Refer to VMSA-2017-0013 for further details.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0daybank
文章评论