[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20031117203251.28290.qmail@sf-www2-symnsj.securityfocus.com>
Date: 17 Nov 2003 20:32:51 -0000
From: VMware <vmware-security-alert@...are.com>
To: bugtraq@...urityfocus.com
Subject: Re: VMWare GSX Server Authentication Server Buffer Overflow
Vulnerability - Update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VMware has investigated the vulnerability posted to this list on October 31, 2003 by dswofford@...g.com under the subject, "VMWare GSX Server Authentication Server Buffer Overflow Vulnerability - Update".
The original vulnerability report described how a connection to the VMware GSX Server 2.0.1 Authentication Service could be manipulated to cause the service to issue an error message warning of a buffer overflow.
VMware's findings are that the error message is incorrect and overly alarming - a buffer out of space condition has occured rather than a more serious buffer overflow. The error condition is not exploitable in the GSX Server 2.0.1 software. After generation of this error message as demonstrated by the original poster, users will not be able to execute code with improperly escalated privileges in GSX Server 2.0.1 or later.
The error condition reported also does not create a denial of service vulnerability. The condition results only in termination of that user's connection attempt, and not other connections to GSX Server.
This VMware Knowledge Base article restates the above:
http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1185
VMware has communicated with the original poster, and the original posting has been retracted. VMware is posting this reply so that our response is icnluded in archives of Bugtraq postings.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
iD8DBQE/uS+hLsZLrftG15MRAhacAKCQgqt2ZDpDAijvlsHqOXDzCkkEHQCeNcDc
y6RH/rJZ7VvIepJpm3J0zU0=
=4lef
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists