Re: VMWare GSX Server Authentication Server Buffer Overflow Vulnerability - Update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VMware has investigated the vulnerability posted to this list on October 31,
2003 by dswofford@xxxxxxxx under the subject, "VMWare GSX Server Authentication
Server Buffer Overflow Vulnerability - Update".
The original vulnerability report described how a connection to the VMware GSX
Server 2.0.1 Authentication Service could be manipulated to cause the service
to issue an error message warning of a buffer overflow.
VMware's findings are that the error message is incorrect and overly alarming -
a buffer out of space condition has occured rather than a more serious buffer
overflow. The error condition is not exploitable in the GSX Server 2.0.1
software. After generation of this error message as demonstrated by the
original poster, users will not be able to execute code with improperly
escalated privileges in GSX Server 2.0.1 or later.
The error condition reported also does not create a denial of service
vulnerability. The condition results only in termination of that user's
connection attempt, and not other connections to GSX Server.
This VMware Knowledge Base article restates the above:
http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1185
VMware has communicated with the original poster, and the original posting has
been retracted. VMware is posting this reply so that our response is icnluded
in archives of Bugtraq postings.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
iD8DBQE/uS+hLsZLrftG15MRAhacAKCQgqt2ZDpDAijvlsHqOXDzCkkEHQCeNcDc
y6RH/rJZ7VvIepJpm3J0zU0=
=4lef
-----END PGP SIGNATURE-----