VMware ESXi Command Injection Vulnerability

Security Boulevard | September 26, 2019

VMware is the market leader in cloud infrastructure software, with over 41% market share. VMware ESXi is a bare-metal hypervisor that installs directly onto a physical server and partitions it into multiple virtual machines. The FortiGuard Labs team recently found that VMware ESXi is affected by a command injection vulnerability in the BusyBox utilities bundled with the hypervisor, tracked as CVE-2017-16544. The flaw is in the add_match function of BusyBox's line editor: when the shell tab-completes a filename, it copies matching directory entries into the completion list without sanitizing them, so control characters or terminal escape sequences embedded in a filename reach the terminal and the command line unchanged. A local attacker who can create or upload a file with a crafted filename can therefore have arbitrary commands run with the victim's privileges when the victim later tab-completes that name while trying to access, modify, or delete the file from the ESXi shell. A proof-of-concept file can be created with the vi editor by typing vi test' and Enter, then some_commands_here and Enter, then ' and Enter (the shell treats the unclosed quote as a multi-line argument), and saving the file; the resulting filename is test followed by a newline, the command, and another newline. The precondition for exploitation is write access to a directory that an administrator will later work in from the shell.
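To make the add_match behaviour concrete, the following is an added example written for this page; it is not BusyBox's or VMware's code. It models the completion match list with a toy add_match in two variants: the vulnerable one accepts every directory entry verbatim, and the hardened one mirrors the spirit of the upstream BusyBox fix by refusing to complete any name that contains control characters. It also renders such names in caret notation so an administrator can see an injected newline or ESC instead of having the terminal act on it. The directory entries, including a PoC-style name built the way the vi recipe above builds it, are constructed for the demo; the function names are this example's own.

```c
/* Added example: toy model of BusyBox tab-completion match handling
 * (CVE-2017-16544). Not BusyBox or VMware code; entries are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MATCHES 16

struct matches {
    char *names[MAX_MATCHES];
    int count;
};

/* Portable strdup replacement so the example builds under strict C99. */
static char *dup_name(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* True when the name carries any byte a terminal treats as a control
 * code (0x00-0x1f, 0x7f): this covers '\n', '\r', ESC and BEL. */
int has_control_chars(const char *name)
{
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 1;
    return 0;
}

/* Vulnerable variant: every match is stored as-is, so a name containing
 * a newline or escape sequence is later written to the terminal intact. */
void add_match_unsafe(struct matches *m, const char *name)
{
    if (m->count < MAX_MATCHES)
        m->names[m->count++] = dup_name(name);
}

/* Hardened variant: drop the match before it can be echoed or inserted
 * into the command line. Returns 1 if kept, 0 if rejected. */
int add_match_safe(struct matches *m, const char *name)
{
    if (has_control_chars(name))
        return 0;
    add_match_unsafe(m, name);
    return 1;
}

/* Complete `prefix` against a NULL-terminated entry list using the chosen
 * add_match variant; returns the number of matches kept. */
int complete(struct matches *m, const char *prefix,
             const char *const *entries, int safe)
{
    memset(m, 0, sizeof *m);
    size_t n = strlen(prefix);
    for (; *entries; entries++) {
        if (strncmp(*entries, prefix, n) != 0)
            continue;
        if (safe)
            add_match_safe(m, *entries);
        else
            add_match_unsafe(m, *entries);
    }
    return m->count;
}

/* Render a name with control bytes in caret notation ('\n' -> "^J",
 * ESC -> "^["), so it can be displayed without the terminal acting on it. */
void render_safe(const char *name, char *out, size_t outsz)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)name;
         *p && o + 3 < outsz; p++) {
        if (*p < 0x20)        { out[o++] = '^'; out[o++] = (char)(*p + 0x40); }
        else if (*p == 0x7f)  { out[o++] = '^'; out[o++] = '?'; }
        else                  { out[o++] = (char)*p; }
    }
    out[o] = '\0';
}

void free_matches(struct matches *m)
{
    for (int i = 0; i < m->count; i++)
        free(m->names[i]);
    m->count = 0;
}

/* Constructed listing: entry 2 is the vi-built PoC name ("test", newline,
 * command, newline); entry 3 carries an OSC title-setting escape sequence. */
const char *const demo_entries[] = {
    "test.log",
    "test\nsome_commands_here\n",
    "test\x1b]0;owned\x07",
    "readme",
    NULL
};

int main(void)
{
    struct matches m;
    char buf[128];
    int n = complete(&m, "test", demo_entries, 0);
    printf("unsafe completion kept %d matches:\n", n);
    for (int i = 0; i < m.count; i++) {
        render_safe(m.names[i], buf, sizeof buf);
        printf("  %s\n", buf);
    }
    free_matches(&m);
    n = complete(&m, "test", demo_entries, 1);
    printf("safe completion kept %d match(es): %s\n", n, m.names[0]);
    free_matches(&m);
    return 0;
}
```

The check in has_control_chars is the practical one to reuse: the same test, run over a datastore or home directory listing, flags filenames that would trigger this class of bug in any unpatched line editor, and caret rendering is how to print them while triaging.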
