IPS-1 Protection for VMWare DHCP Vulnerability (DHCP Version 7)

• EMC VMWare ACE 1 prior to 1.0.4
• EMC VMWare ACE 2 prior to 2.0.1
• EMC VMWare Player 1 prior to 1.0.5
• EMC VMWare Player 2 prior to 2.0.1
• EMC VMWare Server 1 Prior to 1.0.4
• EMC VMWare Workstation 6 prior to 6.0.1
• EMC VMWare Workstation 5 prior to 5.5.5

 

The DHCP service provided by the VMWare host machine is used to assign IP addresses to hosts on a Virtual network.  This service contains a vulnerability that is observed when processing UDP datagrams.  If a UDP datagram destined for the DHCP service contains a malformed/incomplete header, an erroneous payload size calculation triggers an integer underflow.  This results in an extremely large value for the payload size that can overrun an internal UDP payload destination buffer.

Successful exploitation of this vulnerability can result in arbitrary code execution on the host machine, and granted root (Unix workstations) or SYSTEM (Windows) privilege.

It is observed that although it is theoretically possible, under certain host routing constraints, to trigger the underflow from outside of the virtual host network, it is probable that code execution is not likely, due to additional data appended to the request.