Knowledge Base

VMware Security Advisory VMSA-2006-0002: VMware Server Sensitive Information Lifetime Issue
Details
What is VMSA-2006-0002 VMware Server sensitive information lifetime issue?
Solution
| VMware Security Advisory | |
|---|---|
| Advisory ID: | VMSA-2006-0002 |
| Synopsis: | VMware Server sensitive information lifetime issue |
| Advisory URL: | http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=2124 |
| Issue date: | 2006-06-01 |
| Updated on: | 2006-06-01 |
| CVE Identifier: | CVE-2006-2662 |
Summary
VMware Server doesn't limit the lifetime of sensitive data.
VMware has rated the severity of this issue as a Priority 3 issue according to VMware's Security Response Policy.
Relevant Release
VMware Server prior to RC1.
Problem Description
When a console connection is made using VMware Server, user credentials are kept in memory.
To obtain this information, an attacker must have local access to the system and read access to its memory, or access to memory crash information.
This is only a danger if the attacker already has privileged access to your system.
The Common Vulnerabilities and Exposures (CVE) project has assigned the unique identifier CVE-2006-2662 to this issue.
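The data-lifetime problem described above can be illustrated with a short C sketch of the usual mitigation, which is to wipe the credential buffer as soon as authentication finishes. This is an added example, not VMware Server code and not the vendor's fix; `console_login`, `check_password`, `secure_wipe`, `buffer_is_clear`, the `session` struct and the sample credentials are all hypothetical names and constructed values.

```c
#include <stdio.h>
#include <string.h>

/* Zero a buffer through a volatile pointer so the compiler cannot discard
 * the writes as dead stores, which can happen to a plain memset(). */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

/* Hypothetical stand-in for the real credential check (constructed values). */
static int check_password(const char *user, const char *pw) {
    return strcmp(user, "admin") == 0 && strcmp(pw, "constructed-sample-pw") == 0;
}

/* State that outlives the login: the outcome is kept, the secret is not. */
struct session {
    char user[32];
    int authenticated;
};

/* Authenticate, then wipe the whole password buffer on success and on
 * failure, so the credential lives only as long as the check itself. */
int console_login(struct session *s, const char *user, char *pw_buf, size_t pw_cap) {
    int ok = check_password(user, pw_buf);
    secure_wipe(pw_buf, pw_cap);
    memset(s, 0, sizeof *s);
    snprintf(s->user, sizeof s->user, "%s", user);
    s->authenticated = ok;
    return ok;
}

/* Returns 1 when no non-zero byte remains in the buffer. */
int buffer_is_clear(const void *buf, size_t len) {
    const unsigned char *p = (const unsigned char *)buf;
    for (size_t i = 0; i < len; i++)
        if (p[i] != 0) return 0;
    return 1;
}

int main(void) {
    char pw[64] = "constructed-sample-pw"; /* constructed sample input */
    struct session s;
    int ok = console_login(&s, "admin", pw, sizeof pw);
    printf("authenticated=%d buffer_clear=%d\n", ok, buffer_is_clear(pw, sizeof pw));
    return 0;
}
```

Wiping covers only the buffer the program controls; copies made by I/O layers, swap, or crash dumps taken while the check is running are separate exposure paths.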
Solution
Upgrade to the latest version of VMware Server. Download the packages at www.vmware.com/download/server/.
References
References specific to this security advisory include:
- The VMware Server product page at www.vmware.com/products/server/.
- Understanding Data Lifetime via Whole System Simulation at www.stanford.edu/~blp/papers/taint.pdf
Also see the VMware Security Response Policy at www.vmware.com/support/policies/security_response.html.
Acknowledgments
VMware would like to thank Bart Vanautgaerden for reporting this issue.
Contact
Refer to www.vmware.com/security.
Keywords
- KB Article: 2124
- Updated: Aug 14, 2009
- Products:
VMware Server

