1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
https://bugs.gentoo.org/963579
https://github.com/vmware/open-vm-tools/tree/CVE-2025-41244.patch
From 7b6f212c40f13060f97a715e838137cbab2f47ad Mon Sep 17 00:00:00 2001
From: John Wolfe <john.wolfe@broadcom.com>
Date: Wed, 17 Sep 2025 21:51:54 -0700
Subject: [PATCH] [PATCH] SDMP: Service Discovery Plugin
Address CVE-2025-41244
- Disable (default) the execution of the SDMP get-versions.sh script.
With the Linux SDMP get-versions.sh script disabled, version information
of installed services will not be made available to VMware Aria.
All files being updated should be consider to have the copyright
updated to:
* Copyright (c) XXXX-2025 Broadcom. All Rights Reserved.
* The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
The 2025 Broadcom copyright information update is not part of this
patch set to allow the patch to be easily applied to previous
open-vm-tools source releases.
--- a/services/plugins/serviceDiscovery/serviceDiscovery.c
+++ b/services/plugins/serviceDiscovery/serviceDiscovery.c
@@ -122,6 +122,12 @@ static gchar* scriptInstallDir = NULL;
#define CONFNAME_SERVICEDISCOVERY_CACHEDATA "cache-data"
#define SERVICE_DISCOVERY_CONF_DEFAULT_CACHEDATA TRUE
+/*
+ * Defines the configuration to enable/disable version obtaining logic
+ */
+#define CONFNAME_SERVICEDISCOVERY_VERSION_CHECK "version-check-enabled"
+#define SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK FALSE
+
/*
* Define the configuration to require at least one subscriber subscribed for
* the gdp message.
@@ -1265,23 +1271,27 @@ ServiceDiscoveryServerShutdown(gpointer src,
*
* Construct final paths of the scripts that will be used for execution.
*
+ * @param[in] versionCheckEnabled TRUE to include the SERVICE_DISCOVERY_KEY_VERSIONS
+ * entry; FALSE to skip it (derived from config).
+ *
*****************************************************************************
*/
static void
-ConstructScriptPaths(void)
+ConstructScriptPaths(Bool versionCheckEnabled)
{
int i;
#if !defined(OPEN_VM_TOOLS)
gchar *toolsInstallDir;
#endif
+ int insertIndex = 0;
if (gFullPaths != NULL) {
return;
}
gFullPaths = g_array_sized_new(FALSE, TRUE, sizeof(KeyNameValue),
- ARRAYSIZE(gKeyScripts));
+ ARRAYSIZE(gKeyScripts) - (versionCheckEnabled ? 0u : 1u));
if (scriptInstallDir == NULL) {
#if defined(OPEN_VM_TOOLS)
scriptInstallDir = Util_SafeStrdup(VMTOOLS_SERVICE_DISCOVERY_SCRIPTS);
@@ -1293,6 +1303,15 @@ ConstructScriptPaths(void)
#endif
}
for (i = 0; i < ARRAYSIZE(gKeyScripts); ++i) {
+ /*
+ * Skip adding if:
+ * 1. Version check is disabled, AND
+ * 2. The keyName matches SERVICE_DISCOVERY_KEY_VERSIONS
+ */
+ if (!versionCheckEnabled &&
+ g_strcmp0(gKeyScripts[i].keyName, SERVICE_DISCOVERY_KEY_VERSIONS) == 0) {
+ continue;
+ }
KeyNameValue tmp;
tmp.keyName = g_strdup_printf("%s", gKeyScripts[i].keyName);
#if defined(_WIN32)
@@ -1300,7 +1319,8 @@ ConstructScriptPaths(void)
#else
tmp.val = g_strdup_printf("%s%s%s", scriptInstallDir, DIRSEPS, gKeyScripts[i].val);
#endif
- g_array_insert_val(gFullPaths, i, tmp);
+ g_array_insert_val(gFullPaths, insertIndex, tmp);
+ insertIndex++;
}
}
@@ -1366,14 +1386,20 @@ ToolsOnLoad(ToolsAppCtx *ctx)
}
};
gboolean disabled;
+ Bool versionCheckEnabled;
regData.regs = VMTools_WrapArray(regs,
sizeof *regs,
ARRAYSIZE(regs));
+ versionCheckEnabled = VMTools_ConfigGetBoolean(
+ ctx->config,
+ CONFGROUPNAME_SERVICEDISCOVERY,
+ CONFNAME_SERVICEDISCOVERY_VERSION_CHECK,
+ SERVICE_DISCOVERY_CONF_DEFAULT_VERSION_CHECK);
/*
* Append scripts execution command line
*/
- ConstructScriptPaths();
+ ConstructScriptPaths(versionCheckEnabled);
disabled =
VMTools_ConfigGetBoolean(ctx->config,
--
2.47.3
|
