[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] VMSA-2009-0015 VMware hosted products and ESX patches resolve two security issues



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2009-0015
Synopsis:          VMware hosted products and ESX patches resolve two
                   security issues
Issue date:        2009-10-27
Updated on:        2009-10-27 (initial release of advisory)
CVE numbers:       CVE-2009-2267 CVE-2009-3733
- ------------------------------------------------------------------------

1. Summary

   VMware hosted products and ESX patches resolve two security issues.

2. Relevant releases

   VMware Workstation 6.5.2 and earlier,
   VMware Player 2.5.2 and earlier,
   VMware ACE 2.5.2 and earlier,
   VMware Server 2.0.1 and earlier,
   VMware Server 1.0.9 and earlier,
   VMware Fusion 2.0.5 and earlier,

   VMware ESXi 4.0 without patch ESXi400-200909401-BG,

   VMware ESXi 3.5 without patches ESXe350-200910401-I-SG,
                                   ESXe350-200901401-I-SG,

   VMware ESX 4.0 without patch ESX400-200909401-BG,

   VMware ESX 3.5 without patches ESX350-200910401-SG
                                  ESX350-200901401-SG,

   VMware ESX 3.0.3 without patches ESX303-200910401-BG,
                                    ESX303-200812406-BG,

   VMware ESX 2.5.5 without Upgrade Patch 15.

   Extended support for ESX 2.5.5 ends on 2010-06-15.  Users should plan
   to upgrade to at least ESX 3.0.3 and preferably to the newest
   release available.

   Extended support for ESX 3.0.3 ends on 2011-12-10.  Users should plan
   to upgrade to at least ESX 3.5 and preferably to the newest release
   available.

3. Problem Description

 a. Mishandled exception on page faults

    An improper setting of the exception code on page faults may allow
    for local privilege escalation on the guest operating system. This
    vulnerability does not affect the host system.

    VMware would like to thank Tavis Ormandy and Julien Tinnes of the
    Google Security Team for reporting this issue to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2009-2267 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available. See above for remediation
    details.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Workstation    6.5.x     any      6.5.3 build 185404 or later
 
    Player         2.5.x     any      2.5.3 build 185404 or later
   
    ACE            2.5.x     any      2.5.3 build 185404 or later   
    
    Server         2.x       any      2.0.2 build 203138 or later
    Server         1.x       any      1.0.10 build 203137 or later

    Fusion         2.x       Mac OS/X 2.0.6 build 196839 or later

    ESXi           4.0       ESXi     ESXi400-200909401-BG
    ESXi           3.5       ESXi     ESXe350-200910401-I-SG

    ESX            4.0       ESX      ESX400-200909401-BG
    ESX            3.5       ESX      ESX350-200910401-SG
    ESX            3.0.3     ESX      ESX303-200910401-BG
    ESX            2.5.5     ESX      Upgrade Patch 15

 b. Directory Traversal vulnerability

    A directory traversal vulnerability allows for remote retrieval of
    any file from the host system. In order to send a malicious request,
    the attacker will need to have access to the network on which the
    host resides.

    VMware would like to thank Justin Morehouse and Jason Kratzer for
    independently reporting this issue to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2009-3733 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Workstation    any       any      not affected

    Player         any       any      not affected

    ACE            any       Windows  not affected

    Server         2.x       Windows  not affected
    Server         2.x       Linux    2.0.2 build 203138 or later
    Server         1.x       Windows  not affected
    Server         1.x       Linux    1.0.10 build 203137 or later

    Fusion         2.x       Mac OS/X not affected

    ESXi           4.0       ESXi     not affected
    ESXi           3.5       ESXi     ESXe350-200901401-I-SG  

    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      ESX350-200901401-SG
    ESX            3.0.3     ESX      ESX303-200812406-BG
    ESX            2.5.5     ESX      not affected

    Note: On ESX these vulnerabilities can be exploited remotely only
          if the attacker has access to the Service Console network.

    Security best practices provided by VMware recommend that the
    Service Console be isolated from the VM network. Please see
    http://www.vmware.com/resources/techresources/726 for more
    information on VMware security best practices.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum and/or the sha1sum of your downloaded file.

   VMware Workstation 6.5.3
   ------------------------
   http://www.vmware.com/download/ws/
   Release notes:
   http://www.vmware.com/support/ws65/doc/releasenotes_ws653.html

   For Windows

   Workstation for Windows 32-bit and 64-bit
   Windows 32-bit and 64-bit .exe
   md5sum: 7565d16b7d7e0173b90c3b76ca4656bc
   sha1sum: 9f687afd8b0f39cde40aeceb3213a91be487aad1
 
   For Linux

   Workstation for Linux 32-bit
   Linux 32-bit .rpm
   md5sum: 4d55c491bd008ded0ea19f373d1d1fd4
   sha1sum: 1f43131c960e76a530390d3b6984c78dfc2da23e

   Workstation for Linux 32-bit
   Linux 32-bit .bundle
   md5sum: d4a721c1918c0e8a87c6fa4bad49ad35
   sha1sum: c0c6f9b56e70bd3ffdb5467ee176110e283a69e5

   Workstation for Linux 64-bit
   Linux 64-bit .rpm
   md5sum: 72adfdb03de4959f044fcb983412ae7c
   sha1sum: ba16163c8d9b5aa572526b34a7b63dc6e68f9bbb

   Workstation for Linux 64-bit
   Linux 64-bit .bundle
   md5sum: 83e1f0c94d6974286256c4d3b559e854
   sha1sum: 8763f250a3ac5fc4698bd26319b93fecb498d542


   VMware Player 2.5.3
   -------------------
   http://www.vmware.com/download/player/
   Release notes:
   http://www.vmware.com/support/player25/doc/releasenotes_player253.html

   Player for Windows binary
 
http://download3.vmware.com/software/vmplayer/VMware-player-2.5.3-185404.ex
e
   md5sum: fe28f193374c9457752ee16cd6cad4e7
   sha1sum: 13bd3ff93c04fa272544d3ef6de5ae746708af04

   Player for Linux (.rpm)
 
http://download3.vmware.com/software/vmplayer/VMware-Player-2.5.3-185404.i3
86.rpm
   md5sum: c99cd65f19fdfc7651bcb7f328b73bc2
   sha1sum: a33231b26e2358a72d16e1b4e2656a5873fe637e

   Player for Linux (.bundle)
 
http://download3.vmware.com/software/vmplayer/VMware-Player-2.5.3-185404.i3
86.bundle
   md5sum: 210f4cb5615bd3b2171bc054b9b2bac5
   sha1sum: 2f6497890b17b37480165bab9f430e8645edae9b

   Player for Linux - 64-bit (.rpm)
 
http://download3.vmware.com/software/vmplayer/VMware-Player-2.5.3-185404.x8
6_64.rpm
   md5sum: f91576ef90b322d83225117ae9335968
   sha1sum: f492fa9cf26ee2818f164aac04cde1680c25d974

   Player for Linux - 64-bit (.bundle)
 
http://download3.vmware.com/software/vmplayer/VMware-Player-2.5.3-185404.x8
6_64.bundle
   md5sum: 595d44d7945c129b1aeb679d2f001b05
   sha1sum: acd69fcb0c6bc49fd4af748c65c7fb730ab1e8c4


   VMware ACE 2.5.3
   ----------------
   http://www.vmware.com/download/ace/
   Release notes:
   http://www.vmware.com/support/ace25/doc/releasenotes_ace253.html

   ACE Management Server Virtual Appliance
   AMS Virtual Appliance .zip
   md5sum: 44cc7b86353047f02cf6ea0653e38418
   sha1sum: 9f44b15e6681a6e58dd20784f829c68091a62cd1

   VMware ACE for Windows 32-bit and 64-bit
   Windows 32-bit and 64-bit .exe
   md5sum: 0779da73408c5e649e0fd1c62d23820f
   sha1sum: 2b2e4963adc89f3b642874685f490222523b63ef

   ACE Management Server for Windows
   Windows .exe
   md5sum: 0779da73408c5e649e0fd1c62d23820f
   sha1sum: 2b2e4963adc89f3b642874685f490222523b63ef

   ACE Management Server for SUSE Enterprise Linux 9
   SLES 9 .rpm
   md5sum: a4fc92d7197f0d569361cdf4b8cca642
   sha1sum: af8a135cca398cacaa82c8c3c325011c6cd3ed75

   ACE Management Server for Red Hat Enterprise Linux 4
   RHEL 4 .rpm
   md5sum: 841005151338c8b954f08d035815fd58
   sha1sum: 67e48624dba20e6be9e41ec9a5aba407dd8cc01e


   VMware Server 2.0.2
   -------------------
   http://www.vmware.com/download/server/
   Release notes:
   http://www.vmware.com/support/server2/doc/releasenotes_vmserver202.html

   VMware Server 2
   Version 2.0.2 | 203138   - 10/26/09
   507 MB EXE image VMware Server 2 for Windows Operating Systems. A
   master installer file containing all Windows components of VMware
   Server.
   md5sum: a6430bcc16ff7b3a29bb8da1704fc38a
   sha1sum: 39683e7333732cf879ff0b34f66e693dde0e340b

   VIX API 1.6 for Windows
   Version 2.0.2 | 203138   - 10/26/09
   37 MB image
   md5sum: 827e65e70803ec65ade62dd27a74407a
   sha1sum: a14281bc055271a19be3c88026e92304bc3f0e22

   For Linux

   VMware Server 2 for Linux Operating Systems.
   Version 2.0.2 | 203138   - 10/26/09
   37 MB TAR image
   md5sum: 95ddea5a0579a35887bd15b083ffea20
   sha1sum: 14cf12063a7480f240ccd96178ad4258cb26a747

   VMware Server 2 for Linux Operating Systems 64-bit version.
   Version 2.0.2 | 203138   - 10/26/09
   452 MB RPM image
   md5sum: 35c8b176601133749e4055e0034f8be6
   sha1sum: e8dc842d89899df5cd3e1136af76f19ca5ccbece

   The core application needed to run VMware Server 2, 64-bit version.
   Version 2.0.2 | 203138   - 10/26/09
   451 MB TAR image
   md5sum: cc7aef813008eeb7150c21547d431b39
   sha1sum: b65d3d46dc947fc7995bda354c4947afabd23474
 
   VMware Server 1.0.10
   --------------------
   http://www.vmware.com/download/server/
   Release notes:
   http://www.vmware.com/support/server/doc/releasenotes_server.html

   VMware Server for Windows 32-bit and 64-bit
 
http://download3.vmware.com/software/vmserver/VMware-server-installer-1.0.1
0-203137.exe
   md5sum: 867abd4843f88908ba2dbaf4547a1190
   sha1sum: 780e61ac190dd2b6524c8c7792564b7548c4d5a1

   VMware Server Windows client package
 
http://download3.vmware.com/software/vmserver/VMware-server-win32-client-1.
0.10-203137.zip
   md5sum: f7a4eb7f48e42b9040a73721e6d61b7f
   sha1sum: 3a209d0fc86dbc69881614fdeb084e9c7d343f5a

   VMware Server for Linux
 
http://download3.vmware.com/software/vmserver/VMware-server-1.0.10-203137.t
ar.gz
   md5sum: eb127d30dbd5f7f08e5d129d68cb0d21
   sha1sum: f21ed65a500b2176166d90ed2821892ce1cb1fd5

   VMware Server for Linux rpm
 
http://download3.vmware.com/software/vmserver/VMware-server-1.0.10-203137.i
386.rpm
   md5sum: fd4416bcc1c53d83b493b9d941a4701c
   sha1sum: aba35050f23cfbe027e004547559e78a38bcb6a1

   Management Interface
 
http://download3.vmware.com/software/vmserver/VMware-mui-1.0.10-203137.tar.
gz
   md5sum: 0f01e9bdeee3fa2aa84f87f66b69dc83
   sha1sum: 3b6a5b222cece1de97e9513717e25178e79707e6

   VMware Server Linux client package
 
http://download3.vmware.com/software/vmserver/VMware-server-linux-client-1.
0.10-203137.zip
   md5sum: 542c5aa052c9a197c4f5eeca6c3d88cc
   sha1sum: 3f92c98153f5d9dcbbcd0cd524683a6832aaa10e


   VMware Fusion 2.0.6
   -------------------
   VMware Fusion 2.0.6 (for Intel-based Macs): Download including
   VMware Fusion and a 12 month complimentary subscription to McAfee
   VirusScan Plus 2009
   md5sum: d35490aa8caa92e21339c95c77314b2f
   sha1sum: 9c41985d754ac718032a47af8a3f98ea28fddb26

   VMware Fusion 2.0.6 (for Intel-based Macs): Download including only
   VMware Fusion software
   md5sum: 2e8d39defdffed224c4bab4218cc6659
   sha1sum: 453d54a2f37b257a0aad17c95843305250c7b6ef

   Release notes
   www.vmware.com/support/fusion2/doc/releasenotes_fusion_206.html


   ESXi
   ----
   ESXi 4.0 patch ESXi400-200909401-BG (Privilege Escalation)
 
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-149-20090917-785
671/ESXi400-200909001.zip
   md5sum: 8e095684c54df259eaf5705f5bfc1463
   sha1sum: 8f3174c119ba27269c5bb9b0767fc72778438ade
   http://kb.vmware.com/kb/1014026

   ESXi 3.5 patch ESXe350-200910401-I-SG (Privilege Escalation)
   http://download3.vmware.com/software/vi/ESXe350-200910401-O-SG.zip
   md5sum: 947874a28a7f85caffc884c6ff3a0a60
   http://kb.vmware.com/kb/1014761

   ESXi 3.5 patch ESXe350-200901401-I-SG (Directory Traversal)
   http://download3.vmware.com/software/vi/ESXe350-200901401-O-SG.zip
   md5sum: 588dc7bfdee4e4c5ac626906c37fc784                         
   http://kb.vmware.com/kb/1006661

   NOTES: The three ESXi patches for Firmware "I", VMware Tools "T,"
          and the VI Client "C" are contained in a single offline "O"
          download file.


   ESX
   ---
   ESX 4.0 patch ESX400-200909401-BG (Privilege Escalation)
 
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-150-20090917-796
862/ESX400-200909001.zip
   md5sum: b1487ab823746a83b897caa9d9329f48
   sha1sum: f426a11ec6420d9bd2f45f6ca30773a839cb3a65
   http://kb.vmware.com/kb/1014019

   Note: ESX400-200909001 contains the bundle with the security fix,
         ESX400-200909401-BG
   To install an individual bulletin use esxupdate with the -b option.
   esxupdate --bundle ESX400-200909001 -b ESX400-200909401-BG

   ESX 3.5 patch ESX350-200910401-SG (Privilege Escalation)
   http://download3.vmware.com/software/vi/ESX350-200910401-SG.zip
   md5sum: 73435b0495a61b00bedbead140b2a262
   sha1sum: a957d57cf0df58d8a40759dce62efbf12a6c229c
   http://kb.vmware.com/kb/1013124

   ESX 3.5 patch ESX350-200901401-SG (Directory Traversal)
   http://download3.vmware.com/software/vi/ESX350-200901401-SG.zip
   md5sum: 2769ac30078656b01ca1e2fdfa3230e9                      
   http://kb.vmware.com/kb/1006651

   ESX 3.0.3 patch ESX303-200910401-BG (Privilege Escalation)
   http://download3.vmware.com/software/vi/ESX303-200910401-BG.zip
   md5sum: c7c8f76a2a704c1818eeb54500c28d1c
   http://kb.vmware.com/kb/1014759

   ESX 3.0.3 patch ESX303-200812406-BG (Directory Traversal)
   http://download3.vmware.com/software/vi/ESX303-200812406-BG.zip
   md5sum: 94ff158e94dd7a0e5b1e5e7aade7a523
   http://kb.vmware.com/kb/1007215

   ESX 2.5.5 Upgrade Patch 15 (Privilege Escalation)
   http://download3.vmware.com/software/esx/esx-2.5.5-191611-upgrade.tar.gz
   md5sum: c346fe510b6e51145570e03083f77357
   sha1sum: ef6b19247825fb3fe2c55f8fda3cdd05ac7bb1f4
   http://www.vmware.com/support/esx25/doc/esx-255-200910-patch.html


5. References
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2267
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3733
 
 
6. Change log

2009-10-27  VMSA-2009-0015
Initial security advisory after release of Server 1.0.10, Server 2.0.2
and Upgrade Patch 15 for ESX 2.5.5 on 2009-10-27. The versions of
Workstation, Player, ACE, Fusion, and patches for ESXi 4.0, ESXi 3.5,
ESX 4.0, ESX 3.5, ESX 3.0.3 mentioned above have already been released.

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2009 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFK50xMS2KysvBH1xkRAtDQAJ4j8i4FSanVEdj2zXOKGhz+jCN9ogCeJTow
ByoB8aJdMwQ3mswOBWDjR5k=
=0Ncp
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/