BugTraq
VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues Mar 18 2008 02:12AM
VMware Security team (security vmware com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------
~ VMware Security Advisory

Advisory ID: VMSA-2008-0005
Synopsis: Updated VMware Workstation, VMware Player, VMware
~ Server, VMware ACE, and VMware Fusion resolve
~ critical security issues
Issue date: 2008-03-17
Updated on: 2008-03-17 (initial release of advisory)
CVE numbers: CVE-2008-0923 CVE-2008-0923 CVE-2008-1361
~ CVE-2008-1362 CVE-2007-5269 CVE-2006-2940
~ CVE-2006-2937 CVE-2006-4343 CVE-2006-4339
~ CVE-2007-5618 CVE-2008-1364 CVE-2008-1363
~ CVE-2008-1340
- -------------------------------------------------------------------

1. Summary:

~ Several critical security vulnerabilities have been addressed
~ in the newest releases of VMware's hosted product line.

2. Relevant releases:

~ VMware Workstation 6.0.2 and earlier
~ VMware Workstation 5.5.4 and earlier
~ VMware Player 2.0.2 and earlier
~ VMware Player 1.0.4 and earlier
~ VMware ACE 2.0.2 and earlier
~ VMware ACE 1.0.2 and earlier
~ VMware Server 1.0.4 and earlier
~ VMware Fusion 1.1 and earlier

3. Problem description:

~ a. Host to guest shared folder (HGFS) traversal vulnerability

~ On Windows hosts, if you have configured a VMware host to guest
~ shared folder (HGFS), it is possible for a program running in the
~ guest to gain access to the host's file system and create or modify
~ executable files in sensitive locations.

NOTE: VMware Server is not affected because it doesn't use host to
~ guest shared folders. No versions of ESX Server, including
~ ESX Server 3i, are affected by this vulnerability. Because
~ ESX Server is based on a bare-metal hypervisor architecture
~ and not a hosted architecture, and it doesn't include any
~ shared folder abilities. Fusion and Linux based hosted
~ products are unaffected.

~ VMware would like to thank CORE Security Technologies for
~ working with us on this issue. This addresses advisory
~ CORE-2007-0930.

~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ has assigned the name CVE-2008-0923 to this issue.

~ Hosted products
~ ---------------
~ VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~ VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~ VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
~ VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
~ VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
~ VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)

~ b. Insecure named pipes

~ An internal security audit determined that a malicious Windows
~ user could attain and exploit LocalSystem privileges by causing
~ the authd process to connect to a named pipe that is opened and
~ controlled by the malicious user.

~ The same internal security audit determined that a malicious
~ Windows user could exploit an insecurely created named pipe
~ object to escalate privileges or create a denial of service
~ attack. In this situation, the malicious user could
~ successfully impersonate authd and attain privileges under
~ which Authd is executing.

~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ has assigned the names CVE-2008-1361, CVE-2008-1362 to these
~ issues.

~ Windows Hosted products
~ ---------------
~ VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~ VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~ VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
~ VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
~ VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
~ VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
~ VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)

~ c. Updated libpng library to version 1.2.22 to address various
~ security vulnerabilities

~ Several flaws were discovered in the way libpng handled various PNG
~ image chunks. An attacker could create a carefully crafted PNG
~ image file in such a way that it could cause an application linked
~ with libpng to crash when the file was manipulated.

~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ has assigned the name CVE-2007-5269 to this issue.

~ Hosted products
~ ---------------
~ VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~ VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~ VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
~ VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
~ VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
~ VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
~ VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)

~ NOTE: Fusion is not affected by this issue.

~ d. Updated OpenSSL library to address various security vulnerabilities

~ Updated OpenSSL fixes several security flaws were discovered
~ in previous versions of OpenSSL.

~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ assigned the following names to these issues: CVE-2006-2940,
~ CVE-2006-2937, CVE-2006-4343, CVE-2006-4339.

~ Hosted products
~ ---------------
~ VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~ VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~ VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
~ VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
~ VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
~ VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
~ VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)

~ NOTE: Fusion is not affected by this issue.

~ e. VIX API default setting changed to a more secure default value

~ Workstation 6.0.2 allowed anonymous console access to the guest by
~ means of the VIX API. This release, Workstation 6.0.3, disables
~ this feature. This means that the Eclipse Integrated Virtual
~ Debugger and the Visual Studio Integrated Virtual Debugger will now
~ prompt for user account credentials to access a guest.

~ Hosted products
~ ---------------
~ VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~ VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
~ VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)

~ f. Windows 2000 based hosted products privilege escalation
~ vulnerability

~ This release addresses a potential privilege escalation on
~ Windows 2000 hosted products. Certain services may be improperly
~ registered and present a security vulnerability to Windows 2000
~ machines.

~ VMware would like to thank Ray Hicken for reporting this issue and
~ David Maciejak for originally pointing out these types of
~ vulnerabilities.

~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ assigned the name CVE-2007-5618 to this issue.

~ Windows versions of Hosted products
~ ---------------
~ VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~ VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~ VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
~ VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
~ VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
~ VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
~ VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)

~ NOTE: Fusion and Linux based products are not affected by this
~ issue.

~ g. DHCP denial of service vulnerability

~ A potential denial of service issue affects DHCP service running
~ on the host.

~ VMware would like to thank Martin O'Neal for reporting this issue.

~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ assigned the name CVE-2008-1364 to this issue.

~ Hosted products
~ ---------------
~ VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~ VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
~ VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
~ VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)
~ VMware Fusion 1.1 upgrade to version 1.1.1 (Build# 72241)

~ NOTE: This issue doesn't affect the latest versions of VMware
~ Workstation 6, VMware Player 2, and ACE 2 products.

~ h. Local Privilege Escalation on Windows based platforms by
~ Hijacking VMware VMX configuration file

~ VMware uses a configuration file named "config.ini" which
~ is located in the application data directory of all users.
~ By manipulating this file, a user could gain elevated
~ privileges by hijacking the VMware VMX process.

~ VMware would like to thank Sun Bing for reporting the issue.

~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ assigned the name CVE-2008-1363 to this issue.

~ Windows based Hosted products
~ ---------------
~ VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~ VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~ VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
~ VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
~ VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
~ VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
~ VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)

~ i. Virtual Machine Communication Interface (VMCI) memory corruption
~ resulting in denial of service

~ VMCI was introduced in VMware Workstation 6.0, VMware Player 2.0,
~ and VMware ACE 2.0. It is an experimental, optional feature and
~ it may be possible to crash the host system by making specially
~ crafted calls to the VMCI interface. This may result in denial
~ of service via memory exhaustion and memory corruption.

~ VMware would like to thank Andrew Honig of the Department of
~ Defense for reporting this issue.

~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ assigned the name CVE-2008-1340 to this issue.

~ Hosted products
~ ---------------
~ VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~ VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
~ VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)

4. Solution:

Please review the Patch notes for your product and version and verify
the md5sum of your downloaded file.

~ VMware Workstation 6.0.3
~ ------------------------
~ http://www.vmware.com/download/ws/
~ Release notes:
~ http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
~ Windows binary
~ md5sum: 323f054957066fae07735160b73b91e5
~ RPM Installation file for 32-bit Linux
~ md5sum: c44183ad11082f05593359efd220944e
~ tar Installation file for 32-bit Linux
~ md5sum: 57601f238106cb12c1dea303ad1b4820
~ RPM Installation file for 64-bit Linux
~ md5sum: e9ba644be4e39556724fa2901c5e94e9
~ tar Installation file for 64-bit Linux
~ md5sum: d8d423a76f99a94f598077d41685e9a9

~ VMware Workstation 5.5.5
~ ------------------------
~ http://www.vmware.com/download/ws/ws5.html
~ Release notes:
~ http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html
~ Windows binary
~ md5sum: 9c2dd94db5eed93d7f64e8d6ba8d8bd3
~ Compressed Tar archive for 32-bit Linux
~ md5sum: 77401c0842a151f0b2db0b4fcb0d16eb
~ Linux RPM version for 32-bit Linux
~ md5sum: c222b6db934deb9c1bb79b16b25a3202

~ VMware Server 1.0.5
~ -------------------
~ http://www.vmware.com/download/server/
~ Release notes:
~ http://www.vmware.com/support/server/doc/releasenotes_server.html
~ VMware Server for Windows 32-bit and 64-bit
~ md5sum: 3c4a57310c55e17bf8e4a1059d5b36cc
~ VMware Server Windows client package
~ md5sum: cb3dd2439203dc510f4d95f06ba59d21
~ VMware Server for Linux
~ md5sum: 161dcbe5af9bbd9834a86bf7c599903e
~ VMware Server for Linux rpm
~ md5sum: fc3b81ed18b53eda943a992971e9f84a
~ Management Interface
~ md5sum: dd10d25895d9994bd27ca896152f48ef
~ VMware Server Linux client package
~ md5sum: aae18f1f7b8811b5499e3a358754d4f8

~ VMware ACE 2.0.3 and 1.0.5
~ --------------------------
~ http://www.vmware.com/download/ace/
~ Windows Release notes:
~ http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html

~ VMware Fusion 1.1.1
~ -------------------
~ http://www.vmware.com/download/fusion/
~ Release notes:
~ http://www.vmware.com/support/fusion/doc/releasenotes_fusion.html
~ md5sum: 38e116ec26b30e7a6ac47c249ef650d0

~ VMware Player 2.0.3 and 1.0.6
~ ----------------------
~ http://www.vmware.com/download/player/
~ Release notes Player 1.x:
~ http://www.vmware.com/support/player/doc/releasenotes_player.html
~ Release notes Player 2.0
~ http://www.vmware.com/support/player2/doc/releasenotes_player2.html
~ 2.0.3 Windows binary
~ md5sum: 0c5009d3b569687ae139e13d24c868d3
~ VMware Player 2.0.3 for Linux (.rpm)
~ md5sum: 53502b2112a863356dcd13dd0d8dd8f2
~ VMware Player 2.0.3 for Linux (.tar)
~ md5sum: 2305fcff49bef6e4ad83742412eac978
~ VMware Player 2.0.3 - 64-bit (.rpm)
~ md5sum: cf945b571c4d96146ede010286fdfca5
~ VMware Player 2.0.3 - 64-bit (.tar)
~ md5sum: f99c5b293eb87c5f918ad24111565b9f
~ 1.0.6 Windows binary
~ md5sum: 895081406c4de5361a1700ec0473e49c
~ Player 1.0.6 for Linux (.rpm)
~ md5sum: 8adb23799dd2014be0b6d77243c76942
~ Player 1.0.6 for Linux (.tar)
~ md5sum: c358f8e1387fb60863077d6f8a9f7b3f

5. References:

~ CVE numbers
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0923
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1361
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1362
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5618
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1364
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1363
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1340

- -------------------------------------------------------------------
6. Contact:

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

~ * security-announce (at) lists.vmware (dot) com [email concealed]
~ * bugtraq (at) securityfocus (dot) com [email concealed]
~ * full-disclosure (at) lists.grok.org (dot) uk [email concealed]

E-mail: security (at) vmware (dot) com [email concealed]

Security web site
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFH3yTxS2KysvBH1xkRCHq8AJ0QOMocv/gSz/hgdojA39PGVO6pUACePCRv
Cv8MnL2bYPyDfYQ3f4IUL+w=
=tFXS
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus