VMSA-2010-0018 VMware hosted products and ESX patches resolve multiple security issues Dec 03 2010 07:00AM
VMware Security team (security vmware com)

------------------------------------------------------------------------

                   VMware Security Advisory

Advisory ID:       VMSA-2010-0018
Synopsis:          VMware hosted products and ESX patches resolve
                   multiple security issues
Issue date:        2010-12-02
Updated on:        2010-12-02 (initial release of advisory)
CVE numbers:       CVE-2010-4295 CVE-2010-4296 CVE-2010-4297
                   CVE-2010-4294
------------------------------------------------------------------------

1. Summary

VMware hosted products and ESX patches resolve multiple security
issues.

2. Relevant releases

VMware Workstation 7.1.1 and earlier,
VMware Workstation 6.5.4 and earlier,
VMware Player 3.1.1 and earlier,
VMware Player 2.5.4 and earlier,

VMware Fusion 3.1.1 and earlier,

ESXi 4.1 without patch ESXi410-201010402-BG or later
ESXi 4.0 without patch ESXi400-201009402-BG or later
ESXi 3.5 without patch ESXe350-201008402-T-BG or later

ESX 4.1 without patch ESX410-201010405-BG
ESX 4.0 without patch ESX400-201009401-SG
ESX 3.5 without patch ESX350-201008409-BG

Note: VMware Server was declared End Of Availability in January 2010;
support will be limited to Technical Guidance for the duration
of the support term.

3. Problem Description

a. VMware Workstation, Player and Fusion vmware-mount race condition

The way temporary files are handled by the mounting process could
result in a race condition. This issue could allow a local user on
the host to elevate their privileges.

VMware Workstation and Player running on Microsoft Windows are not
affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-4295 to this issue.

VMware would like to thank Dan Rosenberg for reporting this issue.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =================
VirtualCenter  any       Windows   not affected

Workstation    7.x       Linux     7.1.2 Build 301548 or later
Workstation    7.x       Windows   not affected
Workstation    6.5.x     any       not affected

Player         3.1.x     Linux     3.1.2 Build 301548 or later
Player         3.1.x     Windows   not affected
Player         2.5.x     any       not affected

AMS            any       any       not affected

Server         2.0.2     Linux     affected, no patch planned
Server         2.0.2     Windows   not affected

Fusion         3.1.x     Mac OS/X  3.1.2 Build 332101 or later
Fusion         2.x       Mac OS/X  not affected

ESXi           any       ESXi      not affected

ESX            any       ESX       not affected

b. VMware Workstation, Player and Fusion vmware-mount privilege
escalation

vmware-mount, which is a suid binary, has a flaw in the way it loads
libraries. This issue could allow local users on the host to
execute arbitrary shared object files with root privileges.

VMware Workstation and Player running on Microsoft Windows are not
affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-4296 to this issue.

VMware would like to thank Martin Carpenter for reporting this
issue.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =================
VirtualCenter  any       Windows   not affected

Workstation    7.x       Linux     7.1.2 Build 301548 or later
Workstation    7.x       Windows   not affected
Workstation    6.5.x     any       not affected

Player         3.1.x     Linux     3.1.2 Build 301548 or later
Player         3.1.x     Windows   not affected
Player         2.5.x     any       not affected

AMS            any       any       not affected

Server         2.0.2     Linux     affected, no patch planned
Server         2.0.2     Windows   not affected

Fusion         3.1.x     Mac OS/X  3.1.2 Build 332101
Fusion         2.x       Mac OS/X  not affected

ESXi           any       ESXi      not affected

ESX            any       ESX       not affected

c. OS Command Injection in VMware Tools update

A vulnerability in the input validation of VMware Tools update
allows for injection of commands. The issue could allow a user
on the host to execute commands on the guest operating system
with root privileges.

The issue can only be exploited if VMware Tools is not fully
up-to-date. Windows-based virtual machines are not affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-4297 to this issue.

VMware would like to thank Nahuel Grisolia of Bonsai Information
Security, http://www.bonsai-sec.com, for reporting this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =================
VirtualCenter  any       Windows   not affected

Workstation    7.x       any       7.1.2 Build 301548 or later
Workstation    6.5.x     any       6.5.5 Build 328052 or later

Player         3.1.x     any       3.1.2 Build 301548 or later
Player         2.5.x     any       2.5.5 Build 328052 or later

AMS            any       any       not affected

Server         2.0.2     any       affected, no patch planned

Fusion         3.1.x     Mac OS/X  3.1.2 Build 332101
Fusion         2.x       Mac OS/X  2.0.8 Build 328035

ESXi           4.1       ESXi      ESXi410-201010402-BG
ESXi           4.0       ESXi      ESXi400-201009402-BG
ESXi           3.5       ESXi      ESXe350-201008402-T-BG **

ESX            4.1       ESX       ESX410-201010405-BG
ESX            4.0       ESX       ESX400-201009401-SG
ESX            3.5       ESX       ESX350-201008409-BG **
ESX            3.0.3     ESX       not affected

* hosted products are VMware Workstation, Player, ACE, Fusion.
** Non-Windows-based guest systems on ESXi 3.5 and ESX 3.5 only:
   - Install the relevant ESX patch.
   - Manually upgrade tools in the virtual machine (virtual machine
     users will not be prompted to upgrade tools). Note that the VI
     Client may not show that VMware Tools is out of date in the
     summary tab.

d. VMware VMnc Codec frame decompression remote code execution

The VMware movie decoder contains the VMnc media codec that is
required to play back movies recorded with VMware Workstation,
VMware Player and VMware ACE, in any compatible media player. The
movie decoder is installed as part of VMware Workstation, VMware
Player and VMware ACE, or can be downloaded as a stand alone
package.

A function in the decoder frame decompression routine implicitly
trusts a size value. An attacker can utilize this to miscalculate
a destination pointer, leading to the corruption of a heap buffer,
and could allow for execution of arbitrary code with the privileges
of the user running an application utilizing the vulnerable codec.

For an attack to be successful the user must be tricked into
visiting a malicious web page or opening a malicious video file on
a system that has the vulnerable version of the VMnc codec installed.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-4294 to this issue.

VMware would like to thank Aaron Portnoy and Logan Brown of
TippingPoint DVLabs for reporting this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =================
VirtualCenter  any       Windows   not affected

Movie Decoder  any       Windows   7.1.2 Build 301548 or later
Movie Decoder  any       Windows   6.5.5 Build 328052 or later

Workstation    7.x       Windows   7.1.2 Build 301548 or later
Workstation    7.x       Linux     not affected
Workstation    6.5.x     Windows   6.5.5 build 328052 or later
Workstation    6.5.x     Linux     not affected

Player         3.x       Windows   3.1.2 Build 301548 or later
Player         3.x       Linux     not affected
Player         2.5.x     Windows   2.5.5 build 246459 or later
Player         2.5.x     Linux     not affected

AMS            any       any       not affected

Server         2.x       Windows   affected, no patch planned
Server         2.x       Linux     not affected

Fusion         any       Mac OS/X  not affected

ESXi           any       ESXi      not affected

ESX            any       ESX       not affected

4. Solution
Please review the patch/release notes for your product and version
and verify the md5sum and/or the sha1sum of your downloaded file.

VMware Workstation Movie Decoder
--------------------------------
Workstation 7.1.2 Movie Decoder
md5sum: a4d761a21670c735d04abb89e674656e
sha1sum: b66673c30f3b8b8fb18035d08a6255f478be875d

Workstation 6.5.5 Movie Decoder build 328052
md5sum: 1223bb57d97df39259be2c6c90a65ba6
sha1sum: 3ae7cdeeeebf6a716ec73f934077545945474ff6

VMware Workstation 7.1.3
------------------------
http://www.vmware.com/download/ws/
Release notes:
http://downloads.vmware.com/support/ws71/doc/releasenotes_ws713.html

Workstation for Windows 32-bit and 64-bit with VMware Tools
md5sum: 7b9dc01bf733047a00711f5800df6107
sha1sum: 5f36117c64455f3dff3b7410a0bfc72e41905181

Workstation for Windows 32-bit and 64-bit without VMware Tools
md5sum: d102006f7a3951dd58325f5b4e151abe
sha1sum: ccfd70278d3c89b38776d656fa797ca8e9b28d55

Workstation 6.5.5
-----------------
http://www.vmware.com/download/ws/
Release notes:
http://downloads.vmware.com/support/ws65/doc/releasenotes_ws655.html

Workstation for Windows 32-bit and 64-bit
md5sum: 7bff9b621529efb0de808a45e7821274
sha1sum: 41af7a9a78717cb85dd30b4d830e99fd5de49cc1

Workstation for Linux 32-bit (rpm)
md5sum: 17c3f1a0e6ccf2b1e224a5d75c845a47
sha1sum: 3027b4e2215fae84fa9311f8cd762fee17e89df0

Workstation for Linux 32-bit (bundle)
md5sum: 7c24811fb999204f144d8b9f50e9fcae
sha1sum: 18a05e6f4f772b7f0563dbd17596b66d1db8e9fa

Workstation for Linux 64-bit (rpm)
md5sum: c25c2535d8091c4d46701ed081347901
sha1sum: f4356bc224ea9805dac2d4b677f88a2f4220353e

Workstation for Linux 64-bit (bundle)
md5sum: 7012bdaf182d256672ff2eb24b00a40f
sha1sum: 58ecb2a494d4c7cc663e2028cf76c13d458fecac

VMware Player 3.1.3
-------------------
http://www.vmware.com/download/player/
Release notes:
http://downloads.vmware.com/support/player31/doc/releasenotes_player313.html

VMware Player for Windows 32-bit and 64-bit
md5sum: bd66a0ab8ae87d5cfa32b8ff44f99d1f
sha1sum: 8ab358efc97a64639cce83766c35d43b0d662132

VMware Player for Linux 32-bit (bundle)
md5sum: e5d0bf19a1908262f63a8f88df77f73e
sha1sum: 4abb87d37706c47a86337ada1d23d390455e4931

VMware Player for Linux 64-bit (bundle)
md5sum: 18e6aae025ee2ef9f10ce6d9271ce472
sha1sum: 6608bce64811be4480e667726aefefdc2b71e4e3

VMware Player 2.5.5
-------------------
VMware Player 2.5.5 for Windows 32-bit and 64-bit
md5sum: 780b2c4e2b1610dea3090b1cd81d5ad7
sha1sum: f6c451a11a4fe66e5a465de960de1358e83b8314

VMware Player 2.5.5 for Linux 32-bit (rpm)
md5sum: 9e13ee3904bd2377ffb8cfa66460fe92
sha1sum: 2482acad19f6b23cf0c236d1ce87d4805b7b0e6c

VMware Player 2.5.5 for Linux 32-bit (bundle)
md5sum: 46dcfe9343f688d60e249d9e9c3853a4
sha1sum: abfdeaf2cac83c630662607e7b95439367376abf

VMware Player 2.5.5 for Linux 64-bit (rpm)
md5sum: 52d6dcdeed9e564c8cfe8c35cec885f0
sha1sum: dbaa6dac55f592b9c6b16d7505796a2580836f4b

VMware Player 2.5.5 for Linux 64-bit (bundle)
md5sum: 6c9a677820010ccd20f829cb5d2c057b
sha1sum: ff6eccba3125229e8adbc1cb96764c2f116d89c5

VMware Fusion
-------------

VMware Fusion 3.1.2 build 332101
md5sum: a809170c9bd55a102c007c20269c4729
sha1sum: bf56e0f873d8e0d67fd73fba5e597e0931083e03

VMware Fusion Lite 3.1.2 build 332101
md5sum: d7db517cb25320152723f8535c90dd16
sha1sum: 555d9bd03327731270acfc851ba15b28ef3f6720

VMware Fusion 2.0.8 (for Intel-based Macs)
md5sum: 9951d3b7985c39c685d59eaa73fe267c
sha1sum: 11463924b5a7f82161090416905774da45e1cd3e

VMware Fusion Lite 2.0.8 (for Intel-based Macs)
md5sum: 0bee2ef0d0e9e543b2468ed9618e32c8
sha1sum: fa56bb7ea3493d07610051f92b9941305a436a2f

ESXi 4.1
--------
ESXi410-201010001
Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-251-20101108-239087/ESXi410-201010001.zip
md5sum: 05f1049c7a595481cd682e92fe8d3285
sha1sum: f6993c185f7d1cb971a4ae6e017e0246b8c25a76
http://kb.vmware.com/kb/1027753

Note ESXi410-201010001 contains the following security fix:
ESXi410-201010402-BG

ESXi 4.0
--------
ESXi400-201009001
Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-241-20100919-436526/ESXi400-201009001.zip
md5sum: bfc1b78f14d970c556b828492f5920e1
sha1sum: a311a4af41aa1202bb6b156694bbc045c67df91a
http://kb.vmware.com/kb/1025322

Note ESXi400-201009001 contains the following security fix:
ESXi400-201009402-BG

ESXi 3.5
--------
ESXe350-201008401-O-SG
http://download3.vmware.com/software/vi/ESXe350-201008401-O-SG.zip
md5sum: a2bb0afbc677ba847bedecb44dbdd4b3
http://kb.vmware.com/kb/1026139

Note ESXe350-201008401-O-SG contains the following security fix:
ESXe350-201008402-T-BG

ESX 4.1
-------
ESX410-201010001

https://hostupdate.vmware.com/software/VUM/OFFLINE/release-252-20101109-182791/ESX410-201010001.zip
md5sum: ff4435fd3c74764f064e047c6e5e7809
sha1sum: 322981f4dbb9e5913c8f38684369444ff7e265b3
http://kb.vmware.com/kb/1027027

ESX410-201010001 contains the following security fix: ESX410-201010405-BG

ESX 4.0
-------
ESX400-201009001

https://hostupdate.vmware.com/software/VUM/OFFLINE/release-240-20100919-359479/ESX400-201009001.zip
md5sum: 988c593b7a7abf0be5b72970ac64a369
sha1sum: 26d875955b01c19f4e56703216e135257c08836f
http://kb.vmware.com/kb/1025321

ESX400-201009001 contains the following security fix: ESX400-201009401-SG

ESX 3.5
-------
ESX350-201008409-BG
http://download3.vmware.com/software/vi/ESX350-201008409-BG.zip
md5sum: f2c4a4a53695057de25f095029d713fb
http://kb.vmware.com/kb/1026133
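
Added example, not part of the VMware advisory: one way to carry out the
checksum verification asked for at the top of this section is to parse the
md5sum/sha1sum entries into a manifest and compare a downloaded file against
its entry. The function names, the title heuristic and the sample entries
(built at run time from constructed bytes, with example.invalid URLs) are
assumptions made for illustration.

```python
import hashlib
import hmac
import io
import re

# "md5sum: <hex>" / "SHA1SUM:<hex>": label case and spacing vary in the text.
DIGEST_RE = re.compile(r"^(md5|sha1)sum\s*:\s*([0-9a-f]+)$", re.IGNORECASE)
HEX_LEN = {"md5": 32, "sha1": 40}

def parse_checksums(text):
    """Map each download title to the digests listed under it."""
    manifest, title = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = DIGEST_RE.match(line)
        if m:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if title is None or len(digest) != HEX_LEN[algo]:
                raise ValueError(f"malformed checksum line: {line!r}")
            manifest.setdefault(title, {})[algo] = digest
        elif line and not ("/" in line or line.endswith(":")
                           or set(line) == {"-"}):
            title = line  # heuristic: skip URLs, "label:" lines, underlines
    return manifest

def file_digests(stream, chunk=1 << 20):
    """Read a binary stream once, feeding both hash functions."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1()}
    for block in iter(lambda: stream.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}

def verify(stream, expected):
    """True only if every digest published for the entry matches."""
    actual = file_digests(stream)
    return bool(expected) and all(
        hmac.compare_digest(actual[algo], d) for algo, d in expected.items())

def build_sample():
    """Constructed payload plus advisory-style text; not VMware data."""
    payload = b"constructed installer image\n"
    d = file_digests(io.BytesIO(payload))
    text = ("Example Product 1.0\n-------------------\nRelease notes:\n"
            "http://downloads.example.invalid/notes.html\n\n"
            "Example Product for Linux 64-bit (bundle)\n"
            f"MD5SUM: {d['md5'].upper()}\nSHA1SUM: {d['sha1'].upper()}\n\n"
            "EXAMPLE-201010001\nDownload link:\n"
            "https://downloads.example.invalid/EXAMPLE-201010001.zip\n"
            f"md5sum:{d['md5']}\n")
    return payload, text
```

Take the checksum text from a copy of the advisory whose PGP signature has
been checked against the key referenced in section 7; the digests vouch for
a download only as far as the advisory text itself is authentic.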

5. References

CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4297
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4294

------------------------------------------------------------------------

6. Change log

2010-12-02 VMSA-2010-0018
Initial security advisory after release of Workstation 6.5.5,
Player 2.5.5, Fusion 2.0.8 and Fusion 3.1.2 on 2010-12-02. ESX patches
and Workstation 7.1.2 and 7.1.3 were released previously.

------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc. All rights reserved.
