BugTraq
VMSA-2010-0014 VMware Workstation, Player, and ACE address several security issues Sep 24 2010 06:52AM
VMware Security team (security vmware com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------

VMware Security Advisory

Advisory ID: VMSA-2010-0014
Synopsis: VMware Workstation, Player, and ACE address several
security issues.
Issue date: 2010-09-23
Updated on: 2010-09-23 (initial release of advisory)
CVE numbers: CVE-2010-3277 CVE-2010-1205 CVE-2010-0205
CVE-2010-2249 CVE-2010-0434 CVE-2010-0425
- ------------------------------------------------------------------------

1. Summary

VMware Workstation and Player address a potential installer security
issue and security issues in libpng. VMware ACE Management Server
(AMS) for Windows updates Apache httpd.

2. Relevant releases

VMware Workstation 7.1.1 and earlier,
VMware Player 3.1.1 and earlier,
VMware ACE Management Server 2.7.1 and earlier,

Note: VMware Server was declared End Of Availability on January 2010,
support will be limited to Technical Guidance for the duration
of the support term.

3. Problem Description

a. VMware Workstation and Player installer security issue

The Workstation 7.x and Player 3.x installers will load an index.htm
file located in the current working directory on which Workstation
7.x or Player 3.x is being installed. This may allow an attacker to
display a malicious file if they manage to get their file onto the
system prior to installation.

The issue can only be exploited at the time that Workstation 7.x or
Player 3.x is being installed. Installed versions of Workstation and
Player are not affected. The security issue is no longer present in
the installer of the new versions of Workstation 7.x and Player 3.x
(see table below for the version numbers).

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-3277 to this issue.

VMware would like to thank Alexander Trofimov and Marc Esher for
independently reporting this issue to VMware.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected

Workstation 7.x any 7.1.2 build 301548 or later *
Workstation 6.5.x any not affected

Player 3.x any 3.1.2 build 301548 or later *
Player 2.5.x any not affected

AMS any any not affected

Server any any not affected

Fusion any Mac OS/X not affected

ESXi any ESXi not affected

ESX any ESX not affected

* Note: This only affects the installer, if you have a version of
Workstation or Player installed you are not vulnerable.

b. Third party libpng updated to version 1.2.44

A buffer overflow condition in libpng is addressed that could
potentially lead to code execution with the privileges of the
application using libpng. Two potential denial of service issues
are also addressed in the update.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-1205, CVE-2010-0205, CVE-2010-2249
to these issues.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected

Workstation 7.1.x any 7.1.2 build 301548 or later
Workstation 6.5.x any affected, patch pending

Player 3.1.x any 3.1.2 build 301548 or later
Player 2.5.x any affected, patch pending

AMS any any not affected

Server any any affected, no patch planned

Fusion any Mac OS/X not affected

ESXi any ESXi not affected

ESX any ESX not affected

c. VMware ACE Management Server (AMS) for Windows updates Apache httpd
version 2.2.15.

A function in Apache HTTP Server when multithreaded MPM is used
does not properly handle headers in subrequests in certain
circumstances which may allow remote attackers to obtain sensitive
information via a crafted request that triggers access to memory
locations associated with an earlier request.

The Apache mod_isapi module can be forced to unload a specific
library before the processing of a request is complete, resulting
in memory corruption. This vulnerability may allow a remote
attacker to execute arbitrary code.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-0434 and CVE-2010-0425 to the
issues addressed in this update.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected

Workstation any any not affected

Player any any not affected

AMS any Windows 2.7.2 build 301548 or later
AMS any Linux affected, patch pending *

Server any any not affected

Fusion any Mac OS/X not affected

ESXi any ESXi not affected

ESX any ESX not affected

* Note CVE-2010-0425 is not applicable to AMS running on Linux

4. Solution
Please review the patch/release notes for your product and version
and verify the md5sum and/or the sha1sum of your downloaded file.

VMware Workstation 7.1.2
------------------------
http://www.vmware.com/download/ws/
Release notes:
http://downloads.vmware.com/support/ws71/doc/releasenotes_ws712.html

Workstation for Windows 32-bit and 64-bit with VMware Tools
md5sum: 2e9715ec297dc3ca904ad2707d3e2614
sha1sum: 55b2b99f67c3dacd402fb9880999086efd264e7a

Workstation for Windows 32-bit and 64-bit without VMware Tools
md5sum: 066929f59aef46f11f4d9fd6c6b36e4d
sha1sum: def776a28ee1a21b1ad26e836ae868551fff6fc3

VMware Player 3.1.2
-------------------
http://www.vmware.com/download/player/
Release notes:

http://downloads.vmware.com/support/player31/doc/releasenotes_player312.
html

VMware Player for Windows 32-bit and 64-bit
md5sum: 3f289cb33af5e425c92d8512fb22a7ba
sha1sum: bf67240c1f410ebeb8dcb4f6d7371334bf9a6b70

VMware Player for Linux 32-bit
md5sum: 11e3e3e8753e1d9abbbb92c4e3c1dfe8
sha1sum: dd1dbcdb1f4654eefc11472b68934dcb69842749

VMware Player for Linux 64-bit
md5sum: 2ab08e0d4050719845a64d334ca15bb1
sha1sum: f024ad84ec831fce8667dfa9601851da5d9fa59c

VMware ACE Management Server 2.7.2
----------------------------------
http://downloads.vmware.com/d/info/desktop_downloads/vmware_ace/2_7
Release notes:
http://downloads.vmware.com/support/ace27/doc/releasenotes_ace272.html

ACE Management Server for Windows
md5sum: 02f0072b8e48a98ed914b633f070d550
sha1sum: 94a68eac4a328d21a741879b9d063227c0dc1ce4

5. References

CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2249
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0434
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0425

- ------------------------------------------------------------------------

6. Change log

2010-09-23 VMSA-2010-0014
Initial security advisory after release of Workstation 7.1.2,
Player 3.1.2 and ACE Management Server 2.7.2 on 2010-09-23

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware Security Advisories
http://www.vmware.com/security/advisoiries

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)

iEYEARECAAYFAkycSrQACgkQS2KysvBH1xmT9wCfbBUS4GYrJohz+QMLYcoiFmSh
eTgAoIAmx+ilbe2myj02daLjFrVQfQII
=5jlh
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus