VMware * address information disclosure, privilege escalation and other security issues.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2008-0014 Synopsis: Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues. Issue date: 2008-08-29 Updated on: 2008-08-29 (initial release of advisory) CVE numbers: CVE-2008-2101 CVE-2007-5269 CVE-2008-1447 CVE-2008-3691 CVE-2008-3692 CVE-2008-3693 CVE-2008-3694 CVE-2008-3695 CVE-2007-5438 CVE-2008-3696 CVE-2008-3697 CVE-2008-3698 CVE-2008-1806 CVE-2008-1807 CVE-2008-1808 CVE-2007-5503 - ------------------------------------------------------------------------ -- 1. Summary Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues. 2. Relevant releases VMware Workstation 6.0.4 and earlier, VMware Workstation 5.5.7 and earlier, VMware Player 2.0.4 and earlier, VMware Player 1.0.7 and earlier, VMware ACE 2.0.4 and earlier, VMware ACE 1.0.6 and earlier, VMware Server 1.0.6 and earlier, VMware ESX 3.0.3 without patches ESX303-200808404-SG, ESX303-200808403-SG ESX303-200808406-SG. VMware ESX 3.0.2 without patches ESX-1005109, ESX-1005113, ESX-1005114. VMware ESX 3.0.1 without patches ESX-1005108, ESX-1005112, ESX-1005111, ESX-1004823, ESX-1005117. NOTE: Hosted products VMware Workstation 5.x, VMware Player 1.x, and VMware ACE 1.x will reach end of general support 2008-11-09. Customers should plan to upgrade to the latest version of their respective products. Extended support (Security and Bug fixes) for ESX 3.0.2 ends on 10/29/2008 and Extended support for ESX 3.0.2 Update 1 ends on 8/8/2009. Users should plan to upgrade to ESX 3.0.3 and preferably to the newest release available. Extended Support (Security and Bug fixes) for ESX 3.0.1 has ended on 2008-07-31. The 3.0.1 patches are released in August because there was no patch release in July. 3. Problem Description I Security Issues a. Setting ActiveX killbit Starting from this release, VMware has set the killbit on its ActiveX controls. Setting the killbit ensures that ActiveX controls cannot run in Internet Explorer (IE), and avoids security issues involving ActiveX controls in IE. See the Microsoft KB article 240797 and the related references on this topic. Security vulnerabilities have been reported for ActiveX controls provided by VMware when run in IE. Under specific circumstances, exploitation of these ActiveX controls might result in denial-of- service or can allow running of arbitrary code when the user browses a malicious Web site or opens a malicious file in IE browser. An attempt to run unsafe ActiveX controls in IE might result in pop-up windows warning the user. Note: IE can be configured to run unsafe ActiveX controls without prompting. VMware recommends that you retain the default settings in IE, which prompts when unsafe actions are requested. Earlier, VMware had issued knowledge base articles, KB 5965318 and KB 9078920 on security issues with ActiveX controls. To avoid malicious scripts that exploit ActiveX controls, do not enable unsafe ActiveX objects in your browser settings. As a best practice, do not browse untrusted Web sites as an administrator and do not click OK or Yes if prompted by IE to allow certain actions. VMware would like to thank Julien Bachmann, Shennan Wang, Shinnai, and Michal Bucko for reporting these issues to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and CVE-2008-3696 to the security issues with VMware ActiveX controls. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 6.x Windows 6.0.5 build 109488 or later Workstation 6.x Linux not affected Workstation 5.x Windows 5.5.8 build 108000 or later Workstation 5.x Linux not affected Player 2.x Windows 2.0.5 build 109488 or later Player 2.x Linux not affected Player 1.x Windows 1.0.8 build or later Player 1.x Linux not affected ACE 2.x Windows 2.0.5 build 109488 or later ACE 1.x Windows 1.0.7 build 108880 or later Server 1.x Windows 1.0.7 build 108231 or later Server 1.x Linux not affected Fusion 1.x Mac OS/X not affected ESXi 3.5 ESXi not affected ESX any ESX not affected b. VMware ISAPI Extension Denial of Service The Internet Server Application Programming Interface (ISAPI) is an API that extends the functionality of Internet Information Server (IIS). VMware uses ISAPI extensions in its Server product. One of the ISAPI extensions provided by VMware is vulnerable to a remote denial of service. By sending a malformed request, IIS might shut down. IIS 6.0 restarts automatically. However, IIS 5.0 does not restart automatically when its Startup Type is set to Manual. VMware would like to thank the Juniper Networks J-Security Security Research Team for reporting this issue to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-3697 to this issue. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 6.x Windows not affected Workstation 6.x Linux not affected Workstation 5.x Windows not affected Workstation 5.x Linux not affected Player 2.x Windows not affected Player 2.x Linux not affected Player 1.x Windows not affected Player 1.x Linux not affected ACE 2.x Windows not affected ACE 1.x Windows not affected Server 1.x Windows 1.0.7 build 108231 or later Server 1.x Linux not affected Fusion 1.x Mac OS/X not affected ESXi 3.5 ESXi not affected ESX any ESX not affected c. OpenProcess Local Privilege Escalation on Host System This release fixes a privilege escalation vulnerability in host systems. Exploitation of this vulnerability allows users to run arbitrary code on the host system with elevated privileges. VMware would like to thank Sun Bing from McAfee, Inc. for reporting this issue to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-3698 to this issue. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 6.x Windows not affected Workstation 6.x Linux not affected Workstation 5.x Windows 5.5.8 build 108000 or later Workstation 5.x Linux not affected Player 2.x Windows not affected Player 2.x Linux not affected Player 1.x Windows 1.0.8 build 109488 or later Player 1.x Linux not affected ACE 2.x Windows not affected ACE 1.x Windows 1.0.7 build 108880 or later Server 1.x Windows 1.0.7 build 108231 or later Server 1.x Linux not affected Fusion 1.x Mac OS/X not affected ESXi 3.5 ESXi not affected ESX any ESX not affected d. Update to Freetype FreeType 2.3.6 resolves an integer overflow vulnerability and other vulnerabilities that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted file. This release updates FreeType to 2.3.7. The Common Vulnerabilities and Exposures Project (cve.mitre.com) has assigned the names CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808 to the issues resolved in Freetype 2.3.6. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 6.x Windows not affected Workstation 6.x Linux 6.0.5 build 109488 or later Workstation 5.x Windows not affected Workstation 5.x Linux 5.5.8 build 108000 or later Player 2.x Windows not affected Player 2.x Linux 2.0.5 build 109488 or later Player 1.x Windows not affected Player 1.x Linux 1.0.8 build 108000 or later ACE 2.x Windows not affected ACE 1.x Windows not affected Server 1.x Windows not affected Server 1.x Linux 1.0.7 build 108231 or later Fusion 1.x Mac OS/X affected, patch pending ESXi 3.5 ESXi not affected ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected ESX 3.0.2 ESX not affected ESX 3.0.1 ESX not affected ESX 2.5.5 ESX affected, patch pending ESX 2.5.4 ESX affected, patch pending e. Update to Cairo Cairo 1.4.12 resolves an integer overflow vulnerability that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted PNG file. This release updates Cairo to 1.4.14. The Common Vulnerabilities and Exposures (cve.mitre.com) has assigned the name CVE-2007-5503 to this issue. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 6.x Windows not affected Workstation 6.x Linux 6.0.5 build 109488 or later Workstation 5.x Windows not affected Workstation 5.x Linux not affected Player 2.x Windows not affected Player 2.x Linux 2.0.5 build 109488 or later Player 1.x Windows not affected Player 1.x Linux not affected ACE 2.x Windows not affected ACE 1.x Windows not affected Server 1.x Windows not affected Server 1.x Linux not affected Fusion 1.x Mac OS/X affected, patch pending ESXi 3.5 ESXi not affected ESX any ESX not affected f. VMware Consolidated Backup(VCB) command-line utilities may expose sensitive information VMware Consolidated Backup command-line utilities accept the user password through the -p command-line option. Users logged into the service console could gain access to the username and password used by VCB command-line utilities when such commands are running. This patch resolves this issue by providing an alternative way of passing the password used by VCB command-line utilities. The following options are recommended for passing the password: 1. The password is specified in /etc/backuptools.conf (PASSWORD=xxxxx), and -p is not used in the command line. /etc/backuptools.conf file permissions are read/write only for root. 2. No password is specified in /etc/backuptools.conf and the -p option is not used in the command line. The user will be prompted to enter a password. ESX is not affected unless you use VCB. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-2101 to this issue. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= =================== VirtualCenter any Windows not affected hosted * any any not affected ESXi 3.5 ESXi not affected ESX 3.5 ESX ESX350-200806203-UG ESX 3.0.3 ESX ESX303-200808403-SG ESX 3.0.2 ESX ESX-1004824 ESX 3.0.1 ESX ESX-1004823 ESX 2.5.5 ESX not affected ESX 2.5.4 ESX not affected * hosted products are VMware Workstation, Player, ACE, Server, Fusion g. Third Party Library libpng Updated to 1.2.29 Several flaws were discovered in the way third party library libpng handled various PNG image chunks. An attacker could create a carefully crafted PNG image file in such a way that it causes an application linked with libpng to crash when the file is manipulated. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5269 to this issue. NOTE: There are multiple patches required to remediate the issue. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= =================== VirtualCenter any Windows not affected hosted * any any not affected ESXi 3.5 ESXi affected, patch pending ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX ESX303-200808404-SG ESX303-200808403-SG ESX 3.0.2 ESX ESX-1005109 ESX-1005114 ESX-1005113 ESX 3.0.1 ESX ESX-1005112 ESX-1005108 ESX-1005111 ESX 2.5.5 ESX affected, patch pending ESX 2.5.4 ESX affected, patch pending * hosted products are VMware Workstation, Player, ACE, Server, Fusion II ESX Service Console rpm updates a. update to bind This update upgrades the service console rpms for bind-utils and bind-lib to version 9.2.4-22.el3. Version 9.2.4.-22.el3 addresses the recently discovered vulnerability in the BIND software used for Domain Name resolution (DNS). VMware doesn't install all the BIND packages on ESX Server and is not vulnerable by default to the reported vulnerability. Of the BIND packages, VMware only ships bind-util and bind-lib in the service console and these components by themselves cannot be used to setup a DNS server. Bind-lib and bind-util are used in client DNS applications like nsupdate, nslookup, etc. VMware explicitly discourages installing applications like BIND on the service console. In case the customer has installed BIND, and the DNS server is configured to support recursive queries, their ESX Server system is affected and they should replace BIND with a patched version. Note: ESX Server will use the DNS server on the network it is on, so it is important to patch that DNS server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-1447 to this issue. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= =================== VirtualCenter any Windows not affected hosted * any any not affected ESXi 3.5 ESXi not affected ESX 3.5 ESX patch pending ESX 3.0.3 ESX ESX303-200808406-SG ESX 3.0.2 ESX ESX-1006356 ESX 3.0.1 ESX ESX-1005117 ESX 2.5.5 ESX patch pending ESX 2.5.4 ESX patch pending * hosted products are VMware Workstation, Player, ACE, Server, Fusion 4. Solution Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file. VMware Workstation 6.0.5 ------------------------ http://www.vmware.com/download/ws/ Release notes: http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html Windows binary md5sum: 46b4c54f0493f59f52ac6c2965296859 RPM Installation file for 32-bit Linux md5sum: 49ebfbd05d146ecc43262622ab746f03 tar Installation file for 32-bit Linux md5sum: 14ac93bffeee72528629d4caecc5ef37 RPM Installation file for 64-bit Linux md5sum: 0a856f1a1a31ba3c4b08bcf85d97ccf6 tar Installation file for 64-bit Linux md5sum: 3b459254069d663e9873a661bc97cf6c VMware Workstation 5.5.8 ------------------------ http://www.vmware.com/download/ws/ws5.html Release notes: http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html Windows binary: md5sum: 745c3250e5254eaf6e65fcfc4172070f Compressed Tar archive for 32-bit Linux md5sum: 65a454749d15d4863401619d7ff5566e Linux RPM version for 32-bit Linux md5sum: d80adc73b1500bdb0cb24d1b0733bcff VMware Player 2.0.5 and 1.0.8 ----------------------------- http://www.vmware.com/download/player/ Release notes Player 1.x: http://www.vmware.com/support/player/doc/releasenotes_player.html Release notes Player 2.0 http://www.vmware.com/support/player2/doc/releasenotes_player2.html 2.0.5 Windows binary md5sum: 60265438047259b23ff82fdfe737f969 VMware Player 2.0.5 for Linux (.rpm) md5sum: 3bc81e203e947e6ca5b55b3f33443d34 VMware Player 2.0.5 for Linux (.tar) md5sum: f499603d790edc5aa355e45b9c5eae01 VMware Player 2.0.5 - 64-bit (.rpm) md5sum: 85bc2f11d06c362feeff1a64ee5a6834 VMware Player 2.0.5 - 64-bit (.tar) md5sum: b74460bb961e88817884c7e2c0f30215 1.0.8 Windows binary md5sum: e5f927304925297a7d869f74b7b9b053 Player 1.0.8 for Linux (.rpm) md5sum: a13fdb8d72b661cefd24e7dcf6e2a990 Player 1.0.8 for Linux (.tar) md5sum: 99fbe861253eec5308d8c47938e8ad1e VMware ACE 2.0.5 ---------------- http://www.vmware.com/download/ace/ Release notes 2.0: http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html ACE Manager Server Virtual Appliance Virtual Appliance for the ACE Management Server md5sum: 41e7349f3b6568dffa23055bb629208d ACE for Window 32-bit and 64-bit Main installation file for Windows 32-bit and 64-bit host (ACE Option Page key required for enabling ACE authoring) md5sum:46b4c54f0493f59f52ac6c2965296859 ACE Management Server for Windows ACE Management Server installation file for Windows md5sum:33a015c4b236329bcb7e12c82271c417 ACE Management Server for Red Hat Enterprise Linux 4 ACE Management Server installation file for Red Hat Enterprise Linux 4 md5sum:dc3bd89fd2285f41ed42f8b28cd5535f ACE Management Server for SUSE Enterprise Linux 9 ACE Management Server installation file for SUSE Enterprise Linux 9 md5sum:2add6a4fc97e1400fb2f94274ce0dce0 VMware ACE 1.0.7 ---------------- http://www.vmware.com/download/ace/ Release notes: http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html md5sum: 42d806cddb8e9f905722aeac19740f33 VMware Server 1.0.7 ------------------- http://www.vmware.com/download/server/ Release notes: http://www.vmware.com/support/server/doc/releasenotes_server.html VMware Server for Windows 32-bit and 64-bit md5sum: 2e2ee5ebe08ae48eac5e661cad01acf6 VMware Server Windows client package md5sum: ce7d906a5a8de37cbc20db4332de1adb VMware Server for Linux md5sum: 04f201122b16222cd58fc81ca814ff8c VMware Server for Linux rpm md5sum: 6bae706df040c35851823bc087597d8d Management Interface md5sum: e67489bd2f23bcd4a323d19df4e903e8 VMware Server Linux client package md5sum: 99f1107302111ffd3f766194a33d492b ESX --- ESX 3.5.0 patch ESX350-200806203-UG (VCB) http://download3.vmware.com/software/esx/ESX350-200806203-UG.zip md5sum: 3bd512dc8aa2b276f7cfd19080d193c9 http://kb.vmware.com/kb/1005896 ESX 3.0.3 patch ESX303-200808403-SG (libpng) http://download3.vmware.com/software/vi/ESX303-200808403-SG.zip md5sum: 5f1e75631e53c0e9e013acdbe657cfc7 http://kb.vmware.com/kb/1006034 ESX 3.0.3 patch ESX303-200808404-SG (libpng) http://download3.vmware.com/software/vi/ESX303-200808404-SG.zip md5sum: 65468a5b6ba105cfde1dd444d77b2df4 http://kb.vmware.com/kb/1006035 ESX 3.0.3 patch ESX303-200808406-SG (bind) http://download3.vmware.com/software/vi/ESX303-200808406-SG.zip md5sum: a11273e8d430e5784071caff673995f4 http://kb.vmware.com/kb/1006357 ESX 3.0.3 patch (VCB) ESX 3.0.2 patch ESX-1005109 (libpng) http://download3.vmware.com/software/vi/ESX-1005109.tgz md5sum: 456d74d94317f852024aed5d3852be09 http://kb.vmware.com/kb/1005109 ESX 3.0.2 patch ESX-1005113 (libpng) http://download3.vmware.com/software/vi/ESX-1005113.tgz md5sum: 5d604f2bfd90585b9c8679f5fc8c31b7 http://kb.vmware.com/kb/1005113 ESX 3.0.2 patch ESX-1005114 (libpng) http://download3.vmware.com/software/vi/ESX-1005114.tgz md5sum: 3b6d33b334f0020131580fdd8f9b5365 http://kb.vmware.com/kb/1005114 ESX 3.0.2 patch ESX-1004824 (VCB) http://download3.vmware.com/software/vi/ESX-1004824.tgz md5sum: c72b0132c9f5d7b4cb1b9e47748a9c5b http://kb.vmware.com/kb/1004824 ESX 3.0.2 patch ESX-1006356 (bind) http://download3.vmware.com/software/vi/ESX-1006356.tgz md5sum: f0bc9d0b641954145df3986cdb1c2bab http://kb.vmware.com/kb/1006356 ESX 3.0.1 patch ESX-1005111 (libpng) http://download3.vmware.com/software/vi/ESX-1005111.tgz md5sum: 60e1be9b41070b3531c06f9a0595e24c http://kb.vmware.com/kb/1005111 ESX 3.0.1 patch ESX-1005112 (libpng) http://download3.vmware.com/software/vi/ESX-1005112.tgz md5sum: ad645cef0f9fa18bb648ba5a37074732 http://kb.vmware.com/kb/1005112 ESX 3.0.1 patch ESX-1005108 (libpng) http://download3.vmware.com/software/vi/ESX-1005108.tgz md5sum: aabc873d978f023c929ccd9a54588ea5 http://kb.vmware.com/kb/1005108 ESX 3.0.1 patch ESX-1004823 (VCB) http://download3.vmware.com/software/vi/ESX-1004823.tgz md5sum: 5ff2e8ce50c18afca76fb16c28415a59 http://kb.vmware.com/kb/1004823 ESX 3.0.1 patch ESX-1005117 (bind) http://download3.vmware.com/software/vi/ESX-1005117.tgz md5sum: 5271ecc6e36fb6f1fdf372e57891aa33 http://kb.vmware.com/kb/1005117 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2101 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3691 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3692 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3693 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3694 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3695 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5438 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3696 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3697 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3698 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1806 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1808 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5503 - ------------------------------------------------------------------------ 6. Change log 2008-08-29 VMSA-2008-0014 initial release - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2008 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIuI98S2KysvBH1xkRCJp7AJ9Mq0+CEdoQRLzPLSRbv5OLqXqUHACfUSRt bZpHL8qHcNwAiTVz6P3+W6E= =PQ58 -----END PGP SIGNATURE-----

References:

http://www.securityfocus.com/bid/30937
http://www.securityfocus.com/archive/1/archive/1/495869/100/0/threaded
http://www.frsirt.com/english/advisories/2008/2466
http://secunia.com/advisories/31713
http://lists.grok.org.uk/pipermail/full-disclosure/2008-August/064118.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top