Home page logo
/

bugtraq logo Bugtraq mailing list archives

VMSA-2010-0018 VMware hosted products and ESX patches resolve multiple security issues
From: VMware Security team <security () vmware com>
Date: Thu, 02 Dec 2010 23:00:11 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0018
Synopsis:          VMware hosted products and ESX patches resolve
                   multiple security issues
Issue date:        2010-12-02
Updated on:        2010-12-02 (initial release of advisory)
CVE numbers:       CVE-2010-4295 CVE-2010-4296 CVE-2010-4297
                   CVE-2010-4294
- ------------------------------------------------------------------------

1. Summary

   VMware hosted products and ESX patches resolve multiple security
   issues.

2. Relevant releases

   VMware Workstation 7.1.1 and earlier,
   VMware Workstation 6.5.4 and earlier,
   VMware Player 3.1.1 and earlier,
   VMware Player 2.5.4 and earlier,

   VMware Fusion 3.1.1 and earlier,

   ESXi 4.1 without patch ESXi410-201010402-BG or later
   ESXi 4.0 without patch ESXi400-201009402-BG or later
   ESXi 3.5 without patch ESXe350-201008402-T-BG or later

   ESX 4.1 without patch ESX410-201010405-BG
   ESX 4.0 without patch ESX400-201009401-SG
   ESX 3.5 without patch ESX350-201008409-BG

   Note: VMware Server was declared End Of Availability on January 2010,
         support will be limited to Technical Guidance for the duration
         of the support term.

3. Problem Description

 a. VMware Workstation, Player and Fusion vmware-mount race condition

    The way temporary files are handled by the mounting process could
    result in a race condition. This issue could allow a local user on
    the host to elevate their privileges.

    VMware Workstation and Player running on Microsoft Windows are not
    affected.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-4295 to this issue.

    VMware would like to thank Dan Rosenberg for reporting this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Workstation    7.x       Linux    7.1.2 Build 301548 or later
    Workstation    7.x       Windows  not affected
    Workstation    6.5.x     any      not affected

    Player         3.1.x     Linux    3.1.2 Build 301548 or later
    Player         3.1.x     Windows  not affected
    Player         2.5.x     any      not affected

    AMS            any       any      not affected

    Server         2.0.2     Linux    affected, no patch planned
    Server         2.0.2     Windows  not affected

    Fusion         3.1.x     Mac OS/X 3.1.2 Build 332101 or later
    Fusion         2.x       Mac OS/X not affected

    ESXi           any       ESXi     not affected

    ESX            any       ESX      not affected


 b. VMware Workstation, Player and Fusion vmware-mount privilege
    escalation

    vmware-mount which is a suid binary has a flaw in the way libraries
    are loaded.  This issue could allow local users on the host to
    execute arbitrary shared object files with root privileges.

    VMware Workstation and Player running on Microsoft Windows are not
    affected.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-4296 to this issue.

    VMware would like to thank Martin Carpenter for reporting this
    issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Workstation    7.x       Linux    7.1.2 Build 301548 or later
    Workstation    7.x       Windows  not affected
    Workstation    6.5.x     any      not affected

    Player         3.1.x     Linux    3.1.2 Build 301548 or later
    Player         3.1.x     Windows  not affected
    Player         2.5.x     any      not affected

    AMS            any       any      not affected

    Server         2.0.2     Linux    affected, no patch planned
    Server         2.0.2     Windows  not affected

    Fusion         3.1.x     Mac OS/X 3.1.2 Build 332101
    Fusion         2.x       Mac OS/X not affected

    ESXi           any       ESXi     not affected

    ESX            any       ESX      not affected


 c. OS Command Injection in VMware Tools update

    A vulnerability in the input validation of VMware Tools update
    allows for injection of commands. The issue could allow a  user
    on the host to execute commands on the guest operating system
    with root privileges.

    The issue can only be exploited if VMware Tools is not fully
    up-to-date.  Windows-based virtual machines are not affected.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-4297 to this issue.

    VMware would like to thank Nahuel Grisolia of Bonsai Information
    Security, http://www.bonsai-sec.com, for reporting this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Workstation    7.x       any      7.1.2 Build 301548 or later
    Workstation    6.5.x     any      6.5.5 Build 328052 or later

    Player         3.1.x     any      3.1.2 Build 301548 or later
    Player         2.5.x     any      2.5.5 Build 328052 or later

    AMS            any       any      not affected

    Server         2.0.2     any      affected, no patch planned

    Fusion         3.1.x     Mac OS/X 3.1.2 Build 332101
    Fusion         2.x       Mac OS/X 2.0.8 Build 328035

    ESXi           4.1       ESXi     ESXi410-201010402-BG
    ESXi           4.0       ESXi     ESXi400-201009402-BG
    ESXi           3.5       ESXi     ESXe350-201008402-T-BG **

    ESX            4.1       ESX      ESX410-201010405-BG
    ESX            4.0       ESX      ESX400-201009401-SG
    ESX            3.5       ESX      ESX350-201008409-BG **
    ESX            3.0.3     ESX      not affected

  * hosted products are VMware Workstation, Player, ACE, Fusion.
  ** Non Windows-based guest systems on ESXi 3.5 and ESX 3.5 only:
     - Install the relevant ESX patch.
     - Manually upgrade tools in the virtual machine (virtual machine
       users will not be prompted to upgrade tools).  Note the VI
       Client may not show that the VMware tools is out of date in the
       summary tab.

 d. VMware VMnc Codec frame decompression remote code execution

    The VMware movie decoder contains the VMnc media codec that is
    required to play back movies recorded with VMware Workstation,
    VMware Player and VMware ACE, in any compatible media player. The
    movie decoder is installed as part of VMware Workstation, VMware
    Player and VMware ACE, or can be downloaded as a stand alone
    package.

    A function in the decoder frame decompression routine implicitly
    trusts a size value.  An attacker can utilize this to miscalculate
    a destination pointer, leading to the corruption of a heap buffer,
    and could allow for execution of arbitrary code with the privileges
    of the user running an application utilizing the vulnerable codec.

    For an attack to be successful the user must be tricked into
    visiting a malicious web page or opening a malicious video file on
    a system that has the vulnerable version of the VMnc codec installed.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-4294 to this issue.

    VMware would like to thank Aaron Portnoy and Logan Brown of
    TippingPoint DVLabs for reporting this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Movie Decoder  any       Windows  7.1.2 Build 301548 or later
    Movie Decoder  any       Windows  6.5.5 Build 328052 or later

    Workstation    7.x       Windows  7.1.2 Build 301548 or later
    Workstation    7.x       Linux    not affected
    Workstation    6.5.x     Windows  6.5.5 build 328052 or later
    Workstation    6.5.x     Linux    not affected

    Player         3.x       Windows  3.1.2 Build 301548 or later
    Player         3.x       Linux    not affected
    Player         2.5.x     Windows  2.5.5 build 246459 or later
    Player         2.5.x     Linux    not affected

    AMS            any       any      not affected

    Server         2.x       Window   affected, no patch planned
    Server         2.x       Linux    not affected

    Fusion         any       Mac OS/X not affected

    ESXi           any       ESXi     not affected

    ESX            any       ESX      not affected

4. Solution
   Please review the patch/release notes for your product and version
   and verify the md5sum and/or the sha1sum of your downloaded file.

   VMware Workstation Movie Decoder
   --------------------------------
   Workstation 7.1.2 Movie Decoder
   md5sum: a4d761a21670c735d04abb89e674656e
   sha1sum: b66673c30f3b8b8fb18035d08a6255f478be875d

   Workstation 6.5.5 Movie Decoder build 328052
   md5sum: 1223bb57d97df39259be2c6c90a65ba6
   sha1sum: 3ae7cdeeeebf6a716ec73f934077545945474ff6


   VMware Workstation 7.1.3
   ------------------------
   http://www.vmware.com/download/ws/
   Release notes:
   http://downloads.vmware.com/support/ws71/doc/releasenotes_ws713.html

   Workstation for Windows 32-bit and 64-bit with VMware Tools
   md5sum: 7b9dc01bf733047a00711f5800df6107
   sha1sum: 5f36117c64455f3dff3b7410a0bfc72e41905181

   Workstation for Windows 32-bit and 64-bit without VMware Tools
   md5sum: d102006f7a3951dd58325f5b4e151abe
   sha1sum: ccfd70278d3c89b38776d656fa797ca8e9b28d55

   Workstation 6.5.5
   -----------------
   http://www.vmware.com/download/ws/
   Release notes:
   http://downloads.vmware.com/support/ws65/doc/releasenotes_ws655.html

   Workstation for Windows 32-bit and 64-bit
   md5sum: 7bff9b621529efb0de808a45e7821274
   sha1sum: 41af7a9a78717cb85dd30b4d830e99fd5de49cc1

   Workstation for Linux 32-bit (rpm)
   md5sum: 17c3f1a0e6ccf2b1e224a5d75c845a47
   sha1sum: 3027b4e2215fae84fa9311f8cd762fee17e89df0

   Workstation for Linux 32-bit (bundle)
   md5sum: 7c24811fb999204f144d8b9f50e9fcae
   sha1sum: 18a05e6f4f772b7f0563dbd17596b66d1db8e9fa

   Workstation for Linux 64-bit (rpm)
   md5sum: c25c2535d8091c4d46701ed081347901
   sha1sum: f4356bc224ea9805dac2d4b677f88a2f4220353e

   Workstation for Linux 64-bit (bundle)
   md5sum: 7012bdaf182d256672ff2eb24b00a40f
   sha1sum: 58ecb2a494d4c7cc663e2028cf76c13d458fecac

   VMware Player 3.1.3
   -------------------
   http://www.vmware.com/download/player/
   Release notes:

http://downloads.vmware.com/support/player31/doc/releasenotes_player313.html

   VMware Player for Windows 32-bit and 64-bit  
   md5sum: bd66a0ab8ae87d5cfa32b8ff44f99d1f
   sha1sum: 8ab358efc97a64639cce83766c35d43b0d662132

   VMware Player for Linux 32-bit (bundle)
   md5sum: e5d0bf19a1908262f63a8f88df77f73e
   sha1sum: 4abb87d37706c47a86337ada1d23d390455e4931

   VMware Player for Linux 64-bit (bundle)
   md5sum: 18e6aae025ee2ef9f10ce6d9271ce472
   sha1sum: 6608bce64811be4480e667726aefefdc2b71e4e3

   VMware Player 2.5.5
   -------------------
   VMware Player 2.5.5 for Windows 32-bit and 64-bit
   md5sum: 780b2c4e2b1610dea3090b1cd81d5ad7
   sha1sum: f6c451a11a4fe66e5a465de960de1358e83b8314

   VMware Player 2.5.5 for Linux 32-bit (rpm)
   md5sum: 9e13ee3904bd2377ffb8cfa66460fe92
   sha1sum: 2482acad19f6b23cf0c236d1ce87d4805b7b0e6c    

   VMware Player 2.5.5 for Linux 32-bit (bundle)
   MD5SUM: 46dcfe9343f688d60e249d9e9c3853a4
   SHA1SUM: abfdeaf2cac83c630662607e7b95439367376abf    

   VMware Player 2.5.5 for Linux 64-bit (rpm)
   MD5SUM: 52d6dcdeed9e564c8cfe8c35cec885f0
   SHA1SUM: dbaa6dac55f592b9c6b16d7505796a2580836f4b    

   VMware Player 2.5.5 for Linux 64-bit (bundle)
   md5sum: 6c9a677820010ccd20f829cb5d2c057b
   sha1sum: ff6eccba3125229e8adbc1cb96764c2f116d89c5    

   VMware Fusion
   -------------

   VMware Fusion 3.1.2 build 332101
   md5sum: a809170c9bd55a102c007c20269c4729
   sha1sum: bf56e0f873d8e0d67fd73fba5e597e0931083e03    

   VMware Fusion Lite 3.1.2 build 332101
   md5sum: d7db517cb25320152723f8535c90dd16
   sha1sum: 555d9bd03327731270acfc851ba15b28ef3f6720

   VMware Fusion 2.0.8 (for Intel-based Macs)
   md5sum: 9951d3b7985c39c685d59eaa73fe267c
   sha1sum: 11463924b5a7f82161090416905774da45e1cd3e    

   VMware Fusion Lite 2.0.8 (for Intel-based Macs)
   md5sum: 0bee2ef0d0e9e543b2468ed9618e32c8
   sha1sum: fa56bb7ea3493d07610051f92b9941305a436a2f

   ESXi 4.1
   --------
   ESXi410-201010001
   Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-251-20101108-239087/ESXi410-201010001.zip
   md5sum: 05f1049c7a595481cd682e92fe8d3285
   sha1sum: f6993c185f7d1cb971a4ae6e017e0246b8c25a76
   http://kb.vmware.com/kb/1027753

   Note ESXi410-201010001 contains the following security fix:
ESXi410-201010402-BG

   ESXi 4.0
   --------
   ESXi400-201009001
   Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-241-20100919-436526/ESXi400-201009001.zip
   md5sum: bfc1b78f14d970c556b828492f5920e1
   sha1sum:  a311a4af41aa1202bb6b156694bbc045c67df91a
   http://kb.vmware.com/kb/1025322

   Note ESXi400-201009001 contains the following security fix:
ESXi400-201009402-BG

   ESXi 3.5
   --------
   ESXe350-201008401-O-SG
   http://download3.vmware.com/software/vi/ESXe350-201008401-O-SG.zip
   md5sum:a2bb0afbc677ba847bedecb44dbdd4b3
   http://kb.vmware.com/kb/1026139

   Note ESXe350-201008401-O-SG contains the following security fix:
ESXe350-201008402-T-BG

   ESX 4.1
   -------
   ESX410-201010001

https://hostupdate.vmware.com/software/VUM/OFFLINE/release-252-20101109-182791/ESX410-201010001.zip
   md5sum: ff4435fd3c74764f064e047c6e5e7809
   sha1sum:322981f4dbb9e5913c8f38684369444ff7e265b3
   http://kb.vmware.com/kb/1027027

   ESX410-201010001 contains the following security fix: ESX410-201010405-BG

   ESX 4.0
   -------
   ESX400-201009001

https://hostupdate.vmware.com/software/VUM/OFFLINE/release-240-20100919-359479/ESX400-201009001.zip
   md5sum: 988c593b7a7abf0be5b72970ac64a369
   sha1sum: 26d875955b01c19f4e56703216e135257c08836f
   http://kb.vmware.com/kb/1025321

   ESX400-201009001 contains the following security fix: ESX400-201009401-SG

   ESX 3.5
   -------
   ESX350-201008409-BG
   http://download3.vmware.com/software/vi/ESX350-201008409-BG.zip
   md5sum: f2c4a4a53695057de25f095029d713fb
   http://kb.vmware.com/kb/1026133

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4295
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4296
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4297
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4294

- ------------------------------------------------------------------------

6. Change log

2010-12-02  VMSA-2010-0018
Initial security advisory after release of Workstation 6.5.5,
Player 2.5.5, Fusion 2.0.8 and Fusion 3.1.2 on 2010-12-02, ESX patches
and Workstation 7.1.2 and 7.1.3 were released previously.

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)

iEYEARECAAYFAkz4lXgACgkQS2KysvBH1xn0qgCeO9eTk2xMbdx3Ssr24lCYzlUC
jXoAnjxrD5t4JyuWQftQ9ciZSDpIeZzg
=TEE9
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • VMSA-2010-0018 VMware hosted products and ESX patches resolve multiple security issues VMware Security team (Dec 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]