Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

VMSA-2010-0005 VMware products address vulnerabilities in WebAccess
From: VMware Security Team <security () vmware com>
Date: Mon, 29 Mar 2010 22:38:46 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0005
Synopsis:          VMware products address vulnerabilities in WebAccess
Issue date:        2010-03-29
Updated on:        2010-03-29 (initial release of advisory)
CVE numbers:       CVE-2009-2277 CVE-2010-1137 CVE-2010-0686
                   CVE-2010-1193                    
- ------------------------------------------------------------------------

1. Summary

   VMware products address vulnerabilities in WebAccess.


2. Relevant releases

   Virtual Center 2.5 with WebAccess
   Virtual Center 2.0.2 with WebAccess

   VMware Server 2.0.2 with WebAccess
   VMware Server 1.0.10

   ESX 3.5 with WebAccess
   ESX 3.0.3 with WebAccess

   Notes:

   Effective May 2010, VMware's patch and update release program during
   Extended Support will be continued with the condition that all
   subsequent patch and update releases will be based on the latest
   baseline release version as of May 2010 (i.e. ESX 3.0.3 Update 1,
   ESX 3.5 Update 5, and VirtualCenter 2.5 Update 6). Refer to section
   "End of Product Availability FAQs" at
   http://www.vmware.com/support/policies/lifecycle/vi/faq.html for
   details.

   Extended support for ESX 2.5.5 ends on 2010-06-15. Users should plan
   to upgrade to at least ESX 3.0.3 Update 1 and preferably to the
   newest release available.

   Extended support for ESX 3.0.3 ends on 2011-12-10. Users should plan
   to upgrade to at least ESX 3.5 Update 5 and preferably to the newest
   release available.


3. Problem Description

  a. WebAccess Context Data Cross-site Scripting Vulnerability

    A cross-site scripting vulnerability in WebAccess allows for
    disclosure of sensitive information. The flaw is due to insufficient
    verification of certain parameters which may lead to redirection of
    a user's requests.

    This vulnerability can only be exploited if the attacker tricks the
    WebAccess user into clicking a malicious link and the attacker has
    control of a server on the same network as the system where
    WebAccess is being used.

    Workaround
    By switching off WebAccess the issue can no longer be exploited.
    This can be accomplished on affected versions of Virtual Center and
    ESX as follows:
     
    Virtual Center 2.0.2 and Virtual Center 2.5:
      Go to the Windows Services overview on the system that runs
      Virtual Center.
      To stop WebAccess without a reboot:
         Change the status of the VMware Infrastructure Web Access
         service to stop
      To prevent WebAccess from starting after the next reboot:
         Change the startup type of the VMware Infrastructure Web
         Access service to disabled

    ESX 3.0.3 and ESX 3.5:
      Open a root shell on ESX.
      To stop WebAccess without a reboot:
         service vmware-webAccess stop
      To prevent WebAccess from starting after the next reboot:
         chkconfig vmware-webAccess off
      
    VMware would like to thank David Byrne and Tom Leavey of Trustwave's
    SpiderLabs for reporting this issue to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2009-2277 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.0       Windows  not affected
    VirtualCenter  2.5       Windows  Virtual Center 2.5 Update 6
    VirtualCenter  2.0.2     Windows  not being fixed at this time *
 
    hosted **      any       any      not affected    

    ESXi           any       ESXi     not affected
 
    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      ESX350-201003403-SG
    ESX            3.0.3     ESX      not being fixed at this time *
    ESX            2.5.5     ESX      not affected
 
    vMA            4.0       RHEL5    not affected

  * Use the workaround of disabling WebAccess to remediate the issue.

 ** Hosted products are VMware Workstation, Player, ACE, Server, Fusion.

    Note: This vulnerability can be exploited remotely only if the
          attacker has access to the Service Console network.

          Security best practices provided by VMware recommend that the
          Service Console be isolated from the VM network. Please see
          http://www.vmware.com/resources/techresources/726 for more
          information on VMware security best practices.


  b. WebAccess Virtual Machine Name Cross-site Scripting Vulnerability
 
    A cross-site scripting vulnerability allows for execution of
    JavaScript in the Web browser's security context for WebAccess. The
    flaw is due to insufficient checking on the names of virtual
    machines.

    In order to exploit the issue, the attacker must have control over
    the naming of a virtual machine and must have the user list this
    Virtual Machine in WebAccess.

    Workaround
    By switching off WebAccess the issue can no longer be exploited. See
    section 3.a on how this can be accomplished.

    VMware would like to thank Craig Marshall of Ernst and Young
    Advanced Security Center for reporting this issue to us.
 
    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-1137 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.
 
    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.0       Windows  not affected
    VirtualCenter  2.5       Windows  Virtual Center 2.5 Update 4 *
    VirtualCenter  2.0.2     Windows  not being fixed at this time **
 
    Workstation    any       any      not affected

    Player         any       any      not affected

    Server         2.0       any      not affected
    Server         1.0       any      not being fixed at this time ***

    ACE            any       any      not affected

    Fusion         any       any      not affected
    
    ESXi           any       ESXi     not affected
 
    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      ESX350-200903223-UG *
    ESX            3.0.3     ESX      not being fixed at this time **
    ESX            2.5.5     ESX      not affected
 
    vMA            4.0       RHEL5    not affected

  * The issue is remediated in Virtual Center 2.5 Update 4 and later.
    The issue is remediated on ESX 3.5 by patch ESX350-200903223-UG and
    by later ESX 3.5 WebAccess patches. The latest ESX 3.5 WebAccess
    patch is ESX350-201003403-SG.

 ** Use the workaround of disabling WebAccess to remediate the issue.

*** In VMware Server 1.0 there is no WebAccess. The corresponding
    functionality is offered through the VMware Server Console.
 
    Note: This vulnerability can be exploited remotely only if the
          attacker has access to the Service Console network.

          Security best practices provided by VMware recommend that the
          Service Console be isolated from the VM network. Please see
          http://www.vmware.com/resources/techresources/726 for more
          information on VMware security best practices.

    
  c. WebAccess URL Forwarding Vulnerability

    The WebAccess component doesn't sufficiently validate user supplied
    input and allows for forwarding of an incoming request to another
    destination. The destination will not be able to see the true origin
    of the request URL but instead will see the address of the machine
    that runs WebAccess. An attacker could use the forwarding
    vulnerability to direct traffic at servers while disguising the
    source location.

    The security issue is limited to URL forwarding. This vulnerability
    doesn't allow for a so-called cross-site scripting attack and
    doesn't allow for stealing of the user cookies.
 
    Workaround
    By switching off WebAccess the issue can no longer be exploited. See
    section 3.a on how this can be accomplished.
 
    VMware would like to thank John Fitzpatrick of MWR InfoSecurity
    for reporting this issue to us.
 
    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-0686 to this issue.
 
    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.
 
    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.0       Windows  not affected
    VirtualCenter  2.5       Windows  not being fixed at this time *
    VirtualCenter  2.0.2     Windows  not being fixed at this time *
 
    Workstation    any       any      not affected
 
    Player         any       any      not affected
 
    Server         2.0       any      not being fixed at this time *
    Server         1.0       any      not affected
 
    ACE            any       any      not affected
 
    Fusion         any       any      not affected

    ESXi           any       ESXi     not affected
 
    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      not being fixed at this time *
    ESX            3.0.3     ESX      not being fixed at this time *
    ESX            2.5.5     ESX      not affected
 
    vMA            4.0       RHEL5    not affected

  * Use the workaround of disabling WebAccess to remediate the issue.

    Notes: This vulnerability can be exploited remotely only if the
           attacker has access to the Service Console network.

           Security best practices provided by VMware recommend that the
           Service Console be isolated from the VM network. Please see
           http://www.vmware.com/resources/techresources/726 for more
           information on VMware security best practices.


  d. WebAccess JSON Cross-site Scripting Vulnerability
 
    A cross-site scripting vulnerability allows for execution of
    JavaScript in the Web browser's security context for WebAccess. The
    flaw is due to incorrect parsing of JSON error messages.

    This vulnerability can only be exploited if the attacker tricks the
    WebAccess user into clicking a malicious link.

    Workaround
    By switching off WebAccess the issue can no longer be exploited. See
    section 3.a on how this can be accomplished.

    VMware would like to thank Nathan Keltner for reporting this issue
    to us.
 
    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-1193 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.0       Windows  not affected
    VirtualCenter  2.5       Windows  not affected
    VirtualCenter  2.0.2     Windows  not affected
 
    Workstation    any       any      not affected
 
    Player         any       any      not affected
 
    Server         2.0       any      not being fixed at this time *
    Server         1.0       any      not affected
 
    ACE            any       any      not affected
 
    Fusion         any       any      not affected

    ESXi           any       ESXi     not affected
 
    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      not affected
    ESX            3.0.3     ESX      not affected
    ESX            2.5.5     ESX      not affected
 
    vMA            4.0       RHEL5    not affected

  * Use the workaround of disabling WebAccess to remediate the issue.
 

4. Solution

   Please review the patch/release notes for your product and version
   and verify the sha1sum or md5sum of your downloaded file.

   VMware Virtual Center 2.5 Update 6
   ----------------------------------
   Version       2.5 Update 6
   Build Number  227637
   Release Date  2010/01/29
   Type          Product Binaries
   http://downloads.vmware.com/download/download.do?downloadGroup=VC250U6

   VirtualCenter DVD image - English only version
   File size: 854 MB
   File type: .iso
   md5sum: d83b09ac0533a418d5b7f5493dbd3ed3
   sha1sum: 1b969b397a937402b5e9463efc767eff7a980ad0

   VirtualCenter as a Zip file - English only version
   File size: 625 MB
   File type: .zip
   md5sum: 760f335ebcd363e0e159b20da923621f
   sha1sum: e400bc1008d1e4c44d204a8135293b8ae305f14e
   
   VMware vCenter Converter BootCD
   VMware Converter Enterprise BootCD for VirtualCenter
   File size: 97 MB
   File type: .zip
   md5sum: e49e0ff0f2563196cc5d4b5c471cd666

   VMware vCenter Converter CLI (Linux)
   VMware Converter Enterprise CLI for Linux platform
   File size: 37 MB
   File type: .tar.gz
   md5sum: 30d1f5e58a6cad8dacd988908305bc1c

   ESX 3.5
   -------
   ESX350-201003403-SG
   http://download3.vmware.com/software/vi/ESX350-201003403-SG.zip
   md5sum: cdddef476c06eeb28c10c5dac3730dca
   http://kb.vmware.com/kb/1018702

 
5. References

   CVE numbers
   
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2277
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1137
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0686
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1193

- ------------------------------------------------------------------------
6. Change log

2010-03-29  VMSA-2010-0005
Initial security advisory after release of patches for ESX 3.5
on 2010-03-29.

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFLsY4wS2KysvBH1xkRAv1RAJ9ELh3jWg7ZQsZNgTy7nuM2Rj8NjACfTub2
FRjw4Mfsh3658XAzuC1bsJg=
=PL0U
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • VMSA-2010-0005 VMware products address vulnerabilities in WebAccess VMware Security Team (Mar 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]