Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

VMSA-2010-0009 ESXi ntp and ESX Service Console third party updates
From: VMware Security team <security () vmware com>
Date: Thu, 27 May 2010 22:42:31 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0009
Synopsis:          ESXi ntp and ESX Service Console third party updates
Issue date:        2010-05-27
Updated on:        2010-05-27 (initial release of advisory)
CVE numbers:       CVE-2009-2695 CVE-2009-2908 CVE-2009-3228
                   CVE-2009-3286 CVE-2009-3547 CVE-2009-3613
                   CVE-2009-3612 CVE-2009-3620 CVE-2009-3621
                   CVE-2009-3726 CVE-2007-4567 CVE-2009-4536
                   CVE-2009-4537 CVE-2009-4538 CVE-2006-6304
                   CVE-2009-2910 CVE-2009-3080 CVE-2009-3556
                   CVE-2009-3889 CVE-2009-3939 CVE-2009-4020
                   CVE-2009-4021 CVE-2009-4138 CVE-2009-4141
                   CVE-2009-4272 CVE-2009-3563 CVE-2009-4355
                   CVE-2009-2409 CVE-2009-0590 CVE-2009-1377
                   CVE-2009-1378 CVE-2009-1379 CVE-2009-1386
                   CVE-2009-1387 CVE-2009-4212 CVE-2009-1384
                   CVE-2010-0097 CVE-2010-0290 CVE-2009-3736
                   CVE-2010-0001 CVE-2010-0426 CVE-2010-0427
                   CVE-2010-0382
- ------------------------------------------------------------------------

1. Summary

   ESXi update for ntp and ESX Console OS (COS) updates for COS
   kernel, openssl, krb5, gcc, bind, gzip, sudo.

2. Relevant releases

   VMware ESX 4.0.0 without patches ESX400-201005401-SG,
   ESX400-201005406-SG, ESX400-201005408-SG, ESX400-201005407-SG,
   ESX400-201005405-SG, ESX400-201005409-SG

3. Problem Description

 a. Service Console update for COS kernel

    Updated COS package "kernel" addresses the security issues that are
    fixed through versions 2.6.18-164.11.1.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2009-2695, CVE-2009-2908, CVE-2009-3228,
    CVE-2009-3286, CVE-2009-3547, CVE-2009-3613 to the security issues
    fixed in kernel 2.6.18-164.6.1

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2009-3612, CVE-2009-3620, CVE-2009-3621,
    CVE-2009-3726 to the security issues fixed in kernel 2.6.18-164.9.1.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2007-4567, CVE-2009-4536, CVE-2009-4537,
    CVE-2009-4538 to the security issues fixed in kernel 2.6.18-164.10.1

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2006-6304, CVE-2009-2910, CVE-2009-3080,
    CVE-2009-3556, CVE-2009-3889, CVE-2009-3939, CVE-2009-4020,
    CVE-2009-4021, CVE-2009-4138, CVE-2009-4141, and CVE-2009-4272 to
    the security issues fixed in kernel 2.6.18-164.11.1.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      ESX400-201005401-SG
    ESX            3.5       ESX      not applicable
    ESX            3.0.3     ESX      not applicable
    ESX            2.5.5     ESX      not applicable

    vMA            4.0       RHEL5    affected, patch pending

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 b. ESXi userworld update for ntp

    The Network Time Protocol (NTP) is used to synchronize the time of
    a computer client or server to another server or reference time
    source.

    A vulnerability in ntpd could allow a remote attacker to cause a
    denial of service (CPU and bandwidth consumption) by using
    MODE_PRIVATE to send a spoofed (1) request or (2) response packet
    that triggers a continuous exchange of MODE_PRIVATE error responses
    between two NTP daemons.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2009-3563 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           4.0       ESXi     ESXi400-201005401-SG
    ESXi           3.5       ESXi     affected, patch pending

    ESX            any       ESX      not applicable

    vMA            any       RHEL5    not applicable

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 c. Service Console package openssl updated to 0.9.8e-12.el5_4.1

    OpenSSL is a toolkit implementing SSL v2/v3 and TLS protocols with
    full-strength cryptography world-wide.

    A memory leak in the zlib could allow a remote attacker to cause a
    denial of service (memory consumption) via vectors that trigger
    incorrect calls to the CRYPTO_cleanup_all_ex_data function.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2009-4355 to this issue.

    A vulnerability was discovered which may allow remote attackers to
    spoof certificates by using MD2 design flaws to generate a hash
    collision in less than brute-force time. NOTE: the scope of this
    issue is currently limited because the amount of computation
    required is still large.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2009-2409 to this issue.

    This update also includes security fixes that were first addressed
    in version openssl-0.9.8e-12.el5.i386.rpm.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the names CVE-2009-0590, CVE-2009-1377, CVE-2009-1378,
    CVE-2009-1379, CVE-2009-1386 and CVE-2009-1387 to these issues.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      ESX400-201005401-SG
    ESX            3.5       ESX      not applicable
    ESX            3.0.3     ESX      not applicable
    ESX            2.5.5     ESX      not applicable

    vMA            4.0       RHEL5    affected, patch pending**

  *  hosted products are VMware Workstation, Player, ACE, Server, Fusion.
  ** see VMSA-2010-0004

 d. Service Console update for krb5 to 1.6.1-36.el5_4.1 and pam_krb5 to
    2.2.14-15.

    Kerberos is a network authentication protocol. It is designed to
    provide strong authentication for client/server applications by
    using secret-key cryptography.

    Multiple integer underflows in the AES and RC4 functionality in the
    crypto library could allow remote attackers to cause a denial of
    service (daemon crash) or possibly execute arbitrary code by
    providing ciphertext with a length that is too short to be valid.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2009-4212 to this issue.

    The service console package for pam_krb5 is updated to version
    pam_krb5-2.2.14-15. This update fixes a flaw found in pam_krb5. In
    some non-default configurations (specifically, where pam_krb5 would
    be the first module to prompt for a password), a remote attacker
    could use this flaw to recognize valid usernames, which would aid a
    dictionary-based password guess attack.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2009-1384 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      ESX400-201005406-SG
    ESX            3.5       ESX      affected, patch pending
    ESX            3.0.3     ESX      affected, patch pending
    ESX            2.5.5     ESX      affected, patch pending

    vMA            4.0       RHEL5    affected, patch pending

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 e. Service Console package bind updated to 9.3.6-4.P1.el5_4.2

    BIND (Berkeley Internet Name Daemon) is by far the most widely used
    Domain Name System (DNS) software on the Internet.

    A vulnerability was discovered which could allow remote attacker to
    add the Authenticated Data (AD) flag to a forged NXDOMAIN response
    for an existing domain.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2010-0097 to this issue.

    A vulnerability was discovered which could allow remote attackers
    to conduct DNS cache poisoning attacks by receiving a recursive
    client query and sending a response that contains CNAME or DNAME
    records, which do not have the intended validation before caching.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2010-0290 to this issue.

    A vulnerability was found in the way that bind handles out-of-
    bailiwick data accompanying a secure response without re-fetching
    from the original source, which could allow remote attackers to
    have an unspecified impact via a crafted response.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2010-0382 to this issue.

    NOTE: ESX does not use the BIND name service daemon by default.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      ESX400-201005408-SG
    ESX            3.5       ESX      not applicable
    ESX            3.0.3     ESX      not applicable
    ESX            2.5.5     ESX      not applicable

    vMA            4.0       RHEL5    affected, patch pending

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 f. Service Console package gcc updated to 3.2.3-60

    The GNU Compiler Collection includes front ends for C, C++,
    Objective-C, Fortran, Java, and Ada, as well as libraries for these
    languages

    GNU Libtool's ltdl.c attempts to open .la library files in the
    current working directory.  This could allow a local user to gain
    privileges via a Trojan horse file.  The GNU C Compiler collection
    (gcc) provided in ESX contains a statically linked version of the
    vulnerable code, and is being replaced.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2009-3736 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not applicable

    ESX            4.0       ESX      ESX400-201005407-SG
    ESX            3.5       ESX      affected, patch pending
    ESX            3.0.3     ESX      affected, patch pending
    ESX            2.5.5     ESX      affected, patch pending

    vMA            4.0       RHEL5    affected, patch pending

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 g. Service Console package gzip update to 1.3.3-15.rhel3

    gzip is a software application used for file compression

    An integer underflow in gzip's unlzw function on 64-bit platforms
    may allow a remote attacker to trigger an array index error
    leading to a denial of service (application crash) or possibly
    execute arbitrary code via a crafted LZW compressed file.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2010-0001 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      ESX400-201005405-SG
    ESX            3.5       ESX      affected, patch pending
    ESX            3.0.3     ESX      affected, patch pending
    ESX            2.5.5     ESX      affected, patch pending

    vMA            4.0       RHEL5    affected, patch pending

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 h. Service Console package sudo updated to 1.6.9p17-6.el5_4

    Sudo (su "do") allows a system administrator to delegate authority
    to give certain users (or groups of users) the ability to run some
    (or all) commands as root or another user while providing an audit
    trail of the commands and their arguments.

    When a pseudo-command is enabled, sudo permits a match between the
    name of the pseudo-command and the name of an executable file in an
    arbitrary directory, which allows local users to gain privileges
    via a crafted executable file.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2010-0426 to this issue.

    When the runas_default option is used, sudo does not properly set
    group memberships, which allows local users to gain privileges via
    a sudo command.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2010-0427 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      ESX400-201005409-SG
    ESX            3.5       ESX      not applicable
    ESX            3.0.3     ESX      not applicable
    ESX            2.5.5     ESX      not applicable

    vMA            4.0       RHEL5    affected, patch pending

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESX 4.0
   -------
   http://bit.ly/aqTCqn
   md5sum: ace37cd8d7c6388edcea2798ba8be939
   sha1sum: 8fe7312fe74a435e824d879d4f1ff33df25cee78
   http://kb.vmware.com/kb/1013127

   Note ESX400-201005001 contains the following security bulletins
   ESX400-201005404-SG (ntp), ESX400-201005405-SG (gzip),
   ESX400-201005408-SG (bind), ESX400-201005401-SG (kernel, openssl),
   ESX400-201005406-SG (krb5, pam_krb5), ESX400-201005402-SG (JRE),
   ESX400-201005403-SG (expat), ESX400-201005409-SG (sudo),
   ESX400-201005407-SG (gcc).

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2695
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2908
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3228
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3286
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3547
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3613
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3612
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3620
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3621
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3726
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4567
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4536
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4537
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4538
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6304
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2910
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3080
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3556
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3889
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3939
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4020
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4021
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4138
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4141
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4272
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4355
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0590
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1377
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1378
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1379
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1386
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1387
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4212
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1384
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0290
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0001
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0426
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0427
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0382

- ------------------------------------------------------------------------

6. Change log

2010-05-27  VMSA-2010-0009
Initial security advisory after release of patch 06 bulletins for ESX
4.0 on 2010-05-27

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)

iEYEARECAAYFAkv/V8IACgkQS2KysvBH1xnqNgCcCwwelsQK6DQjcTc2wnIPp0EW
E70An2gfkiCQ5FNqvf3y+kNredxyVZwI
=JW3s
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • VMSA-2010-0009 ESXi ntp and ESX Service Console third party updates VMware Security team (May 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault