Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

VMSA-2012-0009 VMware Workstation, Player, ESXi and ESX patches address critical security issues
From: VMware Security Team <security () vmware com>
Date: Thu, 03 May 2012 08:46:28 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 -----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2012-0009
Synopsis:    VMware Workstation, Player, ESXi and ESX patches address
             critical security issues
Issue date:  2012-05-03
Updated on:  2012-05-03 (initial advisory)
CVE numbers: CVE-2012-1516, CVE-2012-1517, CVE-2012-2448, CVE-2012-2449,
             CVE-2012-2450
 -----------------------------------------------------------------------
1. Summary

   VMware Workstation, Player, ESXi and ESX patches address critical
   security issues

2. Relevant releases

   Workstation 8.0.2

   Player 4.0.2

   Fusion 4.1.2
   
   ESXi 5.0 without patch ESXi500-201205401-SG
   ESXi 4.1 without patches ESXi410-201205401-SG, ESXi410-201110201-SG,
                            ESXi410-201201401-SG
   ESXi 4.0 without patches ESXi400-201105201-UG, ESXi400-201205401-SG
   ESXi 3.5 without patch ESXe350-201205401-I-SG

   ESX 4.1 without patches ESX410-201205401-SG, ESX410-201110201-SG,
                           ESX410-201201401-SG
   ESX 4.0 without patches ESX400-201105201-UG, ESX400-201205401-SG
   ESX 3.5 without patch ESX350-201205401-SG

3. Problem Description

 a. VMware host memory overwrite vulnerability (data pointers)

    Due to a flaw in the handler function for RPC commands, it is
    possible to manipulate data pointers within the VMX process.
    This vulnerability may allow a guest user to crash the VMX
    process or potentially execute code on the host.

    Workaround
    - Configure virtual machines to use less than 4 GB of memory.
      Virtual machines that have less than 4GB of memory are
      not affected.

    Mitigation
    - Do not allow untrusted users access to your virtual machines.
      Root or Administrator level permissions are not required to
      exploit this issue.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2012-1516 to this issue.

    VMware would like to thank Derek Soeder of Ridgeway Internet
    Security, L.L.C. for reporting this issue to us.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        any       Windows  not affected

    Workstation    8.x       any      not affected
                  
    Player         4.x       any      not affected
                  
    Fusion         4.x       Mac OS/X not affected

    ESXi           5.0       ESXi     not affected
    ESXi           4.1       ESXi     ESXi410-201110201-SG  
    ESXi           4.0       ESXi     ESXi400-201105201-UG
    ESXi           3.5       ESXi     ESXe350-201205401-I-SG

    ESX            4.1       ESX      ESX410-201110201-SG
    ESX            4.0       ESX      ESX400-201105201-UG
    ESX            3.5       ESX      ESX350-201205401-SG

 b. VMware host memory overwrite vulnerability (function pointers)

    Due to a flaw in the handler function for RPC commands, it is
    possible to manipulate function pointers within the VMX process.
    This vulnerability may allow a guest user to crash the VMX
    process or potentially execute code on the host.

    Workaround
    - None identified

    Mitigation
    - Do not allow untrusted users access to your virtual machines.
      Root or Administrator level permissions are not required to
      exploit this issue.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2012-1517 to this issue.

    VMware would like to thank Derek Soeder of Ridgeway Internet
    Security, L.L.C. for reporting this issue to us.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        any       Windows  not affected

    Workstation    8.x       any      not affected
                  
    Player         4.x       any      not affected
                  
    Fusion         4.x       Mac OS/X not affected

    ESXi           5.0       ESXi     not affected
    ESXi           4.1       ESXi     ESXi410-201201401-SG  
    ESXi           4.0       ESXi     not affected
    ESXi           3.5       ESXi     not affected

    ESX            4.1       ESX      ESX410-201201401-SG  
    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      not affected

 c. ESX NFS traffic parsing vulnerability

    Due to a flaw in the handling of NFS traffic, it is possible to
    overwrite memory. This vulnerability may allow a user with access to
    the network to execute code on the ESXi/ESX host without
    authentication. The issue is not present in cases where there is no
    NFS traffic.

    Workaround
    - None identified

    Mitigation
    - Connect only to trusted NFS servers
    - Segregate the NFS network
    - Harden your NFS server

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2012-2448 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        any       Windows  not affected

    Workstation    8.x       any      not affected
                  
    Player         4.x       any      not affected
                  
    Fusion         4.x       Mac OS/X not affected

    ESXi           5.0       ESXi     ESXi500-201205401-SG
    ESXi           4.1       ESXi     ESXi410-201205401-SG
    ESXi           4.0       ESXi     ESXi400-201205401-SG
    ESXi           3.5       ESXi     ESXe350-201205401-I-SG

    ESX            4.1       ESX      ESX410-201205401-SG
    ESX            4.0       ESX      ESX400-201205401-SG
    ESX            3.5       ESX      ESX350-201205401-SG

 d. VMware floppy device out-of-bounds memory write

    Due to a flaw in the virtual floppy configuration it is possible
    to perform an out-of-bounds memory write. This vulnerability may allow
a
    guest user to crash the VMX process or potentially execute code
    on the host.

    Workaround
    - Remove the virtual floppy drive from the list of virtual IO
      devices. The VMware hardening guides recommend removing unused
      virtual IO devices in general.

    Mitigation
    - Do not allow untrusted root users in your virtual machines. Root or
      Administrator level permissions are required to exploit this
      issue.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2012-2449 to this issue.
 
    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        any       Windows  not affected

    Workstation    8.x       any      8.0.3 or later
                  
    Player         4.x       any      4.0.3 or later
                  
    Fusion         4.x       Mac OS/X patch pending **

    ESXi           5.0       ESXi     ESXi500-201205401-SG
    ESXi           4.1       ESXi     ESXi410-201205401-SG
    ESXi           4.0       ESXi     ESXi400-201205401-SG
    ESXi           3.5       ESXi     ESXe350-201205401-I-SG

    ESX            4.1       ESX      ESX410-201205401-SG
    ESX            4.0       ESX      ESX400-201205401-SG
    ESX            3.5       ESX      ESX350-201205401-SG

 ** A workaround for the issue is listed above.

 e. VMware SCSI device unchecked memory write

    Due to a flaw in the SCSI device registration it is possible
    to perform an unchecked write into memory. This vulnerability may
    allow a guest user to crash the VMX process or potentially execute
    code on the host.

    Workaround
    - Remove the virtual SCSI controller from the list of virtual IO
      devices. The VMware hardening guides recommend removing unused
      virtual IO devices in general.

    Mitigation
    - Do not allow untrusted root users access to your virtual machines.
      Root or Administrator level permissions are required to exploit
      this issue.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2012-2450 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        any       Windows  not affected

    Workstation    8.x       any      8.0.3 or later
                  
    Player         4.x       any      4.0.3 or later
                  
    Fusion         4.x       Mac OS/X 4.1.2 or later

    ESXi           5.0       ESXi     ESXi500-201205401-SG
    ESXi           4.1       ESXi     ESXi410-201205401-SG
    ESXi           4.0       ESXi     ESXi400-201205401-SG
    ESXi           3.5       ESXi     ESXe350-201205401-I-SG

    ESX            4.1       ESX      ESX410-201205401-SG
    ESX            4.0       ESX      ESX400-201205401-SG
    ESX            3.5       ESX      ESX350-201205401-SG

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   Workstation 8.0.3
   -----------------
   http://www.vmware.com/go/downloadworkstation

   Release notes:
 
https://www.vmware.com/support/ws80/doc/releasenotes_workstation_803.html

   VMware Workstation for Windows 32-bit and 64-bit with VMware Tools
   md5sum: c8cabe876ab629f27e47cea02f0d4def
   sha1sum: 815c2b2b9b0e5fd089ed19da15a272671eb405bd

   VMware Workstation for Linux 32-bit with VMware Tools
   md5sum: 968c0785ddb96058e808117730d7c3ad
   sha1sum: 08ac903c012ef887bf45b3f9f83a4d3200fe25d1

   VMware Workstation for Linux 64-bit with VMware Tools
   md5sum: aa9ce2d953f21f9d902de00ffd2fcb5c
   sha1sum: b8d189b6717d49abc49401fc4ad50b187ff2e813
      
   Player 4.0.3
   ------------
   http://www.vmware.com/go/downloadplayer

   Release notes:
   https://www.vmware.com/support/player40/doc/releasenotes_player403.html

   VMware Player for Windows 32-bit and 64-bit
   md5sum: f2259a257a5099cdce5e1ce76512f599
   sha1sum: 96badcaac81e1dfeaaac49d1a5bb6b1e13956266

   VMware Player for Linux 32-bit
   md5sum: 4012e897a77a1c69dd18fbcdde6cf269
   sha1sum: 1c00cde50dc6c651393c85db6449010cf552c3eb

   VMware Player for Linux 64-bit
   md5sum: 857edd0695b3b31713f9ea1b0a65f2b6
   sha1sum: 83c4365f4b43713e8cee13998c394331990a0fd3
      
   ESXi and ESX
   ------------
   http://downloads.vmware.com/go/selfsupport-download
    
   Note: In case multiple patches are listed below, the most
   recent patch is listed on top. The most recent patch includes
   fixes for the issues that are addressed in the older patches.

   ESXi 5.0
   --------
   ESXi500-201205001
   md5sum: 4a1de58656980271d79a32107cba75cf
   sha1sum: 5f23b318df3476002877c37f2970093dc2217d75
   http://kb.vmware.com/kb/2019857
   ESXi500-201205001 contains ESXi500-201205401-SG

   ESXi 4.1
   --------
   ESXi410-201205001
   md5sum: 5a37d83fc2a96483c94b3087387b3e9c
   sha1sum: 9999f578163ffc9ada809e985a6e5d42b83e2be6
   http://kb.vmware.com/kb/2019860
   ESXi410-201205001 contains ESXi410-201205401-SG

   ESXi410-201201001
   md5sum: bdf86f10a973346e26c9c2cd4c424e88
   sha1sum: cc0b92869a9aae4f5e0e5b81bee109bcd7da780f
   http://kb.vmware.com/kb/2009137
   ESXi410-201201001 contains ESXi410-201201401-SG

   update-from-esxi4.1-4.1_update02
   md5sum:57e34b500ce543d778f230da1d44e412
   sha1sum:52f4378e2f1a29c908493182ccbde91d58b4112f
   http://kb.vmware.com/kb/2002338
   update-from-esxi4.1-4.1_update02 contains ESXi410-201110201-SG

   ESXi 4.0
   --------
   ESXi400-201205001
   md5sum: 96808908b8ff82460a6cbd9b4c501dd4
   sha1sum: df0256c4ff71f4e7af507e956a496390c7a84597
   http://kb.vmware.com/kb/2019855
   ESXi400-201205001 contains ESXi400-201205401-SG

   update-from-esxi4.0-4.0_update03
   md5sum: 01bb395825b55b21ec5ea9a5e2ec2c4b
   sha1sum: ca49bbf154278568a71caf1a5288ac9239dfaf7f
   http://kb.vmware.com/kb/1031736
   update-from-esxi4.0-4.0_update03 contains ESXi400-201105201-UG

   ESXi 3.5
   --------
   ESXe350-201205401-O-SG
   md5sum: e2f017e7ef9a1c0ed5e70dbc97ec62d3
   sha1sum: 8dab4731acd4e257cc1701aa0a88373727a9e3ae
   http://kb.vmware.com/kb/2019538

   ESXe350-201205401-O-SG contains ESXe350-201205401-I-SG

   ESX 4.1
   -------
   ESX410-201205001
   md5sum: 0445d053cacee38338b6cc57efae093b
   sha1sum: 40720a3be86dd3c9e0bed29c95e0f0a4e34e4cce
   http://kb.vmware.com/kb/2019859
   ESX410-201205001 contains ESX410-201205401-SG

   ESX410-201201001
   md5sum: 16df9acd3e74bcabc2494bc23ad0927f
   sha1sum: 1066ae1436e1a75ba3d541ab65296cfb9ab7a5cc
   http://kb.vmware.com/kb/2009080
   ESX410-201201001 contains ESX410-201201401-SG

   ESX 4.0
   -------
   ESX400-201205001
   md5sum: ff0451d353916cc5aebdabf15f4941cc
   sha1sum: 8485bc41f23e214940e2b618958293ef74eb425f
   http://kb.vmware.com/kb/2019853
   ESX400-201205001 contains ESX400-201205401-SG

   update-from-esx4.0-4.0_update03
   md5sum: 329b08d80d56b0965b84251c552970ba
   sha1sum: 2e7285d0cbfd666ab9d745a76f639eccb55c1b2a
   http://kb.vmware.com/kb/1031732
   update-from-esx4.0-4.0_update03 contains ESX400-201105201-UG

   ESX 3.5
   -------
   ESX350-201205401-SG
   md5sum: e7d519fccf34a9bd9ff73cbef9247e31
   sha1sum: b5a1a50bf116fb900768a8882bc77adb93b3a182
   http://kb.vmware.com/kb/2019535

      
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1516
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1517
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2448
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2449
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2450

 -----------------------------------------------------------------------

6. Change log

   2012-05-03 VMSA-2012-0009
   Initial security advisory in conjunction with the release of
   Workstation 8.0.3, Player 4.0.3 and patches for ESXi and ESX 3.5,
   4.0, 4.1 and 5.0 on 2012-05-03.

 -----------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2012 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFPoqeMDEcm8Vbi9kMRArVAAJ4/gq2fVUj0y5hP0Bwt3tNkqpGwGQCfac1V
xkgqRXKeGCKRbmMR8blc8zQ=
=HLeh
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • VMSA-2012-0009 VMware Workstation, Player, ESXi and ESX patches address critical security issues VMware Security Team (May 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault