ESB-2012.0333.2 - UPDATE [VMware ESX] VMware: Multiple vulnerabilities

Date: 30 April 2012
References: ESB-2011.0910  ESB-2011.0923.2  ESB-2012.0001  ESB-2012.0049  ESB-2012.0415.4  ESB-2012.0538  

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2012.0333.2
            VMware ESXi and ESX address several security issues
                               30 April 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          VMware ESXi
                  VMware ESX
Publisher:        VMware
Operating System: VMware ESX Server
Impact/Access:    Root Compromise                 -- Remote/Unauthenticated
                  Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                  Increased Privileges            -- Existing Account      
                  Denial of Service               -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2012-1515 CVE-2011-4862 CVE-2011-4348
                  CVE-2011-3191 CVE-2011-2482 

Reference:        ESB-2012.0049
                  ESB-2012.0001
                  ESB-2011.0923.2
                  ESB-2011.0910

Revision History: April 30 2012: Updated security advisory after the release of 
                                 ESX 4.1 patch on 2012-04-26
                  March 30 2012: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2012-0006.1
Synopsis:    VMware ESXi and ESX address several security issues
Issue date:  2012-03-29
Updated on:  2012-04-26
CVE numbers: CVE-2012-1515, CVE-2011-2482, CVE-2011-3191, CVE-2011-4348
             CVE-2011-4862
 -----------------------------------------------------------------------
1. Summary

   VMware ESXi and ESX address several security issues.

2. Relevant releases

   ESXi 4.1 without patch ESXi410-201101201-SG
   ESXi 4.0 without patch ESXi400-201203401-SG
   ESXi 3.5 without patch ESXe350-201203401-I-SG

   ESX 4.1 without patch ESX410-201101201-SG
   ESX 4.0 without patches ESX400-201203401-SG, ESX400-201203407-SG
   ESX 3.5 without patch ESX350-201203401-SG

3. Problem Description

 a. VMware ROM Overwrite Privilege Escalation

    A flaw in the way port-based I/O is handled allows for modifying
    Read-Only Memory that belongs to the Virtual DOS Machine.
    Exploitation of this issue may lead to privilege escalation on Guest
    Operating Systems that run Windows 2000, Windows XP 32-bit, Windows
    Server 2003 32-bit or Windows Server 2003 R2 32-bit.

    VMware would like to thank Derek Soeder of Ridgeway Internet
    Security, L.L.C. for reporting this issue to us.
 
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2012-1515 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        any       Windows  not affected

    Workstation    8.x       any      not affected

    Player         4.x       any      not affected

    Fusion         4.x       Mac OS/X not affected

    ESXi           5.0       ESXi     not affected
    ESXi           4.1       ESXi     ESXi410-201101201-SG
    ESXi           4.0       ESXi     ESXi400-201203401-SG
    ESXi           3.5       ESXi     ESXe350-201203401-I-SG

    ESX            4.1       ESX      ESX410-201101201-SG
    ESX            4.0       ESX      ESX400-201203401-SG
    ESX            3.5       ESX      ESX350-201203401-SG

 b. ESX third party update for Service Console kernel

    The ESX Service Console Operating System (COS) kernel is updated
    to kernel-400.2.6.18-238.4.11.591731 to fix multiple security
    issues in the COS kernel.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2011-2482, CVE-2011-3191 and
    CVE-2011-4348 to these issues.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.1       ESX      See VMSA-2012-0008 **
    ESX            4.0       ESX      ESX400-201203401-SG
    ESX            3.5       ESX      not applicable

  * hosted products are VMware Workstation, Player, ACE, Fusion.

 ** One of the three issues, CVE-2011-2482, has already been
    addressed on ESX 4.1 in an earlier kernel patch. See
    VMSA-2012-0001 for details.
 
 c. ESX third party update for Service Console krb5 RPM

    This patch updates the krb5-libs and krb5-workstation RPMs to
    version 1.6.1-63.el5_7 to resolve a security issue.

    By default, the affected krb5-telnet and ekrb5-telnet services
    do not run. The krb5 telnet daemon is an xinetd service.

    You can run the following commands to check whether krb5 telnetd
    is enabled:

        /sbin/chkconfig --list krb5-telnet
        /sbin/chkconfig --list ekrb5-telnet

    The output of these commands shows whether krb5 telnet is enabled.

    You can run the following commands to disable the krb5 telnet
    daemon:

        /sbin/chkconfig krb5-telnet off
        /sbin/chkconfig ekrb5-telnet off
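
    One way to script the check described above, as an added example
    that is not part of VMware's advisory. It assumes chkconfig prints
    "<service> on|off" for an xinetd service; parse_state,
    audit_krb5_telnet and the sample_chkconfig stand-in are hypothetical
    names, and the stand-in's output is constructed.

```shell
#!/bin/sh
# Added example: audit the two krb5 telnet services named in the advisory.

# Classify captured `chkconfig --list <svc>` output as on, off or unknown.
# Assumed formats: "<svc>  on|off" for an xinetd service, or per-runlevel
# "N:on"/"N:off" fields for a SysV-style service.
parse_state() {
    case "$1" in
        *:on*)  echo on;  return ;;
        *:off*) echo off; return ;;
    esac
    set -- $1                      # split the line into words
    case "${2:-}" in
        on|off) echo "$2" ;;
        *)      echo unknown ;;    # empty output, error text, not installed
    esac
}

# Check both services. $1 is the chkconfig command (default /sbin/chkconfig).
# Returns 0 if both are off, 1 if either is on, 2 if a state is unreadable.
audit_krb5_telnet() {
    cmd=${1:-/sbin/chkconfig}
    rc=0
    for svc in krb5-telnet ekrb5-telnet; do
        out=$("$cmd" --list "$svc" 2>/dev/null) || out=
        state=$(parse_state "$out")
        echo "$svc: $state"
        if [ "$state" = on ]; then
            rc=1
            echo "  disable with: /sbin/chkconfig $svc off"
        elif [ "$state" = unknown ] && [ "$rc" -eq 0 ]; then
            rc=2
        fi
    done
    return "$rc"
}

# Constructed stand-in for /sbin/chkconfig so the script also runs off-host.
sample_chkconfig() {
    case "$2" in
        krb5-telnet)  printf '%-15s\t%s\n' "$2" off ;;
        ekrb5-telnet) printf '%-15s\t%s\n' "$2" on ;;
    esac
}

audit_krb5_telnet sample_chkconfig || echo "action needed (exit $?)"
```

    On an ESX service console, call audit_krb5_telnet with no argument
    so that it runs /sbin/chkconfig itself.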

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2011-4862 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.1       ESX      not applicable
    ESX            4.0       ESX      ESX400-201203407-SG
    ESX            3.5       ESX      not applicable

  * hosted products are VMware Workstation, Player, ACE, Fusion.

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   ESXi 4.1
   --------
   update-from-esxi4.1-4.1_update01
   md5sum: 2f1e009c046b20042fae3b7ca42a840f
   sha1sum: 1c9c644012dec657a705ddd3d033cbfb87a1fab1
   http://kb.vmware.com/kb/1027919

   update-from-esxi4.1-4.1_update01 contains ESXi410-201101201-SG

   ESXi 4.0
   --------
   ESXi400-201203001
   md5sum: 8054b2e7c9cd024e492ac5c1fb9c1e72
   sha1sum: 6150fee114d70603ccae399f42b905a6b1a7f3e1
   http://kb.vmware.com/kb/2011777

   ESXi400-201203001 contains ESXi400-201203401-SG

   ESXi 3.5
   --------
   ESXe350-201203401-O-SG
   md5sum: 44124458684d6d1b957b4e39cbe97d77
   sha1sum: 2255311bc6c27e127e075040eb1f98649b5ce8be
   http://kb.vmware.com/kb/2009160

   ESXe350-201203401-O-SG contains ESXe350-201203401-I-SG
   
   ESX 4.1
   -------
   update-from-esx4.1-4.1_update01
   md5sum: 2d81a87e994aa2b329036f11d90b4c14
   sha1sum: c2bfc0cf7ac03d24afd5049ddbd09a865aad1798
   http://kb.vmware.com/kb/1027904

   update-from-esx4.1-4.1_update01 contains ESX410-201101201-SG
   
   ESX 4.0
   -------
   ESX400-201203001
   md5sum: 02b7e883e8b438b83bf5e53a1be71ad3
   sha1sum: 34734a8edba225a332731205ee2d6575ad9e1c88
   http://kb.vmware.com/kb/2011767

   ESX400-201203001 contains ESX400-201203401-SG and ESX400-201203407-SG

   ESX 3.5
   -------
   ESX350-201203401-SG
   md5sum: 07743c471ce46de825c36c2277ccd500
   sha1sum: cb77e6f820e1015311bf2386b240fd84f0ad04dd
   http://kb.vmware.com/kb/2009155

   
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1515
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2482
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3191
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4348
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862

 -----------------------------------------------------------------------

6. Change log

   2012-03-29 VMSA-2012-0006
   Initial security advisory in conjunction with the release of patches
   for ESX 4.0 on 2012-03-29.

   2012-04-26 VMSA-2012-0006.1
   Updated security advisory after the release of ESX 4.1 patch on
   2012-04-26.


 -----------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2012 VMware Inc.  All rights reserved.

- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFPmi0NDEcm8Vbi9kMRAuxTAKDVBDUJkmeriVqgGxkZ5magNJcSNwCeOCLG
HBnJwBfCBWZv1wpaM4HFiOo=
=mJVE
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================