Date: 18 March 2008
References: AL-2006.0074 AL-2006.0084 ESB-2008.0286 ESB-2012.1195
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AA-2008.0068 AUSCERT Advisory
[Win][Linux]
VMware Server and Workstation Multiple Vulnerabilities
18 March 2008
- ---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product: VMware Server 1.0.4 and earlier
VMware Workstation 6.0.2 and earlier
Operating System: Windows
Linux variants
Impact: Increased Privileges
Denial of Service
Create Arbitrary Files
Modify Arbitrary Files
Inappropriate Access
Reduced Security
Access: Remote/Unauthenticated
Existing Account
CVE Names: CVE-2006-4339 CVE-2006-2940 CVE-2006-2937
CVE-2006-4343
Member content until: Tuesday, April 15 2008
Ref: AL-2006.0074
AL-2006.0084
OVERVIEW:
VMware Server 1.0.5 and Workstation 6.0.3 have been released
fixing mulitple security vulnerabilities.
IMPACT:
Security issues fixed in VMware Server 1.0.5 include:
o "A security vulnerability in OpenSSL 0.9.7j could make
it possible to forge a RSA key signature. VMware Server
1.0.5 upgrades OpenSSL to version 0.9.7l to avoid this
vulnerability. bug 216497), RSA Signature Forgery
(CVE-2006-4339)" [1]
o "An internal security audit determined that a malicious
user could attain and exploit LocalSystem privileges
by causing the authd process to connect to a named
pipe that is opened and controlled by the malicious
user. In this situation, the malicious user could
successfully impersonate authd and attain privileges
under which authd is executing. bug 235420, (Foundstone
CODE-BUG-H-001)" [1]
o "An internal security audit determined that a malicious
user could exploit an insecurely created named pipe
object to escalate priviliges or create a denial-of-service
attack. bug 235833, (Foundstone CODE-BUG-H-002)" [1]
o "This release updates the libpng library to version
1.2.22 to remove various security vulnerabilities. bug
237049" [1]
o "A vulnerability in VMware Workstation running on
Windows allowed complete access to the host's file
system from a guest machine. This access included the
ability to create and modify executable files in
sensitive locations. bug 240000, (CORE-2007-0930)" [1]
o "The authd process read and honored the vmx.fullpath
variable in the user-writable file config.ini, creating
a security vulnerability. bug 241648" [1]
o "The config.ini file could be modified by non-administrator
to change the VMX launch path. This created a vulnerability
that could be exploited to escalate a user's privileges.
bug 241677" [1]
Security issues fixed in VMware Workstation 6.0.3 include:
o "On Windows hosts, if you have configured and enabled
a shared folder, it is possible for an attacker to
write arbitrary content from a guest system to arbitrary
locations on the host system (CORE-2007-0930). (bug
200360)" [2]
o "An internal security audit determined that a malicious
user could attain and exploit LocalSystem privileges
by causing the authd process to connect to a named
pipe that is opened and controlled by the malicious
user. (Foundstone CODE-BUG-H-001) In this situation,
the malicious user could successfully impersonate
authd and attain privileges under which Authd is
executing. (bug 193049)" [2]
o "This release updates the libpng library to version
1.2.22 to remove various security vulnerabilities. (bug
224453)" [2]
o "This release updates the OpenSSL library to address
various vulnerabilities to denial-of-service attacks
and buffer overflows. The Common Vulnerabilities and
Exposures project (cve.mitre.org) assigned the following
names to these issues: CVE-2006-2940, CVE-2006-2937,
CVE-2006-4343. (bug 216493)" [2]
o "Workstation 6.0.2 allowed anonymous console access
to the guest by means of the VIX API. This release,
Workstation 6.0.3, disables this feature. This means
that the Eclipse Integrated Virtual Debugger and the
Visual Studio Integrated Virtual Debugger will now
prompt for user account credentials to access a guest.
(bug 187785)" [2]
MITIGATION:
Upgrade to VMware Server to version 1.0.5 and Workstation
to version 6.0.3.
REFERENCES:
[1] VMware Server Release Notes
http://www.vmware.com/support/server/doc/releasenotes_server.html
[2] VMware Workstation 6.0 Release Notes
http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBR98f4Ch9+71yA2DNAQLJBwQAhGCPMMq7zDB6g7y797u5Yty/tsiC7/3q
doNrHcHdTyF/vcEDDBfgt9L9SDd5ntLoyjYBCasGMgCyivcm0C/kG+qhDyPB0JvJ
BSuqKgwlUst6vGnF5mmxK/FhHG/w6Qz/YylxfEJPUwoV0nO+lVor/TAh/jGXh4r4
ZMdPb6xxQ7w=
=Rm9P
-----END PGP SIGNATURE-----
|