ESB-2009.1644 - [Win][Linux] VMware: Cross-site scripting - Remote with user interaction

Date: 16 December 2009

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1644
        VMware vCenter, ESX patch and vCenter Lab Manager releases
                    address cross-site scripting issues
                             16 December 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          ESX 4.0 without patch ESX400-200911223-UG
                  vCenter 4.0 GA
                  VMware Server 2.0.2
                  VMware Lab Manager 2.x
                  VMware vCenter Lab Manager 3.x
                  VMware vCenter Lab Manager 4.0
                  VMware vCenter Stage Manager 1.x
Publisher:        VMware
Operating System: Windows
                  Linux variants
Impact/Access:    Cross-site Scripting -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2009-3731  

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2009-0017
Synopsis:          VMware vCenter, ESX patch and vCenter Lab Manager
                   releases address cross-site scripting issues
Issue date:        2009-12-15
Updated on:        2009-12-15 (initial release of advisory)
CVE numbers:       CVE-2009-3731
- - -----------------------------------------------------------------------

1. Summary

    VMware vCenter and ESX update releases address cross-site scripting
    issues in the Help functionality of WebAccess. A vCenter Lab Manager
    release addresses the same issues which are present in the online
    Help functionality of Lab Manager and Stage Manager.

2. Relevant releases

    ESX 4.0 without patch ESX400-200911223-UG
    vCenter 4.0 GA
    VMware Server 2.0.2
    VMware Lab Manager 2.x
    VMware vCenter Lab Manager 3.x
    VMware vCenter Lab Manager 4.0
    VMware vCenter Stage Manager 1.x

3. Problem Description

 a. WebWorks Help - Cross-site scripting vulnerability

    WebWorks Help is an output format that allows online Help to be
    delivered on multiple platforms and browsers, which makes it easy
    to publish information on the Web or on an enterprise intranet.
    WebWorks Help is used for creating the online help pages that are
    available in VMware WebAccess, Lab Manager and Stage Manager.

    WebWorks Help doesn't sufficiently sanitize incoming requests, which
    may result in cross-site scripting vulnerabilities in applications
    that are built with WebWorks Help.

    Exploitation of these vulnerabilities in VMware products requires
    tricking a user into clicking a malicious link or opening a malicious
    web page while they are logged in to vCenter, ESX or VMware
    Server using WebAccess, or logged in to Stage Manager or Lab
    Manager.

    Successful exploitation can lead to theft of user credentials. These
    vulnerabilities can be exploited remotely only if the attacker has
    access to the Service Console network.

    Security best practices provided by VMware recommend that the
    Service Console be isolated from the VM network. Please see
    http://www.vmware.com/resources/techresources/726 for more
    information on VMware security best practices.

    Client-side protection measures included with current browsers are not
    always able to prevent these attacks from being executed.

    VMware would like to thank Daniel Grzelak and Alex Kouzemtchenko of
    stratsec (www.stratsec.net) for finding and reporting this issue.
    VMware would also like to thank Ben Allums of WebWorks.com for working
    on the remediation of this issue with us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2009-3731 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.0       Windows  Update 1
    VirtualCenter  2.5       Windows  not affected
    VirtualCenter  2.0.2     Windows  not affected

    Workstation    any       any      not affected

    Player         any       any      not affected

    Server         2.0.2     any      VMware KB 1016594
    Server         1.0       any      not affected

    ACE            any       any      not affected

    Fusion         any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      ESX400-200911223-UG
    ESX            3.5       ESX      not affected
    ESX            3.0.3     ESX      not affected
    ESX            2.5.5     ESX      not affected

    vMA            4.0       RHEL5    not affected

    Lab Manager    any       any      Lab Manager 4.0.1

    Stage Manager  any       any      Lab Manager 4.0.1

   Note: The remediation provided by WebWorks.com is not applicable
         to VMware products.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   VMware vCenter Server 4 Update 1
   --------------------------------
   Version      4.0 Update 1
   Build Number 208156
   Release Date 2009/11/19
   Type         Product Binaries
   http://downloads.vmware.com/download/download.do?downloadGroup=VC40U1

   VMware vCenter Server 4 and modules
   File size: 1.8 GB
   File type: .iso
   MD5SUM: 057d55b32eb27fe5f3e01bc8d3df3bc5
   SHA1SUM: c90134418c2e4d3d6637d8bee44261300ad95ec1

   VMware vCenter Server 4 and modules
   File size: 1.5 GB
   File type: .zip
   MD5SUM: f843d9c19795eb3bc5a77f5c545468a8
   SHA1SUM: 9a7abd8e70bd983151e2ee40e1b3931525c4480c

   VMware vSphere Client and Host Update Utility
   File size: 113.8 MB
   File type: .exe
   MD5SUM: 6cc6b2c958e7e9529c284e48dfae22a9
   SHA1SUM: f4c19c63a75d93cffc57b170066358160788c959

   VMware vCenter Converter BootCD
   File size: 98.8 MB
   File type: .zip
   MD5SUM: 3df94eb0e93de76b0389132ada2a3799
   SHA1SUM: 5d7c04e4f9f8ae25adc8de5963fefd8a4c92464c

   VMware vCenter Converter CLI (Linux)
   File size: 36.9 MB
   File type: .tar.gz
   MD5SUM: 3766097563936ba5e03e87e898f6bd48
   SHA1SUM: 36d485bdb5eb279296ce8c8523df04bfb12a2cb4
 
   ESX 4.0
   -------
   ESX400-200911223-UG (Update 1a)
 
   https://hostupdate.vmware.com/software/VUM/OFFLINE/release-166-20091202-254879/ESX-4.0.0-update01a.zip
   md5sum: 99c1fcafbf0ca105ce73840d686e9914
   sha1sum: aa8a23416271bc28b6b8f6bdbe00045e36314ebb
   http://kb.vmware.com/kb/1014842

   To install an individual bulletin use esxupdate with the -b option.
   esxupdate --bundle=ESX-4.0.0-update01.zip -b ESX400-200911223-UG
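
   The verification step above, as an added example that is not part of
   the VMware advisory: a shell function that checks a downloaded file
   against both published digests and fails closed. The function names
   are assumptions; md5sum and sha1sum are the standard coreutils tools.

```shell
#!/bin/sh
# Added example (not from the advisory): verify a download against BOTH
# the MD5 and SHA1 values published for it before installing anything.

# Print the lowercase hex digest of a file. $1 = md5sum|sha1sum, $2 = file.
digest_of() {
    # Read via stdin so the tool's output carries no filename to parse around.
    "$1" < "$2" | awk '{ print tolower($1) }'
}

# verify_download FILE EXPECTED_MD5 EXPECTED_SHA1
# Returns 0 only if both digests match, 1 on any mismatch, and 2 if the
# file is unreadable or an expected value is malformed.
verify_download() {
    file=$1
    want_md5=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    want_sha1=$(printf '%s' "$3" | tr 'A-F' 'a-f')

    [ -f "$file" ] && [ -r "$file" ] || { echo "unreadable: $file" >&2; return 2; }

    # Reject values that were truncated or mangled when copied from e-mail.
    case $want_md5 in *[!0-9a-f]*|'') echo "bad MD5 value" >&2; return 2;; esac
    case $want_sha1 in *[!0-9a-f]*|'') echo "bad SHA1 value" >&2; return 2;; esac
    [ ${#want_md5} -eq 32 ] && [ ${#want_sha1} -eq 40 ] || {
        echo "bad digest length" >&2; return 2; }

    got_md5=$(digest_of md5sum "$file")
    got_sha1=$(digest_of sha1sum "$file")

    rc=0
    [ "$got_md5" = "$want_md5" ] || { echo "MD5 mismatch: got $got_md5" >&2; rc=1; }
    [ "$got_sha1" = "$want_sha1" ] || { echo "SHA1 mismatch: got $got_sha1" >&2; rc=1; }
    return $rc
}

# Usage with the ESX 4.0 Update 1a values listed above:
#   verify_download ESX-4.0.0-update01a.zip \
#       99c1fcafbf0ca105ce73840d686e9914 \
#       aa8a23416271bc28b6b8f6bdbe00045e36314ebb \
#     && echo "digests match"
```

   Run the function in the directory holding the download and proceed to
   the install step only when it returns 0.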

   VMware Server 2.0.2
   -------------------
   http://kb.vmware.com/kb/1016594

   Stage Manager
   -------------
   http://www.vmware.com/products/sm/faq.html

   Lab Manager 4.0.1
   -----------------
   http://downloads.vmware.com/download/download.do?downloadGroup=VLM401
   md5sum: b4d8f5637eaea59f028eafe62d0366ab
   sha1sum: a437726b45dce0a72fb5cbd3996a6d6f84e6c8df
 
   http://www.vmware.com/support/labmanager40/doc/releasenotes_labmanager401.html

5. References

   http://www.webworks.com/Security/2009-0001

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3731

- - ------------------------------------------------------------------------
6. Change log

2009-12-15  VMSA-2009-0017
Initial security advisory after publication of information by third
party vendor, WebWorks.com, on 2009-12-15.

- - -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2009 VMware Inc.  All rights reserved.


- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFLJ9Z2S2KysvBH1xkRAiiOAJ4+TWKnhkLYDiDargvqosRU6RHn1ACeJtXe
oEsepbtYQRxE45xLZgJnaAQ=
=F9Pg
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLKEmeNVH5XJJInbgRArA+AJ9jKrTx0bQvOlQTxaoIsKEYeUNg+ACcDmHd
V8FbYvE4TY4mNcJdeK35XLg=
=+7Ur
-----END PGP SIGNATURE-----