copyright
|
disclaimer
|
privacy
|
contact
HOME
About
AusCERT
Membership
Contact Us
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
Login »
Become a member »
Home
»
Security Bul...
»
Security Bul...
»
AusCERT Exte...
» ESB-2010.0871.2 - UPDATE [Win][UNIX/Linux] VMWare Wo...
ESB-2010.0871.2 - UPDATE [Win][UNIX/Linux] VMWare Workstation, Player and ACE Managerment Server: Multiple vulnerabilities
Date:
21 September 2011
References
:
ASB-2010.0081
ESB-2010.0277
ESB-2010.0621
Click here for printable version
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2010.0871.2 VMware Workstation, Player, and ACE address several security issues 21 September 2011 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: VMware Workstation 7.1.1 and earlier VMware Player 3.1.1 and earlier VMware ACE Management Server 2.7.1 and earlier Publisher: VMWare Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Denial of Service -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2010-3277 CVE-2010-2249 CVE-2010-1205 CVE-2010-0434 CVE-2010-0425 CVE-2010-0205 Reference: ASB-2010.0081 ESB-2010.0621 ESB-2010.0277 Revision History: September 21 2011: libpng has been updated in Workstation 6.5.5 and Player 2.5.5 September 27 2010: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2010-0014.1 Synopsis: VMware Workstation, Player, and ACE address several security issues. Issue date: 2010-09-23 Updated on: 2011-09-19 CVE numbers: CVE-2010-3277 CVE-2010-1205 CVE-2010-0205 CVE-2010-2249 CVE-2010-0434 CVE-2010-0425 - - ------------------------------------------------------------------------ 1. Summary VMware Workstation and Player address a potential installer security issue and security issues in libpng. VMware ACE Management Server (AMS) for Windows updates Apache httpd. 2. Relevant releases VMware Workstation 7.1.1 and earlier, VMware Workstation 6.5.4 and earlier, VMware Player 3.1.1 and earlier, VMware Player 2.5.4 and earlier, VMware ACE Management Server 2.7.1 and earlier, Note: VMware Server was declared End Of Availability on January 2010, support will be limited to Technical Guidance for the duration of the support term. 3. Problem Description a. VMware Workstation and Player installer security issue The Workstation 7.x and Player 3.x installers will load an index.htm file located in the current working directory on which Workstation 7.x or Player 3.x is being installed. This may allow an attacker to display a malicious file if they manage to get their file onto the system prior to installation. The issue can only be exploited at the time that Workstation 7.x or Player 3.x is being installed. Installed versions of Workstation and Player are not affected. The security issue is no longer present in the installer of the new versions of Workstation 7.x and Player 3.x (see table below for the version numbers). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-3277 to this issue. VMware would like to thank Alexander Trofimov and Marc Esher for independently reporting this issue to VMware. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 7.x any 7.1.2 build 301548 or later * Workstation 6.5.x any not affected Player 3.x any 3.1.2 build 301548 or later * Player 2.5.x any not affected AMS any any not affected Server any any not affected Fusion any Mac OS/X not affected ESXi any ESXi not affected ESX any ESX not affected * Note: This only affects the installer, if you have a version of Workstation or Player installed you are not vulnerable. b. Third party libpng updated to version 1.2.44 A buffer overflow condition in libpng is addressed that could potentially lead to code execution with the privileges of the application using libpng. Two potential denial of service issues are also addressed in the update. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-1205, CVE-2010-0205, CVE-2010-2249 to these issues. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 7.1.x any 7.1.2 build 301548 or later Workstation 6.5.x any 6.5.5 Build 328052 or later Player 3.1.x any 3.1.2 build 301548 or later Player 2.5.x any 2.5.5 Build 328052 or later AMS any any not affected Server any any affected, no patch planned Fusion any Mac OS/X not affected ESXi any ESXi not affected ESX any ESX not affected c. VMware ACE Management Server (AMS) for Windows updates Apache httpd version 2.2.15. A function in Apache HTTP Server when multithreaded MPM is used does not properly handle headers in subrequests in certain circumstances which may allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request. The Apache mod_isapi module can be forced to unload a specific library before the processing of a request is complete, resulting in memory corruption. This vulnerability may allow a remote attacker to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0434 and CVE-2010-0425 to the issues addressed in this update. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation any any not affected Player any any not affected AMS any Windows 2.7.2 build 301548 or later AMS any Linux affected, patch pending * Server any any not affected Fusion any Mac OS/X not affected ESXi any ESXi not affected ESX any ESX not affected * Note CVE-2010-0425 is not applicable to AMS running on Linux 4. Solution Please review the patch/release notes for your product and version and verify the md5sum and/or the sha1sum of your downloaded file. VMware Workstation 7.1.2 ------------------------ www.vmware.com/download/ws/ Release notes: downloads.vmware.com/support/ws71/doc/releasenotes_ws712.html Workstation for Windows 32-bit and 64-bit with VMware Tools md5sum: 2e9715ec297dc3ca904ad2707d3e2614 sha1sum: 55b2b99f67c3dacd402fb9880999086efd264e7a Workstation for Windows 32-bit and 64-bit without VMware Tools md5sum: 066929f59aef46f11f4d9fd6c6b36e4d sha1sum: def776a28ee1a21b1ad26e836ae868551fff6fc3 Workstation 6.5.5 ----------------- http://www.vmware.com/download/ws/ Release notes: http://downloads.vmware.com/support/ws65/doc/releasenotes_ws655.html Workstation for Windows 32-bit and 64-bit md5sum: 7bff9b621529efb0de808a45e7821274 sha1sum: 41af7a9a78717cb85dd30b4d830e99fd5de49cc1 Workstation for Linux 32-bit (rpm) md5sum: 17c3f1a0e6ccf2b1e224a5d75c845a47 sha1sum: 3027b4e2215fae84fa9311f8cd762fee17e89df0 Workstation for Linux 32-bit (bundle) md5sum: 7c24811fb999204f144d8b9f50e9fcae sha1sum: 18a05e6f4f772b7f0563dbd17596b66d1db8e9fa Workstation for Linux 64-bit (rpm) md5sum: c25c2535d8091c4d46701ed081347901 sha1sum: f4356bc224ea9805dac2d4b677f88a2f4220353e Workstation for Linux 64-bit (bundle) md5sum: 7012bdaf182d256672ff2eb24b00a40f sha1sum: 58ecb2a494d4c7cc663e2028cf76c13d458fecac VMware Player 3.1.2 ------------------- www.vmware.com/download/player/ Release notes: downloads.vmware.com/support/player31/doc/releasenotes_player312.html VMware Player for Windows 32-bit and 64-bit md5sum: 3f289cb33af5e425c92d8512fb22a7ba sha1sum: bf67240c1f410ebeb8dcb4f6d7371334bf9a6b70 VMware Player for Linux 32-bit md5sum: 11e3e3e8753e1d9abbbb92c4e3c1dfe8 sha1sum: dd1dbcdb1f4654eefc11472b68934dcb69842749 VMware Player for Linux 64-bit md5sum: 2ab08e0d4050719845a64d334ca15bb1 sha1sum: f024ad84ec831fce8667dfa9601851da5d9fa59c VMware Player 2.5.5 ------------------- www.vmware.com/download/player/ Release notes: https://www.vmware.com/support/player25/doc/releasenotes_player255.html VMware Player 2.5.5 for Windows 32-bit and 64-bit md5sum: 780b2c4e2b1610dea3090b1cd81d5ad7 sha1sum: f6c451a11a4fe66e5a465de960de1358e83b8314 VMware Player 2.5.5 for Linux 32-bit (rpm) md5sum: 9e13ee3904bd2377ffb8cfa66460fe92 sha1sum: 2482acad19f6b23cf0c236d1ce87d4805b7b0e6c VMware Player 2.5.5 for Linux 32-bit (bundle) MD5SUM: 46dcfe9343f688d60e249d9e9c3853a4 SHA1SUM: abfdeaf2cac83c630662607e7b95439367376abf VMware Player 2.5.5 for Linux 64-bit (rpm) MD5SUM: 52d6dcdeed9e564c8cfe8c35cec885f0 SHA1SUM: dbaa6dac55f592b9c6b16d7505796a2580836f4b VMware Player 2.5.5 for Linux 64-bit (bundle) md5sum: 6c9a677820010ccd20f829cb5d2c057b sha1sum: ff6eccba3125229e8adbc1cb96764c2f116d89c5 VMware ACE Management Server 2.7.2 ---------------------------------- downloads.vmware.com/d/info/desktop_downloads/vmware_ace/2_7 Release notes: downloads.vmware.com/support/ace27/doc/releasenotes_ace272.html ACE Management Server for Windows md5sum: 02f0072b8e48a98ed914b633f070d550 sha1sum: 94a68eac4a328d21a741879b9d063227c0dc1ce4 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3277 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1205 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2249 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0434 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0425 - - ------------------------------------------------------------------------ 6. Change log 2010-09-23 VMSA-2010-0014 Initial security advisory after release of Workstation 7.1.2, Player 3.1.2 and ACE Management Server 2.7.2 on 2010-09-23 2011-09-19 VMSA-2010-0014.1 Updated security advisory to reflect that the third party library libpng has been updated in Workstation 6.5.5 and Player 2.5.5 released on 2010-12-02. - - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: kb.vmware.com/kb/1055 VMware Security Center www.vmware.com/security VMware Security Advisories www.vmware.com/security/advisories VMware security response policy www.vmware.com/support/policies/security_response.html General support life cycle policy www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy www.vmware.com/support/policies/eos_vi.html - -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFOeSpODEcm8Vbi9kMRAlfJAKCCOUAqrLMKbXxVHBudzID1oQPwRQCg0jKN HRJOmuZ+O79hf/7/paGLKLE= =7NU4 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBTnlRbu4yVqjM2NGpAQL5PQ//SIWTzSqPQY8FLkHGLxMCUaWPChfq8iZV jGBsMJ0KCbuF0eCp8VFcvenNDSx8KasJT3xAJQJ6RKWKtxegl7u4WX+l0SS28++a qg9XkfzavYBHWN48ol0y5yZ6z/FGR8UogDWl9fRcl7wuyg06T8OKEoeAhFQGQGoh 1RmwdBDTwr0UJa7VAT9lKjkOArae3VsxXaf8pH81uzH1vZ8AICd/8L3ZDq24kt6Z lm4ih4v13vvngrGQCmCC+4hKK4SAFWlPGTaHF3aypeUDW1xajdvWsBKeHSNVayr6 ioJKCsMO8f5HPDug+sPtHReZEv4YOOYEhbCsX8LU7thWvyn54L2XV5+C+6igUv1q ZFrA4wKW33Ce0Hw75AM8vB4rCbLgZECp5/mlbpUGRjofyJqvyd6o161XB4zvrBG6 OFXlPdB7O5COyxwBnfMO+kreu/z1dJzfGm/zKIBJHK9rDF+SOna8qD8UmY0E2GzO 73GVeMGzowJxHlY66Ed6UPKvdFZAbTZODXLrf8ESTScGab0gtKNfy97H1TDodQLQ FlLwnOglG4MoLPYbhA5WMgNUlzc0g7ikUKKNJHR6C9forlGW0BTaMSkPQONGgyVE 67Ybsfm0ah8uBGBssNYXWO269t1kSGzJ2mC1fxgH2VyY0v7j0tWMViyZNfCq0MSL HRsnsgBntkc= =9xa1 -----END PGP SIGNATURE-----
Comments? Click here
http://www.auscert.org.au/render.html?cid=1980&it=13403