copyright
|
disclaimer
|
privacy
|
contact
HOME
About
AusCERT
Membership
Contact Us
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
Login »
Become a member »
Home
»
Security Bul...
»
Security Bul...
»
AusCERT Exte...
» ESB-2012.0371 - [Win][VMware ESX][UNIX/Linux] VMware...
ESB-2012.0371 - [Win][VMware ESX][UNIX/Linux] VMware products: Increased privileges - Existing account
Date:
13 April 2012
Click here for printable version
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2012.0371 Vulnerability addressed in VMware vCenter, Workstation, Player, Fusion, ESXi and ESX 13 April 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: VMware ESXi VMware ESX VMware vCenter VMware Workstation VMware Player VMware Fusion Publisher: VMware Operating System: Windows UNIX variants (UNIX, Linux, OSX) VMWare ESX Server Impact/Access: Increased Privileges -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2012-1518 Original Bulletin: http://www.vmware.com/security/advisories/VMSA-2012-0007.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2012-0007 Synopsis: VMware hosted products and ESXi/ESX patches address privilege escalation Issue date: 2012-04-12 Updated on: 2012-04-12 (initial advisory) CVE numbers: CVE-2012-1518 ----------------------------------------------------------------------- 1. Summary VMware hosted products and ESXi/ESX patches address privilege escalation. 2. Relevant releases Workstation 8.0.1 and earlier Player 4.0.1 and earlier Fusion 4.1.1 and earlier ESXi 5.0 without patch ESXi500-201203102-SG ESXi 4.1 without patch ESXi410-201201402-BG ESXi 4.0 without patch ESXi400-201203402-BG ESXi 3.5 without patch ESXe350-201203402-T-BG ESX 4.1 without patch ESX410-201201401-SG ESX 4.0 without patch ESX400-201203401-SG ESX 3.5 without patch ESX350-201203402-BG 3. Problem Description a. VMware Tools Incorrect Folder Permissions Privilege Escalation The access control list of the VMware Tools folder is incorrectly set. Exploitation of this issue may lead to local privilege escalation on Windows-based Guest Operating Systems. VMware would like to thank Tavis Ormandy for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1518 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch * ============= ======== ======= ================= vCenter any Windows not affected Workstation 8.x any 8.0.2 or later Player 4.x any 4.0.2 or later Fusion 4.x Mac OS/X 4.1.2 or later ** ESXi 5.0 ESXi ESXi500-201203102-SG ESXi 4.1 ESXi ESXi410-201201402-BG ESXi 4.0 ESXi ESXi400-201203402-BG ESXi 3.5 ESXi ESXe350-201203402-T-BG ESX 4.1 ESX ESX410-201201401-SG ESX 4.0 ESX ESX400-201203401-SG ESX 3.5 ESX ESX350-201203402-BG * Notes on updating VMware Guest Tools: After the update or patch is applied, VMware Guest Tools must be updated in any pre-existing Windows-based Guest Operating System. Windows-Based Virtual Machines that have moved to Workstation 8, Player 4 or Fusion 4 from a lower version of Workstation, Player or Fusion are affected. ** The built-in update feature of Fusion can be used immediately to upgrade to 4.1.2. The Web download of Fusion 4.1.2 will be available on 2012-04-14. 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. Workstation 8.0.2 ----------------- http://www.vmware.com/go/downloadworkstation Release notes: https://www.vmware.com/support/ws80/doc/releasenotes_workstation_802.html VMware Workstation for Windows 32-bit and 64-bit with VMware Tools md5sum: 912df11644fccac439b6fc5f80af5cdb sha1sum: 67af885d20a30f6074e2511f89ffff4fee321880 VMware Workstation for Linux 32-bit with VMware Tools md5sum: 121b026836091e6d06b09588afbbb4ed sha1sum: 94c4d04b7b24ae03ead29f17445d576173d40bb4 VMware Workstation for Linux 64-bit with VMware Tools md5sum: 0f41ba61117704201cfe99892405e179 sha1sum: 6ad52e8f0768e279639cd41abeda4f9358b40d0f Player 4.0.2 ------------- http://www.vmware.com/go/downloadplayer Release notes: https://www.vmware.com/support/player40/doc/releasenotes_player402.html VMware Player for Windows 32-bit and 64-bit md5sum: 8ec9f7cb9556bad9c910a8a9794b3b57 sha1sum: d3613399fc25273ea51ead82ad8bf359f7fda6d1 VMware Player for Linux 32-bit md5sum: 9fd4bb474a47d5c538e5e806f91e5a40 sha1sum: a3973dd32a1a39644d30532dc4cb4c6216869415 VMware Player for Linux 64-bit md5sum: 5ba343c2c0392970ecceefa8397ac233 sha1sum: d417eb8538660db4ef07271fcc08152a3494bb58 Fusion 4.1.2 ------------ http://www.vmware.com/go/downloadfusion Release Notes: http://www.vmware.com/support/fusion4/doc/releasenotes_fusion_412.html VMware Fusion (for Intel-based Macs) md5sum: 1a40b9792306cbf4664dd72ac79baecf sha1sum: e4a9c6d60887ea8ff0fc7e770c4922cc7004b3e9 ESXi and ESX ------------ http://downloads.vmware.com/go/selfsupport-download ESXi 5.0 -------- update-from-esxi5.0-5.0_update01 md5sum: 55c25bd990e2881462bc5b66fb5f6c39 sha1sum: ecd871bb09b649c6c8c13de82d579d4b7dcadc88 http://kb.vmware.com/kb/2010823 update-from-esxi5.0-5.0_update01 contains ESXi500-201203102-SG ESXi 4.1 -------- ESXi410-201201001 md5sum: bdf86f10a973346e26c9c2cd4c424e88 sha1sum: cc0b92869a9aae4f5e0e5b81bee109bcd7da780f http://kb.vmware.com/kb/2009144 ESXi410-201201001 contains ESXi410-201201402-BG ESXi 4.0 -------- ESXi400-201203001 md5sum: 8054b2e7c9cd024e492ac5c1fb9c1e72 sha1sum: 6150fee114d70603ccae399f42b905a6b1a7f3e1 http://kb.vmware.com/kb/2011768 ESXi400-201203001 contains ESXi400-201203402-BG ESXi 3.5 -------- ESXe350-201203401-O-SG md5sum: 44124458684d6d1b957b4e39cbe97d77 sha1sum: 2255311bc6c27e127e075040eb1f98649b5ce8be http://kb.vmware.com/kb/2009161 ESXe350-201203401-O-SG contains ESXe350-201203402-T-BG ESX 4.1 ------- ESX410-201201001 md5sum: 16df9acd3e74bcabc2494bc23ad0927f sha1sum: 1066ae1436e1a75ba3d541ab65296cfb9ab7a5cc http://kb.vmware.com/kb/2009080 ESX410-201201001 contains ESX410-201201401-SG ESX 4.0 ------- ESX400-201203001 md5sum: 02b7e883e8b438b83bf5e53a1be71ad3 sha1sum: 34734a8edba225a332731205ee2d6575ad9e1c88 http://kb.vmware.com/kb/2011767 ESX400-201203001 contains ESX400-201203401-SG ESX 3.5 ------- ESX350-201203402-BG md5sum: d10cf5d4790a5750cdc6702da29bfdbd sha1sum: 10f4800205cd2ecf695ff15eb142a0c8ed98665c http://kb.vmware.com/kb/2009156 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1518 ----------------------------------------------------------------------- 6. Change log 2012-04-12 VMSA-2012-0007 Initial security advisory in conjunction with the release of Fusion 4.1.2 on 2012-04-12. ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2012 VMware Inc. All rights reserved. - -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFPh0HZDEcm8Vbi9kMRAkSIAJ45KC6+pyCSaxmvoVzCHGaUbiA9LACfRJxh Ihmz1jPfgSuBDTv/054+KcQ= =X+xD - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBT4eap+4yVqjM2NGpAQLkeg/9Hgufctq3nZ4zV5AjOZw++keoZCETlCTu sBdjvMoINwFht1JXKdQ6hxOhRTMFaKJxIfpMnzqmRaGUUQRj6fJnX4HrLIaoHdoQ eKmml/HMhpfG0ElzfJ73MWRBV/XPDQEpdx7Un127qtbLAHYZfug1JW8TV+HJIVNU gj3boQN5PBozal+qteyDLAHqiVAbC5N2yeNZEwHPU3yXMg5iCapTKTF1QrZ2EXOg A+jMbK/dXzM0Po7d7zlSV5pP0OT633AVsWjHOeflmqC0tiQzADpo4B6My3yl/jB1 A/glUeNqvBkpFy3lf/eOHwmnPnlNMDJi0qIth6nLf4SGTPbdgnZRjqJaQ0Q/s4nK oHC4FEWTpsZVLup4ONM51nB2SbWM6YuhfB/gjrdPOYYRpPRbH+eLdF0TtnPce0S/ e4pqcRXVzpoYk9s3Oq15NuIlodVzD2EGxg2dyK6JvQQPtj09cYp+hS8d1RXr3uac wimj+/kSdtnuM8scilwCxBEXhGMDKQSizApaS4U5GSBZqUTBFaq8c9VmkgdkVByL 5CdsogXXfPi6gPkUrpyd15lROcPCrFRZDgEzEi4W9RTSpX/PPf748UQ71/ze4f5g 7KsvG9iOCvKvwJczyU2bRThxCmza/2Rne2DRy+Wy9wgcc4J0MP787mITiyu3pNkQ uN/gSi/sqxI= =C+tf -----END PGP SIGNATURE-----
Comments? Click here
http://www.auscert.org.au/render.html?cid=1980&it=15719