Date: 15 June 2012
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0556
VMware hosted products and ESXi and ESX patches address security issues
15 June 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: VMware Workstation
VMware Player
VMware Fusion
VMware ESXi
VMware ESX
Publisher: VMware
Operating System: VMWare ESX Server
Windows
Mac OS X
Linux variants
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2012-3289 CVE-2012-3288
Original Bulletin:
http://www.vmware.com/support/support-resources/advisories/VMSA-2012-0011.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - -----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2012-0011
Synopsis: VMware hosted products and ESXi and ESX patches address
security issues
Issue date: 2012-06-14
Updated on: 2012-06-14 (initial advisory)
CVE numbers: CVE-2012-3288, CVE-2012-3289
-----------------------------------------------------------------------
1. Summary
VMware Workstation, Player, Fusion, ESXi and ESX patches address
security issues.
2. Relevant releases
Workstation 8.0.3
Workstation 7.1.5
Player 4.0.3
Player 3.1.5
Fusion 4.1.2
ESXi 5.0 without patch ESXi500-201206401-SG
ESXi 4.1 without patch ESXi410-201206401-SG
ESXi 4.0 without patch ESXi400-201206401-SG
ESXi 3.5 without patch ESXe350-201206401-I-SG
ESX 4.1 without patch ESX410-201206401-SG
ESX 4.0 without patch ESX400-201206401-SG
ESX 3.5 without patch ESX350-201206401-SG
3. Problem Description
a. VMware Host Checkpoint file memory corruption
Input data is not properly validated when loading Checkpoint files.
This may allow an attacker with the ability to load a specially
crafted Checkpoint file to execute arbitrary code on the host.
Workaround
- None identified
Mitigation
- Do not import virtual machines from untrusted sources.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-3288 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
Workstation 8.x any 8.0.4 or later
Workstation 7.x any 7.1.6 or later
Player 4.x any 4.0.4 or later
Player 3.x any 3.1.6 or later
Fusion 4.x Mac OS/X 4.1.3 or later
ESXi 5.0 ESXi ESXi500-201206401-SG
ESXi 4.1 ESXi ESXi410-201206401-SG
ESXi 4.0 ESXi ESXi400-201206401-SG
ESXi 3.5 ESXi ESXe350-201206401-I-SG
ESX 4.1 ESX ESX410-201206401-SG
ESX 4.0 ESX ESX400-201206401-SG
ESX 3.5 ESX ESX350-201206401-SG
b. VMware Virtual Machine Remote Device Denial of Service
A device (e.g. CD-ROM, keyboard) that is available to a virtual
machine while physically connected to a system that does not run the
virtual machine is referred to as a remote device.
Traffic coming from remote virtual devices is incorrectly handled.
This may allow an attacker who is capable of manipulating the
traffic from a remote virtual device to crash the virtual machine.
Workaround
- None identified
Mitigation
- Users need administrative privileges on the virtual machine
in order to attach remote devices.
- Do not attach untrusted remote devices to a virtual machine.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-3289 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
Workstation 8.x any 8.0.4 or later
Workstation 7.x any not affected
Player 4.x any 4.0.4 or later
Player 3.x any not affected
Fusion 4.x Mac OS/X not affected
ESXi 5.0 ESXi ESXi500-201206401-SG
ESXi 4.1 ESXi ESXi410-201206401-SG
ESXi 4.0 ESXi ESXi400-201206401-SG
ESXi 3.5 ESXi ESXe350-201206401-I-SG
ESX 4.1 ESX ESX410-201206401-SG
ESX 4.0 ESX ESX400-201206401-SG
ESX 3.5 ESX ESX350-201206401-SG
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
Workstation 8.0.4
-----------------
http://www.vmware.com/go/downloadworkstation
Release notes:
https://www.vmware.com/support/ws80/doc/releasenotes_workstation_804.html
VMware Workstation for Windows 32-bit and 64-bit with VMware Tools
md5sum: 9c74d5468d693714d2b6c616fd416e54
sha1sum: d542e1ac1a4df062ed6029fabf5f30750234a3b9
VMware Workstation for Linux 32-bit with VMware Tools
md5sum: 1c340ba2cef564fd52460cee46bfaa06
sha1sum: 8d99595b5f7f020e51aad8ba373b0f09e8d0aba2
VMware Workstation for Linux 64-bit with VMware Tools
md5sum: de0ea94362f9c044bb4a03682dee2d05
sha1sum: 04aa91f0bb4f51b024ed88939ecd9bb6d7efefe4
Workstation 7.1.6
-----------------
http://www.vmware.com/go/downloadworkstation
Release notes:
https://www.vmware.com/support/ws71/doc/releasenotes_ws716.html
VMware Workstation for Windows 32-bit and 64-bit with VMware Tools
md5sum: f7856421babd716dace2f0250ae271f7
sha1sum: 9eaf4b17afec36b8a166bad81be851bd8cfda709
VMware Workstation for Linux 32-bit with VMware Tools
md5sum: 18cc162a88d66a78a0114550517cd42d
sha1sum: 5a1ea9c841a2f45c2e2ed07a30b01c18c85f2133
VMware Workstation for Linux 64-bit with VMware Tools
md5sum: c11e4e162fc128cbfe629c8fb60ea733
sha1sum: 627698ac32d039bcafc117f0fb71d7e666ac0c2e
Player 4.0.4
------------
http://www.vmware.com/go/downloadplayer
Release notes:
https://www.vmware.com/support/player40/doc/releasenotes_player404.html
VMware Player for Windows 32-bit and 64-bit
md5sum: 9fea9628b54bba02c173b8dae2e0e77e
sha1sum: 9dea11046392555cd6b00c8eb7b4135c3ca143b7
VMware Player for Linux 32-bit
md5sum: 3f0aae6170e075ec7b042b931e97bdac
sha1sum: 595f73ced1f8dc2804d89ebfee98edeb561ff94d
VMware Player for Linux 64-bit
md5sum: 825633b7031578203104081f1a132b09
sha1sum: e6b5919a822bfc66bf2cc9a52e62532433014c80
Player 3.1.6
------------
http://www.vmware.com/go/downloadplayer
Release notes:
https://www.vmware.com/support/player31/doc/releasenotes_player316.html
VMware Player for Windows 32-bit and 64-bit
md5sum: 258ca5ac40efa389b0bb221191dbdd65
sha1sum: 691beccb590b7bc34461f78946d752288f2ef4e7
VMware Player for Linux 32-bit
md5sum: 9ed2d89816523ba030f8877c3fb935b9
sha1sum: a16a91dddb6081be314ef5d84708d37fabdd859c
VMware Player for Linux 64-bit
md5sum: d0715a06775c0f92b9d23e031e4af1c6
sha1sum: 5033c1bfecb309b96399410e614c41452c49e8e8
Fusion 4.1.3
------------
http://www.vmware.com/go/downloadfusion
Release Notes:
http://www.vmware.com/support/fusion4/doc/releasenotes_fusion_413.html
VMware Fusion (for Intel-based Macs)
md5sum: 1581b2f1cc0e28f9980c48bab59072bd
sha1sum: f2f58d0b3bfa405c4e6d9f61d51e0d689f8ed34c
ESXi and ESX
------------
http://downloads.vmware.com/go/selfsupport-download
ESXi 5.0
--------
ESXi500-201206001
md5sum: 41299e3e0798220372ecd2c334e109bc
sha1sum: f4309df6f6a0c876f496b324b16ff911e7907a40
http://kb.vmware.com/kb/2021031
ESXi500-201206001 contains ESXi500-201206401-SG
ESXi 4.1
--------
ESXi410-201206001
md5sum: c0b4c3aad0b7c77b3a586b0806d8b44e
sha1sum: f6dd511b1eb257efdadfc608a70c6f3cda4e4b4a
http://kb.vmware.com/kb/2019243
ESXi410-201206001 contains ESXi410-201206401-SG
ESXi 4.0
--------
ESXi400-201206001
md5sum: e24762b6fa13c725f1739a9cea437949
sha1sum: 822582de9c3791c6face7ed0fc3d8dc2f29322c0
http://kb.vmware.com/kb/2021027
ESXi400-201206001 contains ESXi410-201206401-SG
ESXi 3.5
--------
ESXe350-201206401-O-SG
md5sum: f553524860896eb3f9095740fb48ae53
sha1sum: 70ec5bd7bad523b84f635031c99dd48fa378254b
http://kb.vmware.com/kb/2021018
ESXe350-201206401-O-SG contains ESXe350-201206401-I-SG
ESX 4.1
-------
ESX410-201206001
md5sum: 532aa0474f36649a74921adf14c8739b
sha1sum: 8baabd80dc27bb4e705df63683c0be3af0ac5431
http://kb.vmware.com/kb/2019065
ESX410-201206001 contains ESX410-201206401-SG
ESX 4.0
-------
ESX400-201206001
md5sum: ca60db82c5a3a5c6128f5805fa34f121
sha1sum: ff5aa11d5d4e1f4788483c7e60cbd828a0d6f7c1
http://kb.vmware.com/kb/2021025
ESX400-201206001 contains ESX400-201206401-SG
ESX 3.5
-------
ESX350-201206401-SG
md5sum: 065f9e2c78fea243c640e9757743a2ab
sha1sum: 2438decf074a270067f58837efda10670a8955aa
http://kb.vmware.com/kb/2021017
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3289
-----------------------------------------------------------------------
6. Change log
2012-06-14 VMSA-2012-0011
Initial security advisory in conjunction with the release of
Workstation 7.1.6, Player 3.1.6, ACE 2.7.6, Workstation 8.0.4,
Player 4.0.4, Fusion 4.1.3 and patches for ESXi and ESX 3.5,
4.0, 4.1 and 5.0 on 2012-06-14
-----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2012 VMware Inc. All rights reserved
- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFP2U58DEcm8Vbi9kMRAqiHAJ0RWZ/hNfbcbv8YuDpa+xYTaBm/XgCgprug
VGktywZ3F9EQTaY7Ur21NEY=
=J82M
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBT9rJWu4yVqjM2NGpAQLd/g//WdiQt79L73Q31GBMhM+DoX/LdxesaBBj
Juj31C6v3lax75UThI/rXRCc+VtmWzLzVKR74O727FRqwonJSWvt4kpNH46kv5lu
dsUddSge+dlyStxLuMBDE4j1H3rJMejoyFx+JagqHWuZ5NLWde168GlsgOKZKjQj
+wGE5Cp5fE6XZma4Yxnew1oYqB/igKlG7hODpma270wIRqdgeoGmOjSZQWCs1HsD
AxNyv5F96CigeMcyvgPi8W1UtKq6bCXoIVFK2S28wpaoIQvES2LKj1QwGjKc3NmM
8X/zp6hLaup9MjW2klG7JeTsoLL3vtpzuswH/lcAn30IHuth5/IdetBqVHytOHoM
DCYvjnT7qZ54SvNzL++Uc407zy5K8SmbQdIUfsRrmOmUiut7DdfoNMzFGp+JRXE+
t5M+sFYOAZ3Wb93+p53xZsNkfmuMxu1F5MEYqd4N4N7rIjh+/HkjU8LyWDkMn9ly
FzYfCmmeQLtC3icK3FSQPPOKq9nCMEZL4K3KAHbpFUjYEyjGGLSVRmZ+O0KNa4Xd
J7Y3zQXEs2MoBiHqhtHjQWEpH0mWa+XfFmjuiqiGdtyksEsvowV4RCArqlcrpouE
jfQKwykPHBsw+THkV9jnxqpitQwxIPtC6QnAd5iuYiqbFsMcT9Kt4Cl1/r+M+O5z
ml+maL3AXkI=
=SNwC
-----END PGP SIGNATURE-----
|