copyright
|
disclaimer
|
privacy
|
contact
HOME
About
AusCERT
Membership
Contact Us
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
Login »
Become a member »
Home
»
Security Bul...
»
Security Bul...
»
AusCERT Exte...
» ESB-2013.0143.5 - UPDATE [Win][VMware ESX] VMware vS...
ESB-2013.0143.5 - UPDATE [Win][VMware ESX] VMware vSphere: Multiple vulnerabilities
Date:
30 April 2013
References
:
ASB-2012.0019
ASB-2012.0073
ASB-2012.0096
ASB-2012.0121
ESB-2012.0872
ESB-2012.0885
ESB-2012.0886
ESB-2012.0887
ESB-2012.0894
ESB-2012.0939
ESB-2012.0940
ESB-2012.0956
ESB-2012.0986
ESB-2012.1026
ASB-2012.0147
ESB-2012.1108
ESB-2013.0136
ESB-2013.0180
Click here for printable version
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.0143.5 VMSA-2013-0001 - VMware vSphere security updates for the authentication service and third party libraries 30 April 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: VMware vSphere VMware vCenter VMware ESX VMware ESXi Publisher: VMware Operating System: VMWare ESX Server Windows Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2013-1405 CVE-2012-4244 CVE-2012-2871 CVE-2012-2870 CVE-2012-2825 CVE-2012-2807 CVE-2011-3970 CVE-2011-3102 CVE-2011-1202 Reference: ESB-2013.0136 ASB-2012.0147 ASB-2012.0121 ASB-2012.0096 ASB-2012.0073 ASB-2012.0019 ESB-2012.1108 ESB-2012.1026 ESB-2012.0986 ESB-2012.0956 ESB-2012.0940 ESB-2012.0939 ESB-2012.0894 ESB-2012.0887 ESB-2012.0886 ESB-2012.0885 ESB-2012.0872 ESB-2012.0871 ESB-2012.0737 ESB-2012.0492 ASB-2011.0034 ESB-2011.0488 Revision History: April 30 2013: Updated security advisory for issue b) due to ESXi 5.1 update released on 2013-04-25. April 2 2013: Updated security advisory for issue b) due to ESXi 5.0 update released on 2013-03-28. February 25 2013: Updated security advisory to include vCenter 2.5 Update U6c and patches for ESX 3.5 released on 2013-02-21 February 11 2013: Updated security advisory to include vCenter 4.0 Update 4b and patches for ESX 4.0. February 4 2013: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ---------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2013-0001.3 Synopsis: VMware vSphere security updates for the authentication service and third party libraries Issue date: 2013-01-31 Updated on: 2013-04-25 CVE numbers: --- vSphere authentication --- CVE-2013-1405 --- libxml2 --- CVE-2011-3102, CVE-2012-2807 --- bind (service console) --- CVE-2012-4244 --- xslt (service console) --- CVE-2011-1202, CVE-2011-3970, CVE-2012-2825, CVE-2012-2870, CVE-2012-2871 - - ---------------------------------------------------------------------- 1. Summary VMware vSphere security updates for the authentication service and third party libraries 2. Relevant releases - vCenter Server 4.1 without Update 3a - vCenter Server 4.0 without Update 4b - Virtual Center 2.5 without Update 6c - vSphere Client 4.1 without Update 3a - vSphere Client 4.0 without Update 4b - VI-Client 2.5 without Update 6c - ESXi 5.0 without Update 1 - ESXi 5.0 without patch ESXi500-201303101-SG - ESXi 4.1 without patch ESXi410-201301401-SG - ESXi 4.0 without patches ESXi400-201302401-SG and ESXi400-201302403-SG - ESXi 3.5 without patches ESXe350-201302401-I-SG and ESXe350-201302403-C-SG - ESX 4.1 without patches ESX410-201301401-SG, ESX410-201301402-SG, ESX410-201301403-SG, and ESX410-201301405-SG - ESX 4.0 without patch ESX400-201302401-SG - ESX 3.5 without patch ESX350-201302401-SG 3. Problem Description a. VMware vSphere client-side authentication memory corruption vulnerability VMware vCenter Server, vSphere Client, and ESX contain a vulnerability in the handling of the management authentication protocol. To exploit this vulnerability, an attacker must convince either vCenter Server, vSphere Client or ESX to interact with a malicious server as a client. Exploitation of the issue may lead to code execution on the client system. To reduce the likelihood of exploitation, vSphere components should be deployed on an isolated management network. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2013-1405 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ================= vCenter Server 5.1 Windows not affected vCenter Server 5.0 Windows not affected vCenter Server 4.1 Windows 4.1 Update 3a vCenter Server 4.0 Windows 4.0 Update 4b VirtualCenter 2.5 Windows 2.5 Update 6c vSphere Client 5.1 Windows not affected vSphere Client 5.0 Windows not affected vSphere Client 4.1 Windows 4.1 Update 3a ** vSphere Client 4.0 Windows 4.0 Update 4b ** VI-Client 2.5 Windows 2.5 Update 6c ** hosted * any any not affected ESXi 5.1 ESXi not affected ESXi 5.0 ESXi not affected ESXi 4.1 ESXi ESXi410-201301401-SG ESXi 4.0 ESXi ESXi400-201302401-SG ESXi400-201302403-SG (vSphere client) ESXi 3.5 ESXi ESXe350-201302401-I-SG ESXe350-201302403-C-SG (vSphere client) ESX 4.1 ESX ESX410-201301401-SG ESX 4.0 ESX ESX400-201302401-SG (includes vSphere client) ESX 3.5 ESX ESX350-201302401-SG (includes vSphere client) * hosted products are VMware Workstation, Player, ACE, Fusion. ** To remediate CVE-2013-1405, customers must apply updates to all components of the authentication service. First, customers should update vCenter Server or ESXi/ESX as appropriate to ensure that the updated vSphere Client is downloaded. Then, the vSphere client can be updated using any one of the following methods: - Run the installer that ships with vCenter Server - Follow the client installation link on the vCenter Server welcome page - Follow the client installation link on the ESXi/ESX Server welcome page b. Update to ESX/ESXi libxml2 userworld and service console The ESX/ESXi userworld libxml2 library has been updated to resolve multiple security issues. Also, the ESX service console libxml2 packages are updated to the following versions: libxml2-2.6.26-2.1.15.el5_8.5 libxml2-python-2.6.26-2.1.15.el5_8.5 These updates fix multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-3102 and CVE-2012-2807 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======== ======= ================= ESXi 5.1 ESXi see VMSA-2013-0004 ESXi 5.0 ESXi see VMSA-2013-0004 ESXi 4.1 ESXi ESXi410-201301401-SG ESXi 4.0 ESXi no patch planned ESXi 3.5 ESXi no patch planned ESX 4.1 ESX ESX410-201301405-SG ESX 4.0 ESX no patch planned ESX 3.5 ESX no patch planned c. Update to ESX service console bind packages The ESX service console bind packages are updated to the following versions: bind-libs-9.3.6-20.P1.el5_8.2 bind-utils-9.3.6-20.P1.el5_8.2 These updates fix a security issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-4244 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======== ======= ================= ESXi any ESXi not applicable ESX 4.1 ESX ESX410-201301402-SG ESX 4.0 ESX patch pending ESX 3.5 ESX not applicable d. Update to ESX service console libxslt package The ESX service console libxslt package is updated to version libxslt-1.1.17-4.el5_8.3 to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-1202, CVE-2011-3970, CVE-2012-2825, CVE-2012-2870, and CVE-2012-2871 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======== ======= ================= ESXi any ESXi not applicable ESX 4.1 ESX ESX410-201301403-SG ESX 4.0 ESX not affected ESX 3.5 ESX not applicable 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Server 4.1 Update 3a --------------------------- The download for vCenter Server includes vSphere Update Manager, vSphere Client, and vCenter Orchestrator. Download link: https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_ vsphere/4_1 Release Notes: https://www.vmware.com/support/vsphere4/doc/vsp_vc41_u3a_rel_notes.html vCenter Server 4.0 Update 4b --------------------------- The download for vCenter Server includes vSphere Update Manager, vSphere Client, and vCenter Orchestrator. Download link: https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_ vsphere/4_0 Release Notes: https://www.vmware.com/support/vsphere4/doc/vsp_vc40_u4b_rel_notes.html VirtualCenter 2.5 Update U6c --------------------------- Download link: http://downloads.vmware.com/d/info/datacenter_downloads/vmware_infrastructu re_3/3_5 Release Notes: https://www.vmware.com/support/vi3/doc/vi3_vc25u6c_rel_notes.html ESXi and ESX ------------ https://my.vmware.com/web/vmware/downloads ESXi 4.1 -------- File: ESXi410-201301001.zip md5sum: 3543d3f16a1f1b1369dcdb5c25fa7106 sha1sum: cced12e87838a3b037c9ec99d8490809c61fe883 http://kb.vmware.com/kb/2041332 ESXi410-201301001 contains ESXi410-201301401-SG ESXi 4.0 -------- File: ESXi400-201302001.zip md5sum: 03dc9246239dd449bf21a122e7b1bcf3 sha1sum: 276346a186c068c1fdbf19e1b753b8a2dbc8c89c http://kb.vmware.com/kb/2041344 ESXi400-201302001 contains ESXi400-201302401-SG and ESXi400-201302403-SG ESXi 3.5 -------- File: ESXe350-201302401-O-SG.zip md5sum: a2c5f49bc865625b3796c41c202d1696 sha1sum: 12d25011d9940ea40d45f77a4e5bcc7e7b0c0cee http://kb.vmware.com/kb/2042543 ESXi350-201302401-O-SG contains ESXe350-201302401-I-SG and ESXe350-201302403-C-SG ESX 4.1 ------- File: ESX410-201301001.zip md5sum: 0219dbcbcc6fafe8bf33695682c8658d sha1sum: 2eab9d56ac81f7d2d00c15b155bd93c36b0e03c3 http://kb.vmware.com/kb/2041331 ESX410-201301001 contains ESX410-201301401-SG, ESX410-201301402-SG, ESX410-201301403-SG, and ESX410-201301405-SG ESX 4.0 ------- File: ESX400-201302001.zip md5sum: 2a883e737c3cde990fe4792c64c32fcd sha1sum: 92c3b13ab3fdee73c335d5e8b41159f546def199 http://kb.vmware.com/kb/2041343 ESX400-201302001 contains ESX400-201302401-SG ESX 3.5 ------- File: ESX350-201302401-SG.zip md5sum: e703cb0bc3e1eaa8932a96ea96f34a00 sha1sum: 91dcf1bf7194a289652d0904dd7af8bce0a1d2dd http://kb.vmware.com/kb/2042541 ESX350-201302401-SG contains ESX350-201302401-SG 5. References --- vSphere authentication --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1405 --- libxml2 --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3102 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2807 --- bind (service console) --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4244 --- xslt (service console) --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1202 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3970 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2825 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2870 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2871 - - ----------------------------------------------------------------------- 6. Change log 2013-01-31 VMSA-2013-0001 Initial security advisory in conjunction with the release of vCenter 4.1 Update 3a and ESX 4.1 patches on 2013-01-31. 2013-02-07 VMSA-2013-0001.1 Updated security advisory to include vCenter 4.0 Update 4b and patches for ESX 4.0 released on 2013-02-07. 2013-02-21 VMSA-2013-0001.2 Updated security advisory to include vCenter 2.5 Update U6c and patches for ESX 3.5 released on 2013-02-21. 2013-02-21 VMSA-2013-0001.3 Updated security advisory for issue b) due to ESXi 5.0 update released on 2013-03-28. 2013-04-25 VMSA-2013-0001.4 Updated security advisory for issue b) due to ESXi 5.1 update released on 2013-04-25. - - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2013 VMware Inc. All rights reserved. - -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.0 (Build 8741) Charset: utf-8 wj8DBQFReaL9DEcm8Vbi9kMRAmdrAJ9+oP0uADC+iwb2UGTaJ6OLDalw5QCgzTud v5K44fS0smoDug5UPO7EzAQ= =g/vy - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUX8kTu4yVqjM2NGpAQI62Q//W5ahuxPSKMxldhdLFb40dTWfAV7tkLqC Y4NJJm/wLrhpBD9dIXC0qvCNscL4izy3/eO+pwSKJKLQuYUl4aEavkEGnQOr+oQk y+Ga6y0DiPdo0cuotoXq/fjBeAf5LI7IYBL4Kbinyg9iFmJBTVUzN6HYF44Q3OdK DbeG46/YXVOXCkua3d5aKLx8t3wbT9mAPVKW8dOsyZ3uywXUqPuBL/i6Q0MDR0R6 yx3N93z8ADYgjPmhG4gZ6FpQJwAkI9cZtaD2UPihd5YBgk3L8bLzffPQr5mPjFgr dpwJydRhPDwsVCEYtQtxkKs+JgBNKeI939wU/NNg5KKBDl9pWsaTCVDNZ2alzTZb aKJLI/bVew7zmiE3Z4vvcBCplX/7U4ToYn28Iv548jbTSceCMBPYW65SC2+ooCXx qaBgB6fIPwH+AaBCWoKAJcHnE8JXqKViLxI6HEsOR+F17uzvHh2ebvE9/otkozvg 7/QkELAm7d7kR9CxxgQfXF+QGCezeDv+6bZ+31DbXZQ5/yPnb4vUiiA4r4OlAR9v CGy9rp+fwGt3sGP9gDELYSIr2/8ZTeqkU5XWC+vjr7UdyB3LYlXn7oROGRu5OnhP CzbpkfCRAVMFkYyTrjixF6EW+Oa2nrWO6Usyj9QF7cAM/XTeUBrXMFNHFp03n9cr BgfqCrTnq4Y= =CTrv -----END PGP SIGNATURE-----
Comments? Click here
http://www.auscert.org.au/render.html?cid=1980&it=16921