Date: 11 January 2007
References: ESB-2006.0485 AL-2006.0074 AL-2006.0084 ESB-2006.0747 ESB-2006.0843 ESB-2006.0844 ESB-2007.0392
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2007.0023 -- [VMware ESX]
VMware ESX server security updates
11 January 2007
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: VMware ESX server 3.0.1 and prior
Publisher: VMware
Operating System: VMWare ESX Server
Impact: Execute Arbitrary Code/Commands
Access Privileged Data
Denial of Service
Reduced Security
Access: Remote/Unauthenticated
CVE Names: CVE-2006-5794 CVE-2006-5051 CVE-2006-4980
CVE-2006-4924 CVE-2006-4343 CVE-2006-4339
CVE-2006-3738 CVE-2006-3589 CVE-2006-2940
CVE-2006-2937 CVE-2006-0225 CVE-2004-2069
CVE-2003-0386
Ref: ESB-2006.0485
ESB-2006.0843
AL-2006.0084
AL-2006.0074
ESB-2006.0747
ESB-2006.0844
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- - -------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2007-0001
Synopsis: VMware ESX server security updates
Issue date: 2007-01-09
Updated on: 2007-01-09
CVE: CVE-2006-3589 CVE-2006-2937 CVE-2006-2940
CVE-2006-3738 CVE-2006-4339 CVE-2006-4343
CVE-2006-4980
- - -------------------------------------------------------------------
1. Summary:
Updated ESX Patches address several security issues.
2. Relevant releases:
VMware ESX 3.0.1 without patch ESX-9986131
VMware ESX 3.0.0 without patch ESX-3069097
VMware ESX 2.5.4 prior to upgrade patch 3
VMware ESX 2.5.3 prior to upgrade patch 6
VMware ESX 2.1.3 prior to upgrade patch 4
VMware ESX 2.0.2 prior to upgrade patch 4
3. Problem description:
Problems addressed by these patches:
a. Incorrect permissions on SSL key files generated by vmware-config
(CVE-2006-3589):
ESX 3.0.1: does not have this problem
ESX 3.0.0: does not have this problem
ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 3 (Build# 36502)
ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 6 (Build# 35703)
ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 4 (Build# 35803)
ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 4 (Build# 35801)
A possible security issue with the configuration program
vmware-config which could set incorrect permissions on SSL key
files. Local users may be able to obtain access to the SSL key
files. The Common Vulnerabilities and Exposures project
(cve.mitre.org) assigned the name CVE-2006-3589 to this issue.
b. OpenSSL library vulnerabilities:
ESX 3.0.1: corrected by ESX 3.0.1 Patch ESX-9986131
ESX 3.0.0: corrected by ESX 3.0.0 Patch ESX-3069097
ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 3 (Build# 36502)
ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 6 (Build# 35703)
ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 4 (Build# 35803)
ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 4 (Build# 35801)
(CVE-2006-2937) OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d
allows remote attackers to cause a denial of service (infinite
loop and memory consumption) via malformed ASN.1 structures that
trigger an improperly handled error condition.
(CVE-2006-2940) OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d,
and earlier versions allows attackers to cause a denial of service
(CPU consumption) via parasitic public keys with large (1) "public
exponent" or (2) "public modulus" values in X.509 certificates that
require extra time to process when using RSA signature verification.
(CVE-2006-4339) OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8
before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1
padding before generating a hash, which allows remote attackers to
forge a PKCS #1 v1.5 signature that is signed by that RSA key and
prevents OpenSSL from correctly verifying X.509 and other
certificates that use PKCS #1.
(CVE-2006-4343) The get_server_hello function in the SSLv2 client
code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and
earlier versions allows remote servers to cause a denial of service
(client crash) via unknown vectors that trigger a null pointer
dereference.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the names CVE-2006-2937, CVE-2006-2940, CVE-2006-3738,
CVE-2006-4339, and CVE-2006-4343 to these issues.
c. Updated OpenSSH package addresses the following possible security issues:
ESX 3.0.1: corrected by Patch ESX-9986131
ESX 3.0.0: corrected by Patch ESX-3069097
ESX 2.5.4: does not have these problems
ESX 2.5.3: does not have these problems
ESX 2.1.3: does not have these problems
ESX 2.0.2: does not have these problems
(CVE-2004-2069) sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly
other versions, when using privilege separation, does not properly
signal the non-privileged process when a session has been terminated
after exceeding the LoginGraceTime setting, which leaves the
connection open and allows remote attackers to cause a denial of
service (connection consumption).
(CVE-2006-0225) scp in OpenSSH 4.2p1 allows attackers to execute
arbitrary commands via filenames that contain shell metacharacters
or spaces, which are expanded twice.
(CVE-2003-0386) OpenSSH 3.6.1 and earlier, when restricting host
access by numeric IP addresses and with VerifyReverseMapping
disabled, allows remote attackers to bypass "from=" and "user@host"
address restrictions by connecting to a host from a system whose
reverse DNS hostname contains the numeric IP address.
(CVE-2006-4924) sshd in OpenSSH before 4.4, when using the version 1
SSH protocol, allows remote attackers to cause a denial of service
(CPU consumption) via an SSH packet that contains duplicate blocks,
which is not properly handled by the CRC compensation attack
detector.
NOTE: ESX by default disables version 1 SSH protocol.
(CVE-2006-5051) Signal handler race condition in OpenSSH before 4.4
allows remote attackers to cause a denial of service (crash), and
possibly execute arbitrary code if GSSAPI authentication is enabled,
via unspecified vectors that lead to a double-free.
NOTE: ESX doesn't use GSSAPI by default.
(CVE-2006-5794) Unspecified vulnerability in the sshd Privilege
Separation Monitor in OpenSSH before 4.5 causes weaker verification
that authentication has been successful, which might allow attackers
to bypass authentication.
NOTE: as of 20061108, it is believed that this issue is only
exploitable by leveraging vulnerabilities in the unprivileged
process, which are not known to exist.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the names CVE-2004-2069, CVE-2006-0225, CVE-2003-0386,
CVE-2006-4924, CVE-2006-5051, and CVE-2006-5794 to these issues.
d. Object reuse problems with newly created virtual disk (.vmdk or .dsk)
files:
ESX 3.0.1: does not have this problem
ESX 3.0.0: does not have this problem
ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 3 (Build# 36502)
ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 6 (Build# 35703)
ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 4 (Build# 35803)
ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 4 (Build# 35801)
A possible security issue with virtual disk (.vmdk or .dsk) files
that are newly created, but contain blocks from recently deleted
virtual disk files. Information belonging to the previously
deleted virtual disk files could be revealed in newly created
virtual disk files.
VMware recommends the following workaround: When creating new
virtual machines on an ESX Server that may contain sensitive
data, use vmkfstools with the -W option. This initializes the
virtual disk with zeros.
e. Buffer overflow in Python function repr():
ESX 3.0.1: corrected by Patch ESX-9986131
ESX 3.0.0: corrected by ESX-3069097
ESX 2.5.4: does not have this problem
ESX 2.5.3: does not have this problem
ESX 2.1.3: does not have this problem
ESX 2.0.2: does not have this problem
A possible security issue with how the Python function repr()
function handles UTF-32/UCS-4 strings. Python applications
using this function can open a security vulnerability that could
allow the execution of arbitrary code.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the name CVE-2006-4980 to this issue.
4. Solution:
Please review the Patch notes for your version of ESX and verify the md5sum.
ESX 3.0.1
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
md5usm: 239375e107fd4c7af57663f023863fcb
ESX 3.0.0
http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
md5sum: ca9947239fffda708f2c94f519df33dc
ESX 2.5.4
http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html
md5sum: 239375e107fd4c7af57663f023863fcb
ESX 2.5.3
http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html
md5sum: f90fcab28362edbf2311f3ca90cc7739
ESX 2.1.3
http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html
md5sum: 7d7d0e40f4dccd5ca64b9c13a856da8f
ESX 2.0.2
http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html
md5sum: 925e70f28d17714c53fdbd24de64329f
5. References:
ESX 2.5.4 Patch URL:
http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html
ESX 2.5.3 Patch URL:
http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html
ESX 2.1.3 Patch URL:
http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html
ESX 2.0.2 Patch URL:
http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html
ESX 3.0.0 Patch URL:
http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
Knowledge base URL:http://kb.vmware.com/kb/3069097
ESX 3.0.1 Patch URL:
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
Knowledge base URL:http://kb.vmware.com/kb/9986131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3589
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4980
6. Contact:
http://www.vmware.com/security
VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html
E-mail: security@vmware.com
PGP key: http://kb.vmware.com/kb/1055
Copyright 2007 VMware Inc. All rights reserved.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFFpDHJ6KjQhy2pPmkRCKBoAKCBxPzEUC9XijRAbtqZJ7l4YV4gUgCgmkW/
qYhKM5SDILPj7ixrsz2dm40=
=TjWR
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRaWydyh9+71yA2DNAQL8lAP/bn6SlrVXljCnCy3MUE2e29yIB3J+htrH
bU/W4GtCulDc7Fhz9R2rQUEpD1nUav14aJLFCGdhxbZI4fSpvpY/GLyeTY3PCeEO
V4FRHKhxzaYiTo7sEXRLxgAEzNJ8r4FTIe91PM4cSWh1FTBsGPsfKxlpUo5Q16Y+
f+Hg09y1d5c=
=9uMg
-----END PGP SIGNATURE-----
|