ESB-2017.1857 - [Win][Linux][Virtual] VMware vCenter Server and Tools: Multiple vulnerabilities 2017-07-31

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1857
          VMSA-2017-0013 VMware vCenter Server and Tools updates
                 resolve multiple security vulnerabilities
                               31 July 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware vCenter Server
                   VMware Tools
Publisher:         VMware
Operating System:  Windows
                   Virtualisation
                   Linux variants
Impact/Access:     Increased Privileges   -- Existing Account
                   Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-4923 CVE-2017-4922 CVE-2017-4921
                   CVE-2015-5191  

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2017-0013.html

--------------------------BEGIN INCLUDED TEXT--------------------

VMSA-2017-0013

VMware vCenter Server and Tools updates resolve multiple security 
vulnerabilities

VMware Security Advisory
 
Advisory ID:
VMSA-2017-0013

Severity:
Moderate

Synopsis:
VMware vCenter Server and Tools updates resolve multiple security 
vulnerabilities

Issue date:
2017-07-27

Updated on:
2017-07-27 (Initial Advisory)

CVE numbers:
CVE-2017-4921, CVE-2017-4922, CVE-2017-4923, CVE-2015-5191
 
1. Summary

VMware vCenter Server and Tools updates resolve multiple security 
vulnerabilities

2. Relevant Products

    VMware vCenter Server  
    VMware Tools

3. Problem Description

a. Insecure library loading through LD_LIBRARY_PATH 

VMware vCenter Server contains an insecure library loading issue that occurs
due to the use of the LD_LIBRARY_PATH variable in an unsafe manner. Successful
exploitation of this issue may allow unprivileged host users to load a shared
library that may lead to privilege escalation.

Note: In order to exploit this issue an attacker must be able to trick the
admin into executing wrapper scripts from a world-writable directory.

VMware would like to thank Thorsten Tüllmann, researcher at Karlsruhe 
Institute of Technology for reporting this issue to us.     

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the identifier CVE-2017-4921 to this issue.

Column 5 of the following table lists the action required to remediate the 
vulnerability in each release, if a solution is available.

VMware Product   Product Version   Running on   Severity   Replace with/Apply Patch   Workaround

vCenter Server   6.5               VA           Moderate   6.5 U1                     None
vCenter Server   6.5               Windows      N/A        Not affected               N/A
vCenter Server   6.0               Any          N/A        Not affected               N/A
vCenter Server   5.5               Any          N/A        Not affected               N/A
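
Added example, not part of VMware's advisory and not vCenter's own scripts: the advisory does not say which LD_LIBRARY_PATH pattern the wrapper scripts used, so this shell check covers one well-known unsafe idiom, where prepending to an empty variable leaves a zero-length entry that ld.so reads as the current working directory, together with relative and world-writable entries. The function names and /opt/example/lib are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. /opt/example/lib is a hypothetical install path.

# Unsafe idiom: with an empty caller value the result ends in ":", and ld.so
# treats a zero-length entry as the current working directory.
prepend_unsafe() { printf '%s\n' "$1:$2"; }

# Hardened idiom: add the separator only when there is something to append.
prepend_safe() { printf '%s\n' "$1${2:+:$2}"; }

# Print one finding per risky entry; exit status 0 means nothing was flagged.
audit_ld_library_path() (
    rest=$1
    findings=0
    # Terminate a non-empty value with ":" so a trailing empty entry is seen.
    if [ -n "$rest" ]; then rest="$rest:"; fi
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            '') echo "EMPTY (current directory)"; findings=$((findings + 1)) ;;
            /*) # Absolute path: flag it if any local user can write there.
                case $(ls -ldL -- "$entry" 2>/dev/null) in
                    d???????w*) echo "WORLD-WRITABLE $entry"
                                findings=$((findings + 1)) ;;
                esac ;;
            *)  echo "RELATIVE $entry"; findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
)

# Constructed demonstration: the caller's LD_LIBRARY_PATH is empty.
audit_ld_library_path "$(prepend_unsafe /opt/example/lib '')" || true
audit_ld_library_path "$(prepend_safe /opt/example/lib '')" && echo "clean"
```
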

b. Information disclosure via service startup script

VMware vCenter Server contains an information disclosure issue due to the 
service startup script using world writable directories as temporary storage
for critical information. Successful exploitation of this issue may allow 
unprivileged host users to access certain critical information when the 
service gets restarted.     

VMware would like to thank Thorsten Tüllmann, researcher at Karlsruhe Institute
of Technology for reporting this issue to us.     

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the identifier CVE-2017-4922 to this issue.

Column 5 of the following table lists the action required to remediate the
vulnerability in each release, if a solution is available.

VMware Product   Product Version   Running on   Severity   Replace with/Apply Patch   Workaround

vCenter Server   6.5               VA           Moderate   6.5 U1                     None
vCenter Server   6.5               Windows      N/A        Not affected               N/A
vCenter Server   6.0               Any          N/A        Not affected               N/A
vCenter Server   5.5               Any          N/A        Not affected               N/A

c. Information disclosure via vCenter Server Appliance file-based backup 
feature

VMware vCenter Server contains an information disclosure vulnerability. This
issue may allow plaintext credentials to be obtained when using the vCenter 
Server Appliance file-based backup feature.      

VMware would like to thank Joe Womack of Expedia for reporting this issue to 
us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the identifier CVE-2017-4923 to this issue.

Column 5 of the following table lists the action required to remediate the
vulnerability in each release, if a solution is available.

VMware Product   Product Version   Running on   Severity   Replace with/Apply Patch   Workaround

vCenter Server   6.5               VA           Moderate   6.5 U1                     None
vCenter Server   6.5               Windows      N/A        Not affected               N/A
vCenter Server   6.0               Any          N/A        Not affected               N/A
vCenter Server   5.5               Any          N/A        Not affected               N/A

d. Local privilege escalation in VMware Tools

VMware Tools contains multiple file system races in libDeployPkg, related to
the use of hard-coded paths under /tmp. Successful exploitation of this issue
may result in a local privilege escalation.      

VMware would like to thank Florian Weimer and Kurt Seifried of Red Hat Product
Security for reporting this issue to us.     

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the identifier CVE-2015-5191 to this issue.

Column 5 of the following table lists the action required to remediate the 
vulnerability in each release, if a solution is available.

VMware Product   Product Version   Running on   Severity   Replace with/Apply Patch   Workaround

VMware Tools     10.0.x, 9.x       Linux        Moderate   10.0.9 and above           None
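
Added example, not taken from VMware's advisory, the vCenter startup script or libDeployPkg: issues (b) and (d) both come from keeping sensitive or trusted files at predictable locations in world-writable directories, so this shell example shows the usual hardening for a script that needs scratch space. The function names and the svc. prefix are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: private scratch storage for a startup script.

# Preferred: mktemp -d picks an unpredictable name and creates the directory
# atomically, readable and writable by the owner only.
make_private_dir() (
    umask 077
    mktemp -d "${TMPDIR:-/tmp}/svc.XXXXXXXXXX"
)

# When a fixed name is unavoidable: mkdir fails if anything (file, directory
# or symlink) already exists at the path, so a pre-created entry is detected
# instead of silently reused.
claim_fixed_dir() (
    umask 077
    mkdir -- "$1" 2>/dev/null
)

# Check before reading or writing secrets: a real directory (not a symlink),
# owned by the current user, with no group or other permissions.
is_private_dir() {
    [ ! -L "$1" ] && [ -d "$1" ] && [ -O "$1" ] || return 1
    case $(ls -ld -- "$1") in
        drwx------*) return 0 ;;
    esac
    return 1
}

# Constructed demonstration.
workdir=$(make_private_dir) && is_private_dir "$workdir" && echo "private: $workdir"
rmdir "$workdir"
```
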
 
4. Solution

Please review the patch/release notes for your product and version and verify
the checksum of your downloaded file.

VMware vCenter Server 6.5 U1 

Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VC65U1&productId=614&rPId=17343

Documentation:
https://docs.vmware.com/en/VMware-vSphere/index.html

VMware Tools 10.0.9

Downloads and Documentation:  
https://my.vmware.com/web/vmware/details?productId=491&downloadGroup=VMTOOLS1009

5. References
          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4921  
          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4922  
          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4923  
          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191

6. Change log

 2017-07-27 VMSA-2017-0013  

Initial security advisory in conjunction with the release of VMware vCenter 
Server 6.5 U1 on 2017-07-27.

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com

bugtraq@securityfocus.com
fulldisclosure@seclists.org 

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories 

Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog  
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2017 VMware Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================