===========================================================================
             AUSCERT External Security Bulletin Redistribution

                     ESB-2008.0286 -- [Win][Linux]
     Updated VMware Workstation, VMware Player, VMware Server, VMware ACE,
            and VMware Fusion resolve critical security issues
                              28 April 2008
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              VMware Workstation
                      VMware Player
                      VMware ACE
                      VMware Server
                      VMware Fusion
Publisher:            VMware
Operating System:     Windows
                      Linux variants
Impact:               Increased Privileges
                      Denial of Service
                      Create Arbitrary Files
                      Modify Arbitrary Files
Access:               Remote/Unauthenticated
                      Existing Account
CVE Names:            CVE-2008-1364 CVE-2008-1363 CVE-2008-1362
                      CVE-2008-1361 CVE-2008-1340 CVE-2008-0923
                      CVE-2007-5618 CVE-2007-5269 CVE-2006-4343
                      CVE-2006-4339 CVE-2006-2940 CVE-2006-2937
Ref:                  AA-2008.0068

Revision History:     April 28 2008: VMWare added additional information
                      March 19 2008: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2008-0005.1
Synopsis:          Updated VMware Workstation, VMware Player, VMware
                   Server, VMware ACE, and VMware Fusion resolve
                   critical security issues
Issue date:        2008-03-17
Updated on:        2008-04-24
CVE numbers:       CVE-2008-0923 CVE-2008-0923 CVE-2008-1361
                   CVE-2008-1362 CVE-2007-5269 CVE-2006-2940
                   CVE-2006-2937 CVE-2006-4343 CVE-2006-4339
                   CVE-2007-5618 CVE-2008-1364 CVE-2008-1363
                   CVE-2008-1340
-------------------------------------------------------------------

1. Summary:

   Several critical security vulnerabilities have been addressed
   in the newest releases of VMware's hosted product line.

2. Relevant releases:

   VMware Workstation 6.0.2 and earlier
   VMware Workstation 5.5.4 and earlier
   VMware Player 2.0.2 and earlier
   VMware Player 1.0.4 and earlier
   VMware ACE 2.0.2 and earlier
   VMware ACE 1.0.2 and earlier
   VMware Server 1.0.4 and earlier
   VMware Fusion 1.1.1 and earlier

3. Problem description:

 a. Host to guest shared folder (HGFS) traversal vulnerability

   On Windows hosts, if you have configured a VMware host to guest
   shared folder (HGFS), it is possible for a program running in the
   guest to gain access to the host's file system and create or modify
   executable files in sensitive locations.

   NOTE: VMware Server is not affected because it doesn't use host to
   guest shared folders. No versions of ESX Server, including ESX
   Server 3i, are affected by this vulnerability, because ESX Server
   is based on a bare-metal hypervisor architecture and not a hosted
   architecture, and it doesn't include any shared folder abilities.
   Fusion and Linux based hosted products are unaffected.

   VMware would like to thank CORE Security Technologies for working
   with us on this issue. This addresses advisory CORE-2007-0930.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2008-0923 to this issue.

   Hosted products
   ---------------
   VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
   VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
   VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
   VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
   VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
   VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

 b. Insecure named pipes

   An internal security audit determined that a malicious Windows
   user could attain and exploit LocalSystem privileges by causing
   the authd process to connect to a named pipe that is opened and
   controlled by the malicious user.

   The same internal security audit determined that a malicious
   Windows user could exploit an insecurely created named pipe
   object to escalate privileges or create a denial of service
   attack. In this situation, the malicious user could
   successfully impersonate authd and attain the privileges under
   which authd is executing.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2008-1361, CVE-2008-1362 to these
   issues.

   Windows Hosted products
   ---------------
   VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
   VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
   VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
   VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
   VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
   VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
   VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

 c. Updated libpng library to version 1.2.22 to address various
    security vulnerabilities

   Several flaws were discovered in the way libpng handled various PNG
   image chunks. An attacker could create a carefully crafted PNG
   image file in such a way that it could cause an application linked
   with libpng to crash when the file was manipulated.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2007-5269 to this issue.

   Hosted products
   ---------------
   VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
   VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
   VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
   VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
   VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
   VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
   VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

   NOTE: Fusion is not affected by this issue.

 d. Updated OpenSSL library to address various security
    vulnerabilities

   The updated OpenSSL library fixes several security flaws that were
   discovered in previous versions of OpenSSL.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the following names to these issues: CVE-2006-2940,
   CVE-2006-2937, CVE-2006-4343, CVE-2006-4339.

   Hosted products
   ---------------
   VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
   VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
   VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
   VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
   VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
   VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
   VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

   NOTE: Fusion is not affected by this issue.

 e. VIX API default setting changed to a more secure default value

   Workstation 6.0.2 allowed anonymous console access to the guest by
   means of the VIX API. This release, Workstation 6.0.3, disables
   this feature. This means that the Eclipse Integrated Virtual
   Debugger and the Visual Studio Integrated Virtual Debugger will now
   prompt for user account credentials to access a guest.

   Hosted products
   ---------------
   VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
   VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
   VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)

 f. Windows 2000 based hosted products privilege escalation
    vulnerability

   This release addresses a potential privilege escalation on
   Windows 2000 hosted products. Certain services may be improperly
   registered and present a security vulnerability to Windows 2000
   machines.

   VMware would like to thank Ray Hicken for reporting this issue and
   David Maciejak for originally pointing out these types of
   vulnerabilities.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2007-5618 to this issue.

   Windows versions of Hosted products
   ---------------
   VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
   VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
   VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
   VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
   VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
   VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
   VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

   NOTE: Fusion and Linux based products are not affected by this
   issue.

 g. DHCP denial of service vulnerability

   A potential denial of service issue affects DHCP service running
   on the host.

   VMware would like to thank Martin O'Neal for reporting this issue.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2008-1364 to this issue.

   Hosted products
   ---------------
   VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
   VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
   VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
   VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)
   VMware Fusion      1.1 upgrade to version 1.1.1 (Build# 72241)

   NOTE: This issue doesn't affect the latest versions of VMware
   Workstation 6, VMware Player 2, and ACE 2 products.

 h. Local Privilege Escalation on Windows based platforms by
    Hijacking VMware VMX configuration file

   VMware uses a configuration file named "config.ini" which
   is located in the application data directory of all users.
   By manipulating this file, a user could gain elevated
   privileges by hijacking the VMware VMX process.

   VMware would like to thank Sun Bing for reporting the issue.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2008-1363 to this issue.

   Windows based Hosted products
   ---------------
   VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
   VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
   VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
   VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
   VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
   VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
   VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

 i. Virtual Machine Communication Interface (VMCI) memory corruption
    resulting in denial of service

   VMCI was introduced in VMware Workstation 6.0, VMware Player 2.0,
   and VMware ACE 2.0. It is an experimental, optional feature and
   it may be possible to crash the host system by making specially
   crafted calls to the VMCI interface. This may result in denial
   of service via memory exhaustion and memory corruption.

   VMware would like to thank Andrew Honig of the Department of
   Defense for reporting this issue.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2008-1340 to this issue.

   Hosted products
   ---------------
   VMware Workstation 6.0   upgrade to version 6.0.3 (Build# 80004)
   VMware Player      2.0   upgrade to version 2.0.3 (Build# 80004)
   VMware ACE         2.0   upgrade to version 2.0.1 (Build# 80004)
   VMware Fusion      1.1.1 upgrade to version 1.1.2 (Build# 87978)

4. Solution:

   Please review the Patch notes for your product and version and
   verify the md5sum of your downloaded file.

   VMware Workstation 6.0.3
   ------------------------
   http://www.vmware.com/download/ws/
   Release notes:
   http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html

   Windows binary
   md5sum: 323f054957066fae07735160b73b91e5
   RPM Installation file for 32-bit Linux
   md5sum: c44183ad11082f05593359efd220944e
   tar Installation file for 32-bit Linux
   md5sum: 57601f238106cb12c1dea303ad1b4820
   RPM Installation file for 64-bit Linux
   md5sum: e9ba644be4e39556724fa2901c5e94e9
   tar Installation file for 64-bit Linux
   md5sum: d8d423a76f99a94f598077d41685e9a9

   VMware Workstation 5.5.5
   ------------------------
   http://www.vmware.com/download/ws/ws5.html
   Release notes:
   http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html

   Windows binary
   md5sum: 9c2dd94db5eed93d7f64e8d6ba8d8bd3
   Compressed Tar archive for 32-bit Linux
   md5sum: 77401c0842a151f0b2db0b4fcb0d16eb
   Linux RPM version for 32-bit Linux
   md5sum: c222b6db934deb9c1bb79b16b25a3202

   VMware Server 1.0.5
   -------------------
   http://www.vmware.com/download/server/
   Release notes:
   http://www.vmware.com/support/server/doc/releasenotes_server.html

   VMware Server for Windows 32-bit and 64-bit
   md5sum: 3c4a57310c55e17bf8e4a1059d5b36cc
   VMware Server Windows client package
   md5sum: cb3dd2439203dc510f4d95f06ba59d21
   VMware Server for Linux
   md5sum: 161dcbe5af9bbd9834a86bf7c599903e
   VMware Server for Linux rpm
   md5sum: fc3b81ed18b53eda943a992971e9f84a
   Management Interface
   md5sum: dd10d25895d9994bd27ca896152f48ef
   VMware Server Linux client package
   md5sum: aae18f1f7b8811b5499e3a358754d4f8

   VMware ACE 2.0.3 and 1.0.5
   --------------------------
   http://www.vmware.com/download/ace/
   Windows Release notes:
   http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html

   VMware Fusion 1.1.1
   -------------------
   http://www.vmware.com/download/fusion/
   Release notes:
   http://www.vmware.com/support/fusion/doc/releasenotes_fusion.html
   md5sum: 38e116ec26b30e7a6ac47c249ef650d0

   VMware Fusion 1.1.2
   -------------------
   http://www.vmware.com/download/fusion/
   Release notes:
   http://www.vmware.com/support/fusion/doc/releasenotes_fusion.html
   md5sum: D15A3DFD3E7B11FC37AC684586086D2B

   VMware Player 2.0.3 and 1.0.6
   ----------------------
   http://www.vmware.com/download/player/
   Release notes Player 1.x:
   http://www.vmware.com/support/player/doc/releasenotes_player.html
   Release notes Player 2.0
   http://www.vmware.com/support/player2/doc/releasenotes_player2.html

   2.0.3 Windows binary
   md5sum: 0c5009d3b569687ae139e13d24c868d3
   VMware Player 2.0.3 for Linux (.rpm)
   md5sum: 53502b2112a863356dcd13dd0d8dd8f2
   VMware Player 2.0.3 for Linux (.tar)
   md5sum: 2305fcff49bef6e4ad83742412eac978
   VMware Player 2.0.3 - 64-bit (.rpm)
   md5sum: cf945b571c4d96146ede010286fdfca5
   VMware Player 2.0.3 - 64-bit (.tar)
   md5sum: f99c5b293eb87c5f918ad24111565b9f

   1.0.6 Windows binary
   md5sum: 895081406c4de5361a1700ec0473e49c
   Player 1.0.6 for Linux (.rpm)
   md5sum: 8adb23799dd2014be0b6d77243c76942
   Player 1.0.6 for Linux (.tar)
   md5sum: c358f8e1387fb60863077d6f8a9f7b3f

5. References:

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0923
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1361
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1362
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5618
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1364
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1363
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1340

6. Change log:

   2008-03-17  VMSA-2008-0005    Initial release
   2008-04-24  VMSA-2008-0005.1  Added information for Fusion 1.1.2
                                 released on 04/23/08 for item i.

-------------------------------------------------------------------
7. Contact:

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     * security-announce@lists.vmware.com
     * bugtraq@securityfocus.com
     * full-disclosure@lists.grok.org.uk

   E-mail: security@vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Center
   http://www.vmware.com/security

   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html

   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html

   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html

   Copyright 2008 VMware Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
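
The Solution section's instruction to verify the md5sum of a downloaded file, as an added example (not part of the VMware or AusCERT text): it parses label/`md5sum:` pairs laid out as in that section and compares a file's digest case-insensitively, since the Fusion 1.1.2 value is published in upper case while `md5sum` prints lower case. The sample labels, digests and file contents are constructed, and the function names are this example's own.

```python
import hashlib
import os
import re
import tempfile

# A label line followed by an "md5sum: <32 hex digits>" line.
ENTRY = re.compile(
    r"^[ \t]*(?P<label>[^\n]+?)[ \t]*\n[ \t]*md5sum:[ \t]*(?P<digest>[0-9A-Fa-f]{32})[ \t]*$",
    re.MULTILINE,
)

# Constructed sample in the advisory's layout; not values from the advisory.
SAMPLE = """\
Example installer A (constructed)
md5sum: 900150983CD24FB0D6963F7D28E17F72
Example installer B (constructed)
md5sum: d41d8cd98f00b204e9800998ecf8427e
"""


def parse_published_md5s(text):
    """Map each label to its published digest, normalised to lower case."""
    return {m["label"]: m["digest"].lower() for m in ENTRY.finditer(text)}


def file_md5(path, chunk_size=1 << 20):
    """Hash the file in chunks so large installers are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, label, published):
    """True only if the file's digest equals the one published for label."""
    if label not in published:
        raise KeyError(f"no published md5sum for {label!r}")
    return file_md5(path) == published[label]


def demo():
    """Verify a constructed 3-byte file against both sample entries."""
    published = parse_published_md5s(SAMPLE)
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"abc")
    try:
        return (verify_download(fh.name, "Example installer A (constructed)", published),
                verify_download(fh.name, "Example installer B (constructed)", published))
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    print(demo())
```

A label that is missing from the parsed text raises `KeyError` rather than returning `False`, so a misread advisory is not mistaken for a corrupt download.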