ESB-2009.1430.3 - UPDATE [VMware ESX] VMware: Multiple vulnerabilities

Date: 08 January 2010
References: AA-2007.0111  AA-2008.0114  ESB-2008.0776  AA-2008.0221  ESB-2008.1135  ESB-2009.0049  ESB-2009.0082  ESB-2009.0290  ESB-2009.0329  ESB-2009.0400  
ESB-2009.0451  ESB-2009.0477  ASB-2009.1013  ESB-2009.1053  ESB-2009.1055  ESB-2009.1144  ESB-2009.1553.5  
Related Files: ESB-2009.1430   ESB-2009.1430.2  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2009.1430.3
        VMware ESX patches for DHCP, Service Console kernel and JRE
                     resolve multiple security issues
                              8 January 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          VMware ESX 4.0
                  VMware ESX 3.5
                  VMware ESX 3.03
Publisher:        VMware
Operating System: VMware ESX Server
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                  Denial of Service               -- Remote/Unauthenticated
                  Overwrite Arbitrary Files       -- Existing Account      
                  Increased Privileges            -- Existing Account      
                  Access Confidential Data        -- Existing Account      
Resolution:       Patch/Upgrade
CVE Names:        CVE-2009-1893 CVE-2009-1107 CVE-2009-1106
                  CVE-2009-1105 CVE-2009-1104 CVE-2009-1103
                  CVE-2009-1102 CVE-2009-1101 CVE-2009-1100
                  CVE-2009-1099 CVE-2009-1098 CVE-2009-1097
                  CVE-2009-1096 CVE-2009-1095 CVE-2009-1094
                  CVE-2009-1093 CVE-2009-0692 CVE-2008-5360
                  CVE-2008-5359 CVE-2008-5358 CVE-2008-5357
                  CVE-2008-5356 CVE-2008-5355 CVE-2008-5354
                  CVE-2008-5353 CVE-2008-5352 CVE-2008-5351
                  CVE-2008-5350 CVE-2008-5349 CVE-2008-5348
                  CVE-2008-5347 CVE-2008-5346 CVE-2008-5345
                  CVE-2008-5344 CVE-2008-5343 CVE-2008-5342
                  CVE-2008-5341 CVE-2008-5340 CVE-2008-5339
                  CVE-2008-4210 CVE-2008-3525 CVE-2008-3275
                  CVE-2008-2812 CVE-2008-2136 CVE-2008-2086
                  CVE-2008-0598 CVE-2007-6063 

Reference:        ESB-2009.1553
                  ASB-2009.1013
                  AA-2008.0221
                  AA-2008.0114
                  AA-2007.0111
                  ESB-2009.1144
                  ESB-2009.1055
                  ESB-2009.1053
                  ESB-2009.0477
                  ESB-2009.0451
                  ESB-2009.0400
                  ESB-2009.0329
                  ESB-2009.0290
                  ESB-2009.0082
                  ESB-2009.0049
                  ESB-2008.1135
                  ESB-2008.0776
                  ESB-2008.0735
                  ESB-2008.0729
                  ESB-2008.0646
                  ESB-2008.0233
                  ESB-2008.0108

Revision History: January   8 2010: VMware updated their advisory after release
                                    of ESX 4.0 patch for ESX400-200912404-SG on 
                                    2010-01-06.
                  November 23 2009: Updated after release of vCenter and ESX 
                                    Update 1 on 2009-11-19
                  October  19 2009: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2009-0014.2
Synopsis:          VMware ESX patches for DHCP, Service Console kernel,
                   and JRE resolve multiple security issues
Issue date:        2009-10-16
Updated on:        2010-01-06
CVE numbers:       CVE-2009-0692 CVE-2009-1893 CVE-2009-0692
                   CVE-2008-4210 CVE-2008-3275 CVE-2008-5356
                   CVE-2008-0598 CVE-2008-2136 CVE-2008-2812
                   CVE-2007-6063 CVE-2008-3525 CVE-2008-2086
                   CVE-2008-5347 CVE-2008-5348 CVE-2008-5349
                   CVE-2008-5350 CVE-2008-5351 CVE-2008-5352
                   CVE-2008-5353 CVE-2008-5354 CVE-2008-5357
                   CVE-2008-5358 CVE-2008-5359 CVE-2008-5360
                   CVE-2008-5339 CVE-2008-5342 CVE-2008-5344
                   CVE-2008-5345 CVE-2008-5346 CVE-2008-5340
                   CVE-2008-5341 CVE-2008-5343 CVE-2008-5355
                   CVE-2009-1093 CVE-2009-1094 CVE-2009-1095
                   CVE-2009-1096 CVE-2009-1097 CVE-2009-1098
                   CVE-2009-1099 CVE-2009-1100 CVE-2009-1101
                   CVE-2009-1102 CVE-2009-1103 CVE-2009-1104
                   CVE-2009-1105 CVE-2009-1106 CVE-2009-1107
- - -----------------------------------------------------------------------

1. Summary

   Updated DHCP and Kernel packages for ESX 3.5 and ESX 3.0.3 and
   updated Java JRE packages for ESX 3.5 address several security
   issues.

2. Relevant releases

   ESX 4.0 without patch ESX400-200912404-SG

   ESX 3.5 without patches ESX350-200910406-SG, ESX350-200910401-SG,
                           ESX350-200910403-SG
   ESX 3.0.3 without patch ESX303-200910402-SG

3. Problem Description

 a. Service Console update for DHCP and third party library update
    for DHCP client.

    DHCP is an Internet-standard protocol by which a computer can be
    connected to a local network, ask to be given configuration
    information, and receive from a server enough information to
    configure itself as a member of that network.

    A stack-based buffer overflow in the script_write_params method in
    ISC DHCP dhclient allows remote DHCP servers to execute arbitrary
    code via a crafted subnet-mask option.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2009-0692 to this issue.

    An insecure temporary file use flaw was discovered in the DHCP
    daemon's init script ("/etc/init.d/dhcpd"). A local attacker could
    use this flaw to overwrite an arbitrary file with the output of the
    "dhcpd -t" command via a symbolic link attack, if a system
    administrator executed the DHCP init script with the "configtest",
    "restart", or "reload" option.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2009-1893 to this issue.
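    The temporary-file flaw above comes from an init script sending "dhcpd -t"
    output to a fixed, predictable path that a local user can pre-create as a
    symbolic link. The following is an added illustration of the mitigation,
    not code from the VMware advisory or from the ESX init script: it runs the
    configuration test with its output in a freshly created private temporary
    file (mktemp refuses to reuse an existing name, so there is no link to
    follow) and checks the file before writing. DHCPD_BIN, DHCPD_CONF and the
    helper names are assumptions for the example.

```shell
# Added example: safe "configtest" pattern for a dhcpd init script.
# Not part of the VMware advisory; DHCPD_BIN/DHCPD_CONF are placeholders.
DHCPD_BIN="${DHCPD_BIN:-/usr/sbin/dhcpd}"
DHCPD_CONF="${DHCPD_CONF:-/etc/dhcpd.conf}"

# tmpfile_is_safe FILE
# Returns 0 when FILE exists, is a regular file and is not a symbolic link.
# A symlink at the output path is exactly what the advisory's attack relies
# on, so this is the property the script must hold before writing as root.
tmpfile_is_safe() {
    f=$1
    [ -e "$f" ] || return 1      # must exist (mktemp created it)
    [ ! -L "$f" ] || return 1    # must not be a symbolic link
    [ -f "$f" ] || return 1      # must be a regular file
    return 0
}

# run_to_private_tmp COMMAND [ARGS...]
# Runs COMMAND with stdout/stderr captured in a private temp file created
# by mktemp (mode 0600, unique name), prints the output, removes the file
# and returns COMMAND's exit status.  Contrast with the weak pattern
# described above, "dhcpd -t > /tmp/<fixed-name>", which is never used here.
run_to_private_tmp() {
    tmp=$(mktemp /tmp/dhcpd-configtest.XXXXXX) || return 2
    tmpfile_is_safe "$tmp" || { rm -f "$tmp"; return 2; }
    "$@" >"$tmp" 2>&1
    rc=$?
    cat "$tmp"
    rm -f "$tmp"
    return "$rc"
}

# safe_configtest
# The init-script "configtest" action, hardened: syntax-checks the
# configuration without ever writing to a predictable path.
safe_configtest() {
    run_to_private_tmp "$DHCPD_BIN" -t -cf "$DHCPD_CONF"
}
```

    The same run_to_private_tmp helper serves the "restart" and "reload"
    actions the advisory names, since they invoke the same syntax check.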

    The following table lists what action remediates the vulnerability
    in the Service Console (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      ESX350-200910406-SG
    ESX            3.0.3     ESX      ESX303-200910402-SG
    ESX            2.5.5     ESX      not affected

    ESX 3.5 and later have a DHCP client component outside of the
    Service Console. The following table lists what action remediates
    the vulnerability in this component (column 4) if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           4.0       ESXi     ESXi400-200911201-UG
    ESXi           3.5       ESXi     not affected

    ESX            4.0       ESX      ESX400-200912404-SG
    ESX            3.5       ESX      ESX350-200910401-SG
    ESX            3.0.3     ESX      not affected
    ESX            2.5.5     ESX      not affected

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 b. Updated Service Console package kernel

    Service Console package kernel update to version
    kernel-2.4.21-58.EL.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2008-4210, CVE-2008-3275, CVE-2008-0598,
    CVE-2008-2136, CVE-2008-2812, CVE-2007-6063, CVE-2008-3525 to the
    security issues fixed in kernel-2.4.21-58.EL

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        any       Windows  not applicable

    hosted *       any       any      not applicable

    ESXi           any       ESXi     not applicable

    ESX            4.0       ESX      not applicable
    ESX            3.5       ESX      ESX350-200910401-SG
    ESX            3.0.3     ESX      affected, no update planned
    ESX            2.5.5     ESX      not applicable

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 c. JRE Security Update

    JRE update to version 1.5.0_18, which addresses multiple security
    issues that existed in earlier releases of JRE.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the following names to the security issues fixed in
    JRE 1.5.0_17: CVE-2008-2086, CVE-2008-5347, CVE-2008-5348,
    CVE-2008-5349, CVE-2008-5350, CVE-2008-5351, CVE-2008-5352,
    CVE-2008-5353, CVE-2008-5354, CVE-2008-5356, CVE-2008-5357,
    CVE-2008-5358, CVE-2008-5359, CVE-2008-5360, CVE-2008-5339,
    CVE-2008-5342, CVE-2008-5344, CVE-2008-5345, CVE-2008-5346,
    CVE-2008-5340, CVE-2008-5341, CVE-2008-5343, and CVE-2008-5355.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the following names to the security issues fixed in
    JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,
    CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,
    CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,
    CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.

   The following table lists what action remediates the vulnerability
   (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.0       Windows  see VMSA-2009-0016
    VirtualCenter  2.5       Windows  affected, patch pending **
    VirtualCenter  2.0.2     Windows  affected, patch pending

    Workstation    any       any      not affected

    Player         any       any      not affected

    Server         2.0       any      affected, patch pending
    Server         1.0       any      not affected

    ACE            any       any      not affected

    Fusion         any       any      not affected

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      see VMSA-2009-0016
    ESX            3.5       ESX      ESX350-200910403-SG
    ESX            3.0.3     ESX      affected, patch pending
    ESX            2.5.5     ESX      not affected

    ** JRE will be updated to version 1.5.0_20 in the next update release

    Notes: These vulnerabilities can be exploited remotely only if the
           attacker has access to the Service Console network.

           Security best practices provided by VMware recommend that the
           Service Console be isolated from the VM network. Please see
           http://www.vmware.com/resources/techresources/726 for more
           information on VMware security best practices.

           The currently installed version of JRE depends on your patch
           deployment history.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESXi
   ----
   ESXi400-200911201-UG (DHCP)
   ESXi-4.0.0-update01.zip
   md5sum: c6fdd6722d9e5cacb280bdcc2cca0627
   sha1sum: de9d4875f86b6493f9da991a8cff37784215db2e
   http://kb.vmware.com/kb/1014886

   ESX 4.0
   -------
   ESX400-200912404-SG (DHCP)
   http://download3.vmware.com/software/vi/ESX400-200912001.zip XXXXX
   md5sum: 78c6cf139b7941dc736c9d3a41deae77
   sha1sum: 36df3a675fbd3c8c8830f00637e37ee716bdac59
   http://kb.vmware.com/kb/1016294

   To install an individual bulletin, use esxupdate with the -b option:
   esxupdate --bundle=ESX400-200912001.zip -b ESX400-200912404-SG update

   ESX 3.5
   -------
   ESX350-200910406-SG (DHCP Service Console)
   http://download3.vmware.com/software/vi/ESX350-200910406-SG.zip
   md5sum: dab682b1e3897fd43e2e7f90aa1156fc
   sha1sum: 0962718f65d4c2f76657369ada4a61848253174e
   http://kb.vmware.com/kb/1013129

   ESX350-200910401-SG (DHCP third party library, kernel)
   http://download3.vmware.com/software/vi/ESX350-200910401-SG.zip
   md5sum: 73435b0495a61b00bedbead140b2a262
   sha1sum: a957d57cf0df58d8a40759dce62efbf12a6c229c
   http://kb.vmware.com/kb/1013124

   ESX350-200910403-SG (JRE)
   http://download3.vmware.com/software/vi/ESX350-200910403-SG.zip
   md5sum: 0e90be5bd6aa986dc2356563e809a54f
   sha1sum: a5968cf6db78e28d79a4fd0b4df172cadf0f7129
   http://kb.vmware.com/kb/1013126

   ESX 3.0.3
   ---------
   ESX303-200910402-SG (DHCP Service Console)
   http://download3.vmware.com/software/vi/ESX303-200910402-SG.zip
   md5sum: 59a090cf37971e7f13385b9f53cdf3ca
   sha1sum: 3af9cf1b15dc151bce06c89cc0d81e1a7cf9c80e
   http://kb.vmware.com/kb/1014758
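   The Solution section asks that the md5sum of each downloaded bundle be
   verified before installation. As an added example (not part of the VMware
   advisory or of esxupdate), the helper below compares both the md5sum and
   the sha1sum of a downloaded file against the values published above and
   only then hands the bundle to esxupdate in the form the advisory shows for
   ESX 4.0. The function names and the local file path are assumptions; the
   hash values quoted in the comment are copied from the ESX 4.0 entry above.

```shell
# Added example: verify a downloaded patch bundle before installing it.
# Not part of the VMware advisory; verify_bundle/install_verified are
# example names.

# verify_bundle FILE EXPECTED_MD5 EXPECTED_SHA1
# Returns 0 only when both digests match; reports each mismatch on stderr.
verify_bundle() {
    file=$1; want_md5=$2; want_sha1=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    have_md5=$(md5sum "$file" | cut -d' ' -f1)
    have_sha1=$(sha1sum "$file" | cut -d' ' -f1)
    rc=0
    if [ "$have_md5" != "$want_md5" ]; then
        echo "md5 mismatch for $file: got $have_md5" >&2; rc=1
    fi
    if [ "$have_sha1" != "$want_sha1" ]; then
        echo "sha1 mismatch for $file: got $have_sha1" >&2; rc=1
    fi
    return "$rc"
}

# install_verified BUNDLE BULLETIN EXPECTED_MD5 EXPECTED_SHA1
# Installs the single bulletin from BUNDLE with esxupdate, but only after
# verify_bundle succeeds; a digest mismatch aborts before anything is applied.
install_verified() {
    bundle=$1; bulletin=$2; md5=$3; sha1=$4
    verify_bundle "$bundle" "$md5" "$sha1" || return 1
    esxupdate --bundle="$bundle" -b "$bulletin" update
}

# Usage on an ESX 4.0 host, with the digests published in the advisory
# (assumes the bundle was downloaded to the current directory):
#   install_verified ESX400-200912001.zip ESX400-200912404-SG \
#       78c6cf139b7941dc736c9d3a41deae77 \
#       36df3a675fbd3c8c8830f00637e37ee716bdac59
```

   Checking both digests matters here because the advisory publishes both; a
   file that matches only one of them should be treated as a bad download.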

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1893
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4210
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3275
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0598
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2136
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2812
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6063
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3525
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2086
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5347
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5348
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5349
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5350
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5351
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5352
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5354
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5356
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5357
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5358
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5359
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5360
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5339
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5342
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5344
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5345
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5346
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5340
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5341
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5343
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5355
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107

- - ------------------------------------------------------------------------
6. Change log

2009-10-16  VMSA-2009-0014
Initial security advisory after release of ESX 3.5 patch 18 and
ESX 3.0.3 patch 11 on 2009-10-16.
2009-11-20  VMSA-2009-0014.1
Updated after release of vCenter and ESX Update 1 on 2009-11-19.
2010-01-06  VMSA-2009-0014.2
Updated after release of ESX 4.0 patch for ESX400-200912404-SG
on 2010-01-06.

- - -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2009-2010 VMware Inc.  All rights reserved.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFLRYoES2KysvBH1xkRAvNMAJ45ORPjjwN9Z3yDxa0HmvwHZcZIYgCeOgVM
gqnU3owlBs0MidINLQwD4AI=
=9Ct/
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://www.auscert.org.au/1967

iD8DBQFLRnaiNVH5XJJInbgRAoUfAJ9/B1R7h+7DIv9nDc+VEDA/fpjV5gCcCkKI
VYWV6iwq5Nho3rQihdG60DY=
=ei5+
-----END PGP SIGNATURE-----