exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

VMware Security Advisory 2008-0005

VMware Security Advisory 2008-0005
Posted Mar 19, 2008
Authored by VMware | Site vmware.com

VMware Security Advisory - VMWare has addressed a folder traversal vulnerability, an insecure named pipe vulnerability, libpng, and various other bits and pieces.

tags | advisory
advisories | CVE-2008-0923, CVE-2008-0923, CVE-2008-1361, CVE-2008-1362, CVE-2007-5269, CVE-2006-2940, CVE-2006-2937, CVE-2006-4343, CVE-2006-4339, CVE-2007-5618, CVE-2008-1364, CVE-2008-1363, CVE-2008-1340
SHA-256 | 42fe37cf6697bb1a04612faac0d018560285c356a5e5480bf92552485d44e572

VMware Security Advisory 2008-0005

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------
~ VMware Security Advisory

Advisory ID: VMSA-2008-0005
Synopsis: Updated VMware Workstation, VMware Player, VMware
~ Server, VMware ACE, and VMware Fusion resolve
~ critical security issues
Issue date: 2008-03-17
Updated on: 2008-03-17 (initial release of advisory)
CVE numbers: CVE-2008-0923 CVE-2008-0923 CVE-2008-1361
~ CVE-2008-1362 CVE-2007-5269 CVE-2006-2940
~ CVE-2006-2937 CVE-2006-4343 CVE-2006-4339
~ CVE-2007-5618 CVE-2008-1364 CVE-2008-1363
~ CVE-2008-1340
- -------------------------------------------------------------------

1. Summary:

~ Several critical security vulnerabilities have been addressed
~ in the newest releases of VMware's hosted product line.

2. Relevant releases:

~ VMware Workstation 6.0.2 and earlier
~ VMware Workstation 5.5.4 and earlier
~ VMware Player 2.0.2 and earlier
~ VMware Player 1.0.4 and earlier
~ VMware ACE 2.0.2 and earlier
~ VMware ACE 1.0.2 and earlier
~ VMware Server 1.0.4 and earlier
~ VMware Fusion 1.1 and earlier

3. Problem description:

~ a. Host to guest shared folder (HGFS) traversal vulnerability

~ On Windows hosts, if you have configured a VMware host to guest
~ shared folder (HGFS), it is possible for a program running in the
~ guest to gain access to the host's file system and create or modify
~ executable files in sensitive locations.

NOTE: VMware Server is not affected because it doesn't use host to
~ guest shared folders. No versions of ESX Server, including
~ ESX Server 3i, are affected by this vulnerability. Because
~ ESX Server is based on a bare-metal hypervisor architecture
~ and not a hosted architecture, and it doesn't include any
~ shared folder abilities. Fusion and Linux based hosted
~ products are unaffected.

~ VMware would like to thank CORE Security Technologies for
~ working with us on this issue. This addresses advisory
~ CORE-2007-0930.

~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ has assigned the name CVE-2008-0923 to this issue.

~ Hosted products
~ ---------------
~ VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~ VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~ VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
~ VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
~ VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
~ VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)

~ b. Insecure named pipes

~ An internal security audit determined that a malicious Windows
~ user could attain and exploit LocalSystem privileges by causing
~ the authd process to connect to a named pipe that is opened and
~ controlled by the malicious user.

~ The same internal security audit determined that a malicious
~ Windows user could exploit an insecurely created named pipe
~ object to escalate privileges or create a denial of service
~ attack. In this situation, the malicious user could
~ successfully impersonate authd and attain privileges under
~ which Authd is executing.

~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ has assigned the names CVE-2008-1361, CVE-2008-1362 to these
~ issues.

~ Windows Hosted products
~ ---------------
~ VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~ VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~ VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
~ VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
~ VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
~ VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
~ VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)

~ c. Updated libpng library to version 1.2.22 to address various
~ security vulnerabilities

~ Several flaws were discovered in the way libpng handled various PNG
~ image chunks. An attacker could create a carefully crafted PNG
~ image file in such a way that it could cause an application linked
~ with libpng to crash when the file was manipulated.

~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ has assigned the name CVE-2007-5269 to this issue.

~ Hosted products
~ ---------------
~ VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~ VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~ VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
~ VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
~ VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
~ VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
~ VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)

~ NOTE: Fusion is not affected by this issue.

~ d. Updated OpenSSL library to address various security vulnerabilities

~ Updated OpenSSL fixes several security flaws were discovered
~ in previous versions of OpenSSL.

~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ assigned the following names to these issues: CVE-2006-2940,
~ CVE-2006-2937, CVE-2006-4343, CVE-2006-4339.

~ Hosted products
~ ---------------
~ VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~ VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~ VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
~ VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
~ VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
~ VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
~ VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)

~ NOTE: Fusion is not affected by this issue.

~ e. VIX API default setting changed to a more secure default value

~ Workstation 6.0.2 allowed anonymous console access to the guest by
~ means of the VIX API. This release, Workstation 6.0.3, disables
~ this feature. This means that the Eclipse Integrated Virtual
~ Debugger and the Visual Studio Integrated Virtual Debugger will now
~ prompt for user account credentials to access a guest.

~ Hosted products
~ ---------------
~ VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~ VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
~ VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)

~ f. Windows 2000 based hosted products privilege escalation
~ vulnerability

~ This release addresses a potential privilege escalation on
~ Windows 2000 hosted products. Certain services may be improperly
~ registered and present a security vulnerability to Windows 2000
~ machines.

~ VMware would like to thank Ray Hicken for reporting this issue and
~ David Maciejak for originally pointing out these types of
~ vulnerabilities.

~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ assigned the name CVE-2007-5618 to this issue.

~ Windows versions of Hosted products
~ ---------------
~ VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~ VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~ VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
~ VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
~ VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
~ VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
~ VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)

~ NOTE: Fusion and Linux based products are not affected by this
~ issue.

~ g. DHCP denial of service vulnerability

~ A potential denial of service issue affects DHCP service running
~ on the host.

~ VMware would like to thank Martin O'Neal for reporting this issue.

~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ assigned the name CVE-2008-1364 to this issue.

~ Hosted products
~ ---------------
~ VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~ VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
~ VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
~ VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)
~ VMware Fusion 1.1 upgrade to version 1.1.1 (Build# 72241)

~ NOTE: This issue doesn't affect the latest versions of VMware
~ Workstation 6, VMware Player 2, and ACE 2 products.

~ h. Local Privilege Escalation on Windows based platforms by
~ Hijacking VMware VMX configuration file

~ VMware uses a configuration file named "config.ini" which
~ is located in the application data directory of all users.
~ By manipulating this file, a user could gain elevated
~ privileges by hijacking the VMware VMX process.

~ VMware would like to thank Sun Bing for reporting the issue.

~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ assigned the name CVE-2008-1363 to this issue.

~ Windows based Hosted products
~ ---------------
~ VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~ VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~ VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
~ VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
~ VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
~ VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
~ VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)

~ i. Virtual Machine Communication Interface (VMCI) memory corruption
~ resulting in denial of service

~ VMCI was introduced in VMware Workstation 6.0, VMware Player 2.0,
~ and VMware ACE 2.0. It is an experimental, optional feature and
~ it may be possible to crash the host system by making specially
~ crafted calls to the VMCI interface. This may result in denial
~ of service via memory exhaustion and memory corruption.

~ VMware would like to thank Andrew Honig of the Department of
~ Defense for reporting this issue.

~ The Common Vulnerabilities and Exposures project (cve.mitre.org)
~ assigned the name CVE-2008-1340 to this issue.

~ Hosted products
~ ---------------
~ VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~ VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
~ VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)

4. Solution:

Please review the Patch notes for your product and version and verify
the md5sum of your downloaded file.

~ VMware Workstation 6.0.3
~ ------------------------
~ http://www.vmware.com/download/ws/
~ Release notes:
~ http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
~ Windows binary
~ md5sum: 323f054957066fae07735160b73b91e5
~ RPM Installation file for 32-bit Linux
~ md5sum: c44183ad11082f05593359efd220944e
~ tar Installation file for 32-bit Linux
~ md5sum: 57601f238106cb12c1dea303ad1b4820
~ RPM Installation file for 64-bit Linux
~ md5sum: e9ba644be4e39556724fa2901c5e94e9
~ tar Installation file for 64-bit Linux
~ md5sum: d8d423a76f99a94f598077d41685e9a9

~ VMware Workstation 5.5.5
~ ------------------------
~ http://www.vmware.com/download/ws/ws5.html
~ Release notes:
~ http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html
~ Windows binary
~ md5sum: 9c2dd94db5eed93d7f64e8d6ba8d8bd3
~ Compressed Tar archive for 32-bit Linux
~ md5sum: 77401c0842a151f0b2db0b4fcb0d16eb
~ Linux RPM version for 32-bit Linux
~ md5sum: c222b6db934deb9c1bb79b16b25a3202

~ VMware Server 1.0.5
~ -------------------
~ http://www.vmware.com/download/server/
~ Release notes:
~ http://www.vmware.com/support/server/doc/releasenotes_server.html
~ VMware Server for Windows 32-bit and 64-bit
~ md5sum: 3c4a57310c55e17bf8e4a1059d5b36cc
~ VMware Server Windows client package
~ md5sum: cb3dd2439203dc510f4d95f06ba59d21
~ VMware Server for Linux
~ md5sum: 161dcbe5af9bbd9834a86bf7c599903e
~ VMware Server for Linux rpm
~ md5sum: fc3b81ed18b53eda943a992971e9f84a
~ Management Interface
~ md5sum: dd10d25895d9994bd27ca896152f48ef
~ VMware Server Linux client package
~ md5sum: aae18f1f7b8811b5499e3a358754d4f8

~ VMware ACE 2.0.3 and 1.0.5
~ --------------------------
~ http://www.vmware.com/download/ace/
~ Windows Release notes:
~ http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html

~ VMware Fusion 1.1.1
~ -------------------
~ http://www.vmware.com/download/fusion/
~ Release notes:
~ http://www.vmware.com/support/fusion/doc/releasenotes_fusion.html
~ md5sum: 38e116ec26b30e7a6ac47c249ef650d0

~ VMware Player 2.0.3 and 1.0.6
~ ----------------------
~ http://www.vmware.com/download/player/
~ Release notes Player 1.x:
~ http://www.vmware.com/support/player/doc/releasenotes_player.html
~ Release notes Player 2.0
~ http://www.vmware.com/support/player2/doc/releasenotes_player2.html
~ 2.0.3 Windows binary
~ md5sum: 0c5009d3b569687ae139e13d24c868d3
~ VMware Player 2.0.3 for Linux (.rpm)
~ md5sum: 53502b2112a863356dcd13dd0d8dd8f2
~ VMware Player 2.0.3 for Linux (.tar)
~ md5sum: 2305fcff49bef6e4ad83742412eac978
~ VMware Player 2.0.3 - 64-bit (.rpm)
~ md5sum: cf945b571c4d96146ede010286fdfca5
~ VMware Player 2.0.3 - 64-bit (.tar)
~ md5sum: f99c5b293eb87c5f918ad24111565b9f
~ 1.0.6 Windows binary
~ md5sum: 895081406c4de5361a1700ec0473e49c
~ Player 1.0.6 for Linux (.rpm)
~ md5sum: 8adb23799dd2014be0b6d77243c76942
~ Player 1.0.6 for Linux (.tar)
~ md5sum: c358f8e1387fb60863077d6f8a9f7b3f

5. References:

~ CVE numbers
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0923
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1361
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1362
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5618
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1364
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1363
~ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1340

- -------------------------------------------------------------------
6. Contact:

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

~ * security-announce@lists.vmware.com
~ * bugtraq@securityfocus.com
~ * full-disclosure@lists.grok.org.uk

E-mail: security@vmware.com

Security web site
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFH3yTxS2KysvBH1xkRCHq8AJ0QOMocv/gSz/hgdojA39PGVO6pUACePCRv
Cv8MnL2bYPyDfYQ3f4IUL+w=
=tFXS
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close