Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2005.1013 -- [Win][Linux]
VMware NAT Service vulnerable to buffer overflow via FTP PORT/EPRT commands
28 December 2005
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: VMWare Workstation 5.5 and prior
VMWare GSX Server 3.2 and prior
VMWare ACE 1.0.1 and prior
VMWare Player 1.0 and prior
Publisher: US-CERT
Operating System: Windows
Linux variants
Impact: Root Compromise
Administrator Compromise
Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2005-4459
Original Bulletin: http://www.kb.cert.org/vuls/id/856689
- --------------------------BEGIN INCLUDED TEXT--------------------
US-CERT Vulnerability Note VU#856689
VMware NAT Service vulnerable to buffer overflow via FTP PORT/EPRT commands
Overview
The VMware NAT Service used in multiple VMware products contains a buffer
overflow in the way it handles FTP PORT and EPRT commands. An attacker
could execute arbitrary code with the privileges of the NAT service or
cause a denial of service.
I. Description
VMware virtualization software provides Network Address Translation (NAT)
for guest systems to access networks. The VMware NAT Service does not
adequately validate parameters to the PORT and EPRT commands. As a result,
specially crafted PORT or EPRT commands can trigger a buffer overflow.
VMware Workstation, GSX Server, ACE, and Player products for Windows,
Linux, and Solaris host platforms are affected. Additional information
is available in VMware Knowledge Base Answer ID 2000.
To exploit this vulnerability, an attacker would need to convince a user
to run code provided by the attacker on a VMware guest/virtual system.
The attacker could then cross the boundary of the guest system and run
arbitrary code within the context of the NAT process on the VMware host
system. This attack vector may be of particular concern to users who
intentionally run untrusted code in VMware environments. An attacker
could also exploit this vulnerability remotely if the VMware NAT Service
is configured to forward connections to guest/virtual systems. By default,
the VMware NAT Service is not configured to forward connections, and in
either scenario it may be necessary for the attacker to connect to an
FTP server in order to issue crafted PORT or EPRT commands.
II. Impact
An attacker could execute arbitrary code with the privileges of the
VMware NAT Service (Local System on Windows platforms, root on Linux
platforms) or cause a denial of service.
III. Solution
Upgrade
This vulnerability is addressed in:
* VMware Workstation 5.5.1
* VMware GSX Server 3.2.1
* VMware ACE 1.0.2
* VMware Player 1.0.1
The latest releases of these products are available from the VMware
Download Center.
Disable VMware NAT Service
Disable the VMware NAT Service as described in VMware Knowledge Base
Answer ID 2002.
Systems Affected
Vendor Status Date Updated
VMware Vulnerable 21-Dec-2005
References
http://archives.neohapsis.com/archives/fulldisclosure/2005-12/1068.html
http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=2000
http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=2002
http://www.vmware.com/download/
http://www.ietf.org/rfc/rfc1631.txt
http://www.ietf.org/rfc/rfc2428.txt
http://secunia.com/advisories/18162/
http://www.securityfocus.com/bid/15998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-4459
Credit
This vulnerability was reported by Tim Shelton.
This document was written by Art Manion.
Other Information
Date Public 12/21/2005
Date First Published 12/21/2005 05:26:43 PM
Date Last Updated 12/23/2005
CERT Advisory
CVE Name CVE-2005-4459
Metric 4.36
Document Revision 24
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQ7ILPyh9+71yA2DNAQJdsgQAlBNeDVTSDLAENb2PQmQD39KrvysFGSVR
IVYHX9XccMgrEV72biGTQ/LO8+G/ZnyKTKOasHVZWu6wNLcMQmPN//89ol5txC66
g7FQprpPWKj4jvuAfCnssMY8yxRQrcghjPZ785zkd49MzSXYXHrinrnXdJQuFZ3U
9e23nqakKLg=
=5u7g
-----END PGP SIGNATURE-----