Published: 15 November 2006
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2006.0843
     [VMware ESX] Updated VMware ESX Server packages address several
                              security issues
                              15 November 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESX Server 2.5.4 Upgrade Patch 1
                   VMware ESX Server 2.5.3 Upgrade Patch 4
                   VMware ESX Server 2.1.3 Upgrade Patch 2
                   VMware ESX Server 2.0.2 Upgrade Patch 2
Publisher:         VMware
Impact:            Execute Arbitrary Code/Commands
                   Denial of Service
                   Access Privileged Data
                   Inappropriate Access
Access:            Remote/Unauthenticated
CVE Names:         CVE-2006-3467 CVE-2006-3403 CVE-2006-2071 CVE-2006-2069
                   CVE-2006-1864 CVE-2006-1343 CVE-2006-1342 CVE-2006-1056
                   CVE-2005-2491 CVE-2005-2177 CVE-2004-2069
Ref:               ESB-2006.0804 ESB-2006.0737 ESB-2006.0576 ESB-2006.0479
                   ESB-2006.0451 ESB-2006.0380 ESB-2005.0753

Original Bulletin:
  http://www.vmware.com/download/esx/esx-254-200610-patch.html
  http://www.vmware.com/download/esx/esx-253-200610-patch.html
  http://www.vmware.com/download/esx/esx-213-200610-patch.html
  http://www.vmware.com/download/esx/esx-202-200610-patch.html

Comment: Note that this bulletin contains four VMware advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:   VMSA-2006-0008
Synopsis:      VMware ESX Server 2.0.2 Upgrade Patch 2
Patch URL:     http://www.vmware.com/download/esx/esx-202-200610-patch.html
Issue date:    2006-10-31
Updated on:    2006-11-13
CVE Names:     CAN-2004-2069 CVE-2006-3403 CVE-2005-2177 CVE-2006-3467
               CVE-2006-1342 CVE-2006-1343 CVE-2006-1864 CVE-2006-2071
-------------------------------------------------------------------

1. Summary:

   Updated package addresses several security issues.

2. Relevant releases:

   VMware ESX 2.0.2 prior to upgrade patch 2

3. Problem description:

   This patch addresses the following security issues:

   Openssh -- A bug was found in the way the OpenSSH server handled the
   MaxStartups and LoginGraceTime configuration variables.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CAN-2004-2069 to this issue.

   samba -- A denial of service bug was found in the way the smbd daemon
   tracks active connections to shares. It was possible for a remote
   attacker to cause the smbd daemon to consume a large amount of system
   memory by sending carefully crafted smb requests.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2006-3403 to this issue.

   Python -- An integer overflow flaw was found in Python's PCRE library
   that could be triggered by a maliciously crafted regular expression.
   On systems that accept arbitrary regular expressions from untrusted
   users, this could be exploited to execute arbitrary code with the
   privileges of the application using the library.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2005-2491 to this issue.

   ucd-snmp -- A denial of service bug was found in the way ucd-snmp uses
   network stream protocols. A remote attacker could send a ucd-snmp agent
   a specially crafted packet which will cause the agent to crash.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CAN-2005-2177 to this issue.

   XFree86 -- An integer overflow flaw in the way the XFree86 server
   processes PCF font files was discovered. A malicious authorized client
   could exploit this issue to cause a denial of service (crash) or
   potentially execute arbitrary code with root privileges on the XFree86
   server.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2006-3467 to this issue.

   A minor info leak in socket name handling in the network code
   (CVE-2006-1342).

   A minor info leak in socket option handling in the network code
   (CVE-2006-1343).

   A directory traversal vulnerability in smbfs that allowed a local user
   to escape chroot restrictions for an SMB-mounted filesystem via "..\\"
   sequences (CVE-2006-1864).

   A flaw in the mprotect system call that allowed write permission to be
   given to a read-only attachment of shared memory (CVE-2006-2071).

   NOTE: AMD processors were not supported in the VMware ESX 2.0.2 release,
   so CVE-2006-1056 is not applicable to this version of the product.

   The non-security-related fixes are documented on the patch download
   page.

4. Solution:

   Upgrade to the latest update package for your release of ESX.

   http://www.vmware.com/download/esx/
   http://www.vmware.com/download/esx/esx-202-200610-patch.html

   The md5 checksum output should match the following:

   9e79d333ac9360122fb69bc8fc549405  esx-2.0.2-31924-upgrade.tar.gz

5. References:

   http://www.vmware.com/download/esx/esx-202-200610-patch.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2069
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2177
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3467
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1342
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1343
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1864
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2071
   http://www.vmware.com/products/esx/
   http://www.vmware.com/download/esx/

6. Contact:

   http://www.vmware.com/security

   VMware Security Response Policy
   http://www.vmware.com/vmtn/technology/security/security_response.html

   E-mail: security@vmware.com

   Copyright 2006 VMware Inc. All rights reserved.
-------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:   VMSA-2006-0007
Synopsis:      VMware ESX Server 2.1.3 Upgrade Patch 2
Patch URL:     http://www.vmware.com/download/esx/esx-213-200610-patch.html
Issue date:    2006-10-31
Updated on:    2006-11-13
CVE Names:     CAN-2004-2069 CVE-2006-3403 CVE-2005-2177 CVE-2006-3467
               CVE-2006-1056 CVE-2006-1342 CVE-2006-1343 CVE-2006-1864
               CVE-2006-2071
-------------------------------------------------------------------

1. Summary:

   Updated package addresses several security issues.

2. Relevant releases:

   VMware ESX 2.1.3 prior to upgrade patch 2

3. Problem description:

   This patch addresses the following security issues:

   Openssh -- A bug was found in the way the OpenSSH server handled the
   MaxStartups and LoginGraceTime configuration variables.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CAN-2004-2069 to this issue.

   samba -- A denial of service bug was found in the way the smbd daemon
   tracks active connections to shares. It was possible for a remote
   attacker to cause the smbd daemon to consume a large amount of system
   memory by sending carefully crafted smb requests.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2006-3403 to this issue.

   Python -- An integer overflow flaw was found in Python's PCRE library
   that could be triggered by a maliciously crafted regular expression.
   On systems that accept arbitrary regular expressions from untrusted
   users, this could be exploited to execute arbitrary code with the
   privileges of the application using the library.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2005-2491 to this issue.

   ucd-snmp -- A denial of service bug was found in the way ucd-snmp uses
   network stream protocols. A remote attacker could send a ucd-snmp agent
   a specially crafted packet which will cause the agent to crash.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CAN-2005-2177 to this issue.

   XFree86 -- An integer overflow flaw in the way the XFree86 server
   processes PCF font files was discovered. A malicious authorized client
   could exploit this issue to cause a denial of service (crash) or
   potentially execute arbitrary code with root privileges on the XFree86
   server.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2006-3467 to this issue.

   An AMD fxsave/restore security vulnerability. The instructions fxsave
   and fxrstor on AMD CPUs are used to save or restore the FPU registers
   (FOP, FIP and FDP). On AMD Opteron processors, these instructions do
   not save/restore some exception-related registers unless an exception
   is currently being serviced. This could allow a local attacker to
   partially monitor the execution path of FPU processes, possibly
   allowing them to obtain sensitive information being passed through
   those processes.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2006-1056 to this issue.

   A minor info leak in socket name handling in the network code
   (CVE-2006-1342).

   A minor info leak in socket option handling in the network code
   (CVE-2006-1343).

   A directory traversal vulnerability in smbfs that allowed a local user
   to escape chroot restrictions for an SMB-mounted filesystem via "..\\"
   sequences (CVE-2006-1864).

   A flaw in the mprotect system call that allowed write permission to be
   given to a read-only attachment of shared memory (CVE-2006-2071).

   The non-security-related fixes are documented on the patch download
   page.

4. Solution:

   Upgrade to the latest update package for your release of ESX.

   http://www.vmware.com/download/esx/
   http://www.vmware.com/download/esx/esx-213-200610-patch.html

   The md5 checksum output should match the following:

   c7057896ee275ce28b0b94a2186c1232  esx-2.1.3-24171-upgrade.tar.gz

5. References:

   http://www.vmware.com/download/esx/esx-213-200610-patch.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2069
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2177
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3467
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1056
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1342
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1343
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1864
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2071
   http://www.vmware.com/products/esx/
   http://www.vmware.com/download/esx/

6. Contact:

   http://www.vmware.com/security

   VMware Security Response Policy
   http://www.vmware.com/vmtn/technology/security/security_response.html

   E-mail: security@vmware.com

   Copyright 2006 VMware Inc. All rights reserved.
-------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:   VMSA-2006-0006
Synopsis:      VMware ESX Server 2.5.3 Upgrade Patch 4
Patch URL:     http://www.vmware.com/download/esx/esx-253-200610-patch.html
Issue date:    2006-10-31
Updated on:    2006-11-13
CVE Names:     CAN-2004-2069 CVE-2006-3403 CVE-2005-2177 CVE-2006-3467
               CVE-2006-1056 CVE-2006-1342 CVE-2006-1343 CVE-2006-1864
               CVE-2006-2071
-------------------------------------------------------------------

1. Summary:

   Updated package addresses several security issues.

2. Relevant releases:

   VMware ESX 2.5.3 prior to upgrade patch 4

3. Problem description:

   This patch addresses the following security issues:

   Openssh -- A bug was found in the way the OpenSSH server handled the
   MaxStartups and LoginGraceTime configuration variables.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CAN-2004-2069 to this issue.

   samba -- A denial of service bug was found in the way the smbd daemon
   tracks active connections to shares. It was possible for a remote
   attacker to cause the smbd daemon to consume a large amount of system
   memory by sending carefully crafted smb requests.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2006-3403 to this issue.

   Python -- An integer overflow flaw was found in Python's PCRE library
   that could be triggered by a maliciously crafted regular expression.
   On systems that accept arbitrary regular expressions from untrusted
   users, this could be exploited to execute arbitrary code with the
   privileges of the application using the library.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2005-2491 to this issue.

   ucd-snmp -- A denial of service bug was found in the way ucd-snmp uses
   network stream protocols. A remote attacker could send a ucd-snmp agent
   a specially crafted packet which will cause the agent to crash.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CAN-2005-2177 to this issue.

   XFree86 -- An integer overflow flaw in the way the XFree86 server
   processes PCF font files was discovered. A malicious authorized client
   could exploit this issue to cause a denial of service (crash) or
   potentially execute arbitrary code with root privileges on the XFree86
   server.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2006-3467 to this issue.

   An AMD fxsave/restore security vulnerability. The instructions fxsave
   and fxrstor on AMD CPUs are used to save or restore the FPU registers
   (FOP, FIP and FDP). On AMD Opteron processors, these instructions do
   not save/restore some exception-related registers unless an exception
   is currently being serviced. This could allow a local attacker to
   partially monitor the execution path of FPU processes, possibly
   allowing them to obtain sensitive information being passed through
   those processes.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2006-1056 to this issue.

   A minor info leak in socket name handling in the network code
   (CVE-2006-1342).

   A minor info leak in socket option handling in the network code
   (CVE-2006-1343).

   A directory traversal vulnerability in smbfs that allowed a local user
   to escape chroot restrictions for an SMB-mounted filesystem via "..\\"
   sequences (CVE-2006-1864).

   A flaw in the mprotect system call that allowed write permission to be
   given to a read-only attachment of shared memory (CVE-2006-2071).

   The non-security-related fixes are documented on the patch download
   page.

4. Solution:

   Upgrade to the latest update package for your release of ESX.

   http://www.vmware.com/download/esx/
   http://www.vmware.com/download/esx/esx-253-200610-patch.html

   The md5 checksum output should match the following:

   4852f5a00e29b5780d9d0fadc0d28f3e  esx-2.5.3-32134-upgrade.tar.gz

   Please DO NOT apply this patch on SunFire X4100 or X4200 servers. For
   further details, please refer to knowledge base article 2085:
   Installing ESX 2.5.3 on SunFire x4100 and x4200 Servers.
   http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=2085

5. References:

   http://www.vmware.com/download/esx/esx-253-200610-patch.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2069
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2177
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3467
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1056
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1342
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1343
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1864
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2071
   http://www.vmware.com/products/esx/
   http://www.vmware.com/download/esx/

6. Contact:

   http://www.vmware.com/security

   VMware Security Response Policy
   http://www.vmware.com/vmtn/technology/security/security_response.html

   E-mail: security@vmware.com

   Copyright 2006 VMware Inc. All rights reserved.
-------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:   VMSA-2006-0005
Synopsis:      VMware ESX Server 2.5.4 Upgrade Patch 1
Patch URL:     http://www.vmware.com/download/esx/esx-254-200610-patch.html
Issue date:    2006-10-31
Updated on:    2006-11-13
CVE Names:     CVE-2005-2177 CVE-2006-3467 CVE-2006-1056 CVE-2006-1342
               CVE-2006-1343 CVE-2006-1864 CVE-2006-2071
-------------------------------------------------------------------

1. Summary:

   Updated package addresses several security issues.

2. Relevant releases:

   VMware ESX 2.5.4 prior to upgrade patch 1

3. Problem description:

   This patch addresses the following security issues:

   ucd-snmp -- A denial of service bug was found in the way ucd-snmp uses
   network stream protocols. A remote attacker could send a ucd-snmp agent
   a specially crafted packet which will cause the agent to crash.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CAN-2005-2177 to this issue.

   XFree86 -- An integer overflow flaw in the way the XFree86 server
   processes PCF font files was discovered. A malicious authorized client
   could exploit this issue to cause a denial of service (crash) or
   potentially execute arbitrary code with root privileges on the XFree86
   server.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2006-3467 to this issue.

   An AMD fxsave/restore security vulnerability. The instructions fxsave
   and fxrstor on AMD CPUs are used to save or restore the FPU registers
   (FOP, FIP and FDP). On AMD Opteron processors, these instructions do
   not save/restore some exception-related registers unless an exception
   is currently being serviced. This could allow a local attacker to
   partially monitor the execution path of FPU processes, possibly
   allowing them to obtain sensitive information being passed through
   those processes.
   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   assigned the name CVE-2006-1056 to this issue.

   A minor info leak in socket name handling in the network code
   (CVE-2006-1342).

   A minor info leak in socket option handling in the network code
   (CVE-2006-1343).

   A directory traversal vulnerability in smbfs that allowed a local user
   to escape chroot restrictions for an SMB-mounted filesystem via "..\\"
   sequences (CVE-2006-1864).

   A flaw in the mprotect system call that allowed write permission to be
   given to a read-only attachment of shared memory (CVE-2006-2071).

   The non-security-related fixes are documented on the patch download
   page.

4. Solution:

   Upgrade to the latest update package for your release of ESX.

   http://www.vmware.com/download/esx/
   http://www.vmware.com/download/esx/esx-254-200610-patch.html

   The md5 checksum output should match the following:

   6bc66a5cdbfea08f762f375f2488998b  esx-2.5.4-32461-upgrade.tar.gz

5. References:

   http://www.vmware.com/download/esx/esx-254-200610-patch.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2177
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3467
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1056
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1342
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1343
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1864
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2071
   http://www.vmware.com/products/esx/
   http://www.vmware.com/download/esx/

6. Contact:

   http://www.vmware.com/security

   VMware Security Response Policy
   http://www.vmware.com/vmtn/technology/security/security_response.html

   E-mail: security@vmware.com

   Copyright 2006 VMware Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
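The checksum step in section 4 of each included advisory, together with the per-advisory CVE lists, as an added example that is not part of the AusCERT bulletin or of VMware's tooling: it pulls the advisory ID, affected release, CVE names and expected md5 out of bulletin text in the layout above, collapses the old CAN- prefix (the same entry appears as CAN-2004-2069 in VMware's header and CVE-2004-2069 in AusCERT's summary), and checks a downloaded upgrade tarball against the listed md5. The sample text is a constructed excerpt of two of the four advisories; the function names are this example's own.

```python
"""Added example (not from the bulletin or VMware): extract advisory ID, release,
CVE names and expected md5 from VMSA advisories laid out as above, then check a
downloaded upgrade tarball against that md5."""
import hashlib
import re

# Constructed excerpt in the layout of two of the four advisories above.
SAMPLE = """\
Advisory ID:   VMSA-2006-0008
CVE Names:     CAN-2004-2069 CVE-2006-3403 CVE-2005-2177 CVE-2006-3467
               CVE-2006-1342 CVE-2006-1343 CVE-2006-1864 CVE-2006-2071
2. Relevant releases: VMware ESX 2.0.2 prior to upgrade patch 2
   Python -- An integer overflow flaw was found in Python's PCRE library.
   The CVE project assigned the name CVE-2005-2491 to this issue.
4. Solution:
   The md5 checksum output should match the following:
   9e79d333ac9360122fb69bc8fc549405  esx-2.0.2-31924-upgrade.tar.gz
5. References:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2069

Advisory ID:   VMSA-2006-0005
CVE Names:     CVE-2005-2177 CVE-2006-3467 CVE-2006-1056 CVE-2006-1342
               CVE-2006-1343 CVE-2006-1864 CVE-2006-2071
2. Relevant releases: VMware ESX 2.5.4 prior to upgrade patch 1
   6bc66a5cdbfea08f762f375f2488998b  esx-2.5.4-32461-upgrade.tar.gz
"""

# CAN- was MITRE's pre-2005 "candidate" prefix: CAN-2004-2069 and CVE-2004-2069
# name the same entry, so both spellings collapse to the CVE- form.
CVE_RE = re.compile(r"\b(?:CVE|CAN)-(\d{4}-\d{4,})\b")
MD5_RE = re.compile(r"^\s*([0-9a-fA-F]{32})\s+(esx-\S+\.tar\.gz)\s*$", re.M)
ID_RE = re.compile(r"Advisory ID:\s*(VMSA-\d{4}-\d{4})")
REL_RE = re.compile(r"Relevant releases:\s*(.+)")


def parse_advisories(text):
    """Split bulletin text at each 'Advisory ID:' line; return one dict per advisory."""
    found = []
    for block in re.split(r"(?=Advisory ID:)", text):
        ident = ID_RE.search(block)
        if not ident:
            continue                       # preamble before the first advisory
        release, digest = REL_RE.search(block), MD5_RE.search(block)
        cves = []                          # distinct names in order of first mention
        for num in CVE_RE.findall(block):  # header list, body text and reference URLs
            if "CVE-" + num not in cves:
                cves.append("CVE-" + num)
        found.append({"id": ident.group(1),
                      "release": release.group(1).strip() if release else "",
                      "cves": cves,
                      "md5": digest.group(1).lower() if digest else "",
                      "package": digest.group(2) if digest else ""})
    return found


def fixed_by(advisories, cve):
    """Advisory IDs whose header or body mentions the given CVE (or CAN) name."""
    want = "CVE-" + CVE_RE.match(cve).group(1)
    return [a["id"] for a in advisories if want in a["cves"]]


def verify_bytes(data, expected_md5):
    # md5 only detects a corrupted download; authenticity of the package rests on
    # the bulletin's PGP signature and the vendor's site, not on this digest.
    return hashlib.md5(data).hexdigest() == expected_md5.strip().lower()
```

Note that the Python PCRE issue (CVE-2005-2491) is described in the body of VMSA-2006-0008 but absent from its CVE Names header, which is why the parser collects names from both.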