-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                       ESB-2008.0023 -- [VMware ESX]
       Moderate OpenPegasus PAM Authentication Buffer, Overflow and
                     updated service console packages
                              23 January 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              ESX Server 3.0.2 without patches ESX-1002969,
                          ESX-1002970, ESX-1002971, ESX-1002975, ESX-1002976
                      ESX Server 3.0.1 without patches ESX-1002962,
                          ESX-1002963, ESX-1002964, ESX-1002968, ESX-1002972,
                          ESX-1003176
Publisher:            VMWare
Operating System:     VMWare ESX Server
Impact:               Root Compromise
                      Execute Arbitrary Code/Commands
                      Increased Privileges
                      Access Privileged Data
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-5398 CVE-2007-5360 CVE-2007-5191
                      CVE-2007-5135 CVE-2007-5116 CVE-2007-4572
                      CVE-2007-3108

Revision History:     January 23 2008: Updated Relevant releases
                      January  8 2008: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2008-0001.1
Synopsis:          Moderate OpenPegasus PAM Authentication Buffer
                   Overflow and updated service console packages
Issue date:        2008-01-07
Updated on:        2008-01-22
CVE numbers:       CVE-2007-5360 CVE-2007-5398 CVE-2007-4572
                   CVE-2007-5191 CVE-2007-5116 CVE-2007-3108
                   CVE-2007-5135
- - -------------------------------------------------------------------

1. Summary:

Updated service console patches

2. Relevant releases:

ESX Server 3.5 without patches ESX350-200712402-SG, ESX350-200712403-SG,
ESX350-200712404-SG

ESX Server 3.0.2 without patches ESX-1002969, ESX-1002970, ESX-1002971,
ESX-1002975, ESX-1002976

ESX Server 3.0.1 without patches ESX-1002962, ESX-1002963, ESX-1002964,
ESX-1002968, ESX-1002972, ESX-1003176

ESX Server 2.5.5 before Upgrade Patch 3
ESX Server 2.5.5 before Upgrade Patch 14

3. Problem description:

 I   Service Console package security updates

   a. OpenPegasus PAM Authentication Buffer Overflow

   Alexander Sotirov from VMware Security Research discovered a
   buffer overflow vulnerability in the OpenPegasus Management server.
   This flaw could be exploited by a malicious remote user on the
   service console network to gain root access to the service console.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2007-5360 to this issue.

   RPM Updated: pegasus-2.5-552927
   VM Shutdown: No
   Host Reboot: No

   Note: ESX Server 3.5 and ESX Server 3i are not affected by this
         issue.

   ESX Server 3.0.2
   http://download3.vmware.com/software/vi/ESX-1002970.tgz
   md5sum: d19115e965d486e72100ce489efea707
   http://kb.vmware.com/kb/1002970

   ESX Server 3.0.1
   http://download3.vmware.com/software/vi/ESX-1003176.tgz
   md5sum: 5674ca0dcfac90726014cc316444996e
   http://kb.vmware.com/kb/1003176

   ESX Server 2.5.x

   Users should remove the OpenPegasus CIM Management rpm.  This
   component is disabled by default, and VMware recommends that you
   do not use this component of ESX Server 2.x.  If you want to
   use the CIM functionality, upgrade to ESX Server 3.0.1 or a later
   release.

   Note: This vulnerability can be exploited remotely only if the
         attacker has access to the service console network.

         Security best practices provided by VMware recommend that the
         service console be isolated from the VM network. Please see
         http://www.vmware.com/resources/techresources/726 for more
         information on VMware security best practices.


   b.   Updated Samba package

        An issue where attackers on the service console management
        network can cause a stack-based buffer overflow in the
        reply_netbios_packet function of nmbd in Samba. On systems
        where Samba is being used as a WINS server, exploiting this
        vulnerability can allow remote attackers to execute arbitrary
        code via crafted WINS Name Registration requests followed by a
        WINS Name Query request.

        An issue where attackers on the service console management
        network can exploit a vulnerability that occurs when Samba is
        configured as a Primary or Backup Domain controller. The
        vulnerability allows remote attackers to have an unknown impact
        via crafted GETDC mailslot requests, related to handling of
        GETDC logon server requests.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the names CVE-2007-5398 and CVE-2007-4572 to these
        issues.

  Note: By default Samba is not configured as a WINS server or a domain
        controller and ESX is not vulnerable unless the administrator
        has changed the default configuration.

        This vulnerability can be exploited remotely only if the
        attacker has access to the service console network.

        Security best practices provided by VMware recommend that the
        service console be isolated from the VM network. Please see
        http://www.vmware.com/resources/techresources/726 for more
        information on VMware security best practices.

        RPM Updated:
        samba-3.0.9-1.3E.14.1vmw
        samba-client-3.0.9-1.3E.14.1vmw
        samba-common-3.0.9-1.3E.14.1vmw

        VM Shutdown: Yes
        Host Reboot: Yes

        ESX Server 3.5.0
        http://download3.vmware.com/software/vi/ESX350-200712402-SG
        md5sum: d83eeef80e27b739546915bc17390ac0
        http://kb.vmware.com/kb/1003204

        ESX Server 3.0.2
        http://download3.vmware.com/software/vi/ESX-1002975.tgz
        md5sum: 797a7494c2c4eb49629d3f94818df5dd
        http://kb.vmware.com/kb/1002975

        ESX Server 3.0.1
        http://download3.vmware.com/software/vi/ESX-1002968.tgz
        md5sum: 5106d90afaf77c3a0d8433487f937d06
        http://kb.vmware.com/kb/1002968

        ESX Server 2.5.5 download Upgrade Patch 3
        ESX Server 2.5.4 download Upgrade Patch 14

   c.   Updated util-linux package

        The patch addresses an issue where the mount and umount
        utilities in util-linux call the setuid and setgid functions in
        the wrong order and do not check the return values, which could
        allow attackers to gain elevated privileges via helper
        application such as mount.nfs.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CVE-2007-5191 to this issue.

        RPM Updated:
        util-linux-2.11y-31.24vmw
        losetup-2.11y-31.24vmw
        mount -2.11y-31.24vmw

        VM Shutdown: Yes
        Host Reboot: Yes

        ESX Server 3.5
        http://download3.vmware.com/software/vi/ESX350-200712403-SG.zip
        md5sum: 0656cc3da5a92b22a337ad27ae6f8a6b
        http://kb.vmware.com/kb/1003205

        ESX Server 3.0.2
        http://download3.vmware.com/software/vi/ESX-1002976.tgz
        md5sum: 0fe833c50c0ecb0ff9340d6674be2e43
        http://kb.vmware.com/kb/1002976

        ESX Server 3.0.1
        http://download3.vmware.com/software/vi/ESX-1002972.tgz
        md5sum: 59ca4a43f330c5f0b7a55693aa952cdc
        http://kb.vmware.com/kb/1002972


   d.   Updated Perl package

        The update addresses an issue where the regular expression
        engine in Perl can be used to issue a specially crafted regular
        expression that allows the attacker to run arbitrary code with
        the permissions level of the current Perl user.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CVE-2007-5116 to this issue.

        RPM Updated:
        perl-5.8.0-97.EL3

        VM Shutdown: Yes
        Host Reboot: Yes

        ESX Server 3.5
        http://download3.vmware.com/software/vi/ESX350-200712404-SG.zip
        md5sum: 8f75050d73289cdf74563fa7e494d935
        http://kb.vmware.com/kb/1003206

        ESX Server 3.0.2
        http://download3.vmware.com/software/vi/ESX-1002971.tgz
        md5sum: 337b09d9ae4b1694a045e216b69765e1
        http://kb.vmware.com/kb/1002971

        ESX Server 3.0.1
        http://download3.vmware.com/software/vi/ESX-1002964.tgz
        md5sum: d47e26104bfd5e4018ae645638c94487
        http://kb.vmware.com/kb/1002964


   e.   Updated OpenSSL package

        A flaw in the SSL_get_shared_ciphers() function could allow an
        attacker to cause a buffer overflow problem by sending ciphers
        to applications that use the function.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the names CVE-2007-3108, and CVE-2007-5135 to these
        issues.

        RPM Updated:
        openssl-0.9.7a-33.24

        VM Shutdown: Yes
        Host Reboot: Yes

        ESX Server 3.5
        http://download3.vmware.com/software/vi/ESX350-200712405-SG.zip
        md5sum: 3d0fbea4320e8e424388d4bdc54e40c3
        http://kb.vmware.com/kb/1003208

        ESX Server 3.0.2
        http://download3.vmware.com/software/vi/ESX-1002969.tgz
        md5sum: 72fd28a9f9380158db149259fbdcaa3b
        http://kb.vmware.com/kb/1002969

        ESX Server 3.0.1
        http://download3.vmware.com/software/vi/ESX-1002962.tgz
        md5sum: a0727bdc2e1a6f00d5fe77430a6ee9d6
        http://kb.vmware.com/kb/1002962

        ESX Server 2.5.5 download Upgrade Patch 3
        ESX Server 2.5.4 download Upgrade Patch 14

4. Solution:

Please review the Patch notes for your product and version and verify
the md5sum of your downloaded file.

   ESX Server 3.5 Patches:
   http://www.vmware.com/download/vi/vi3_patches_35.html

   ESX Server 3.0.x Patches:
   http://www.vmware.com/download/vi/vi3_patches.html

   ESX Server 2.x Patches:
   http://www.vmware.com/download/esx/esx2_patches.html

   ESX Server 2.5.5 Upgrade Patch 3
   http://download3.vmware.com/software/esx/esx-2.5.5-65742-upgrade.tar.gz
   md5sum: 9068250fdd604e8787ef40995a4638f9
   http://www.vmware.com/support/esx25/doc/esx-255-200712-patch.html

   ESX Server 2.5.4 Upgrade Patch 14
   http://download3.vmware.com/software/esx/esx-2.5.4-65752-upgrade.tar.gz
   md5sum: 24990b9207f882ccc91545b6fc90273d
   http://www.vmware.com/support/esx25/doc/esx-254-200712-patch.html

5. References:

  CVE numbers
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5360
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5398
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4572
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5191
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5116
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135

- - -------------------------------------------------------------------
6. Contact:

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce@lists.vmware.com
  * bugtraq@securityfocus.com
  * full-disclosure@lists.grok.org.uk

E-mail:  security@vmware.com

Security web site
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc. All rights reserved.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHlo15S2KysvBH1xkRCDmMAJ9j76yQqnZ8u8Vv3K21C4vAKSjNkQCeLH3J
N7+McCJEekqoGBqxej/peew=
=BXeQ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR5aYmyh9+71yA2DNAQLwXgP/ZQ0Owap52+GmLLSTT5wDUJncJ1IPlgJP
AsIbKh7iF8t5TIdv9U9mgwKfyvAuCCQnzqymunYIxlLhfHElt/l1u6RJB+BQqvZL
o/HwWPr6DgutXkSGrMfCr+RraWJfFJlKyCBRu8JwiBe/KciRjmILkjfUA53DJ37U
8IN29ruKPMQ=
=+DJS
-----END PGP SIGNATURE-----