Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0286 -- [Win][Linux]
Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and
VMware Fusion resolve critical security issues
28 April 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: VMware Workstation
VMware Player
VMware ACE
VMware Server
VMware Fusion
Publisher: VMware
Operating System: Windows
Linux variants
Impact: Increased Privileges
Denial of Service
Create Arbitrary Files
Modify Arbitrary Files
Access: Remote/Unauthenticated
Existing Account
CVE Names: CVE-2008-1364 CVE-2008-1363 CVE-2008-1362
CVE-2008-1361 CVE-2008-1340 CVE-2008-0923
CVE-2007-5618 CVE-2007-5269 CVE-2006-4343
CVE-2006-4339 CVE-2006-2940 CVE-2006-2937
Ref: AA-2008.0068
Revision History: April 28 2008: VMWare added additional information
March 19 2008: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- - -------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2008-0005.1
Synopsis: Updated VMware Workstation, VMware Player, VMware
Server, VMware ACE, and VMware Fusion resolve
critical security issues
Issue date: 2008-03-17
Updated on: 2008-04-24
CVE numbers: CVE-2008-0923 CVE-2008-0923 CVE-2008-1361
CVE-2008-1362 CVE-2007-5269 CVE-2006-2940
CVE-2006-2937 CVE-2006-4343 CVE-2006-4339
CVE-2007-5618 CVE-2008-1364 CVE-2008-1363
CVE-2008-1340
- - -------------------------------------------------------------------
1. Summary:
Several critical security vulnerabilities have been addressed
in the newest releases of VMware's hosted product line.
2. Relevant releases:
VMware Workstation 6.0.2 and earlier
VMware Workstation 5.5.4 and earlier
VMware Player 2.0.2 and earlier
VMware Player 1.0.4 and earlier
VMware ACE 2.0.2 and earlier
VMware ACE 1.0.2 and earlier
VMware Server 1.0.4 and earlier
VMware Fusion 1.1.1 and earlier
3. Problem description:
a. Host to guest shared folder (HGFS) traversal vulnerability
On Windows hosts, if you have configured a VMware host to guest
shared folder (HGFS), it is possible for a program running in the
guest to gain access to the host's file system and create or modify
executable files in sensitive locations.
NOTE: VMware Server is not affected because it doesn't use host to
guest shared folders. No versions of ESX Server, including
ESX Server 3i, are affected by this vulnerability. Because
ESX Server is based on a bare-metal hypervisor architecture
and not a hosted architecture, and it doesn't include any
shared folder abilities. Fusion and Linux based hosted
products are unaffected.
VMware would like to thank CORE Security Technologies for
working with us on this issue. This addresses advisory
CORE-2007-0930.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-0923 to this issue.
Hosted products
---------------
VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)
b. Insecure named pipes
An internal security audit determined that a malicious Windows
user could attain and exploit LocalSystem privileges by causing
the authd process to connect to a named pipe that is opened and
controlled by the malicious user.
The same internal security audit determined that a malicious
Windows user could exploit an insecurely created named pipe
object to escalate privileges or create a denial of service
attack. In this situation, the malicious user could
successfully impersonate authd and attain privileges under
which Authd is executing.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-1361, CVE-2008-1362 to these
issues.
Windows Hosted products
---------------
VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)
c. Updated libpng library to version 1.2.22 to address various security
vulnerabilities
Several flaws were discovered in the way libpng handled various PNG image
chunks. An attacker could create a carefully crafted PNG image file in
such a way that it could cause an application linked with libpng to crash
when the file was manipulated.
The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned
the name CVE-2007-5269 to this issue.
Hosted products
---------------
VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)
NOTE: Fusion is not affected by this issue.
d. Updated OpenSSL library to address various security vulnerabilities
Updated OpenSSL fixes several security flaws were discovered
in previous versions of OpenSSL.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the following names to these issues: CVE-2006-2940,
CVE-2006-2937, CVE-2006-4343, CVE-2006-4339.
Hosted products
---------------
VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)
NOTE: Fusion is not affected by this issue.
e. VIX API default setting changed to a more secure default value
Workstation 6.0.2 allowed anonymous console access to the guest by means
of the VIX API. This release, Workstation 6.0.3, disables this feature.
This means that the Eclipse Integrated Virtual Debugger and the Visual
Studio Integrated Virtual Debugger will now prompt for user account
credentials to access a guest.
Hosted products
---------------
VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
f. Windows 2000 based hosted products privilege escalation vulnerability
This release addresses a potential privilege escalation on
Windows 2000 hosted products. Certain services may be improperly
registered and present a security vulnerability to Windows 2000 machines.
VMware would like to thank Ray Hicken for reporting this issue and
David Maciejak for originally pointing out these types of
vulnerabilities.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the name CVE-2007-5618 to this issue.
Windows versions of Hosted products
---------------
VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)
NOTE: Fusion and Linux based products are not affected by this issue.
g. DHCP denial of service vulnerability
A potential denial of service issue affects DHCP service running
on the host.
VMware would like to thank Martin O'Neal for reporting this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the name CVE-2008-1364 to this issue.
Hosted products
---------------
VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)
VMware Fusion 1.1 upgrade to version 1.1.1 (Build# 72241)
NOTE: This issue doesn't affect the latest versions of VMware
Workstation 6, VMware Player 2, and ACE 2 products.
h. Local Privilege Escalation on Windows based platforms by
Hijacking VMware VMX configuration file
VMware uses a configuration file named "config.ini" which
is located in the application data directory of all users.
By manipulating this file, a user could gain elevated
privileges by hijacking the VMware VMX process.
VMware would like to thank Sun Bing for reporting the issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the name CVE-2008-1363 to this issue.
Windows based Hosted products
---------------
VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)
i. Virtual Machine Communication Interface (VMCI) memory corruption
resulting in denial of service
VMCI was introduced in VMware Workstation 6.0, VMware Player 2.0,
and VMware ACE 2.0. It is an experimental, optional feature and
it may be possible to crash the host system by making specially
crafted calls to the VMCI interface. This may result in denial
of service via memory exhaustion and memory corruption.
VMware would like to thank Andrew Honig of the Department of
Defense for reporting this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the name CVE-2008-1340 to this issue.
Hosted products
---------------
VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
VMware Fusion 1.1.1 upgrade to version 1.1.2 (Build# 87978)
4. Solution:
Please review the Patch notes for your product and version and verify the
md5sum of your downloaded file.
VMware Workstation 6.0.3
------------------------
http://www.vmware.com/download/ws/
Release notes:
http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
Windows binary
md5sum: 323f054957066fae07735160b73b91e5
RPM Installation file for 32-bit Linux
md5sum: c44183ad11082f05593359efd220944e
tar Installation file for 32-bit Linux
md5sum: 57601f238106cb12c1dea303ad1b4820
RPM Installation file for 64-bit Linux
md5sum: e9ba644be4e39556724fa2901c5e94e9
tar Installation file for 64-bit Linux
md5sum: d8d423a76f99a94f598077d41685e9a9
VMware Workstation 5.5.5
------------------------
http://www.vmware.com/download/ws/ws5.html
Release notes:
http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html
Windows binary
md5sum: 9c2dd94db5eed93d7f64e8d6ba8d8bd3
Compressed Tar archive for 32-bit Linux
md5sum: 77401c0842a151f0b2db0b4fcb0d16eb
Linux RPM version for 32-bit Linux
md5sum: c222b6db934deb9c1bb79b16b25a3202
VMware Server 1.0.5
-------------------
http://www.vmware.com/download/server/
Release notes:
http://www.vmware.com/support/server/doc/releasenotes_server.html
VMware Server for Windows 32-bit and 64-bit
md5sum: 3c4a57310c55e17bf8e4a1059d5b36cc
VMware Server Windows client package
md5sum: cb3dd2439203dc510f4d95f06ba59d21
VMware Server for Linux
md5sum: 161dcbe5af9bbd9834a86bf7c599903e
VMware Server for Linux rpm
md5sum: fc3b81ed18b53eda943a992971e9f84a
Management Interface
md5sum: dd10d25895d9994bd27ca896152f48ef
VMware Server Linux client package
md5sum: aae18f1f7b8811b5499e3a358754d4f8
VMware ACE 2.0.3 and 1.0.5
--------------------------
http://www.vmware.com/download/ace/
Windows Release notes:
http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html
VMware Fusion 1.1.1
-------------------
http://www.vmware.com/download/fusion/
Release notes:
http://www.vmware.com/support/fusion/doc/releasenotes_fusion.html
md5sum: 38e116ec26b30e7a6ac47c249ef650d0
VMware Fusion 1.1.2
-------------------
http://www.vmware.com/download/fusion/
Release notes:
http://www.vmware.com/support/fusion/doc/releasenotes_fusion.html
md5sum: D15A3DFD3E7B11FC37AC684586086D2B
VMware Player 2.0.3 and 1.0.6
----------------------
http://www.vmware.com/download/player/
Release notes Player 1.x:
http://www.vmware.com/support/player/doc/releasenotes_player.html
Release notes Player 2.0
http://www.vmware.com/support/player2/doc/releasenotes_player2.html
2.0.3 Windows binary
md5sum: 0c5009d3b569687ae139e13d24c868d3
VMware Player 2.0.3 for Linux (.rpm)
md5sum: 53502b2112a863356dcd13dd0d8dd8f2
VMware Player 2.0.3 for Linux (.tar)
md5sum: 2305fcff49bef6e4ad83742412eac978
VMware Player 2.0.3 - 64-bit (.rpm)
md5sum: cf945b571c4d96146ede010286fdfca5
VMware Player 2.0.3 - 64-bit (.tar)
md5sum: f99c5b293eb87c5f918ad24111565b9f
1.0.6 Windows binary
md5sum: 895081406c4de5361a1700ec0473e49c
Player 1.0.6 for Linux (.rpm)
md5sum: 8adb23799dd2014be0b6d77243c76942
Player 1.0.6 for Linux (.tar)
md5sum: c358f8e1387fb60863077d6f8a9f7b3f
5. References:
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0923
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1361
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1362
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5618
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1340
6. Change log:
2008-03-17 VMSA-2008-0005 Initial release
2008-04-24 VMSA-2008-0005.1 Added information for
Fusion 1.1.2 released on 04/23/08
for item i.
- - -------------------------------------------------------------------
7. Contact:
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce@lists.vmware.com
* bugtraq@securityfocus.com
* full-disclosure@lists.grok.org.uk
E-mail: security@vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2008 VMware Inc. All rights reserved.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFIERzFS2KysvBH1xkRCH44AJ0e7X4nrMgZNOCyfC11GDUx4XOCFwCffMbQ
icsAxBg10sRULIYif7sKL38=
=4GYA
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSBUj2Sh9+71yA2DNAQJ53wQAnbayLySmY9i8TrK/18AUCz3jj5vdxomb
ZTE7StkTduWbyJFo79wipdJJEE2T1TV3TjdpyZxbSqhdaaFAJ7+Nx0bzL/jt/VI7
2P3/Pe9UJECvUdevTqOv78RQgiic3mykzaXTwM6X6fLiX/X1ZNsyr5vCVEijmxtD
qPkBjjhQlk4=
=Xjjw
-----END PGP SIGNATURE-----