Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0563 -- [Win][Linux]
Updates to VMware Workstation, VMware Player, VMware ACE,
VMware Fusion resolve critical security issues
2 June 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: VMware Workstation
VMware Player
VMware ACE
VMware Fusion
Publisher: VMware
Operating System: Windows
Linux variants
Impact: Execute Arbitrary Code/Commands
Access: Existing Account
CVE Names: CVE-2008-2099 CVE-2008-2098
Comment: Please note there is an end of life statement in this advisory in
regards to VMware Workstation 5.x, VMware Player 1.x, and VMware
ACE 1.x
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- - -------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2008-0008
Synopsis: Updates to VMware Workstation, VMware Player,
VMware ACE, VMware Fusion resolve critical
security issues
Issue date: 2008-05-30
Updated on: 2008-05-30 (initial release of advisory)
CVE numbers: CVE-2008-2098 CVE-2008-2099
- - -------------------------------------------------------------------
1. Summary:
Several critical security vulnerabilities have been addressed
in the newest releases of VMware's hosted product line.
2. Relevant releases:
VMware Workstation 6.0.3 and earlier,
VMware Player 2.0.3 and earlier,
VMware ACE 2.0.3 and earlier,
VMware Fusion 1.1.1 and earlier
NOTES: Users of VMware hosted products VMware Workstation 5.x,
VMware Player 1.x, and VMware ACE 1.x should note that
although they are not vulnerable to these issue, they
will reach their end of general support on 2008-11-09.
Customers should plan to upgrade to the latest version
of their respective products.
3. Problem description:
a. VMware HGFS File System Heap Overflow
The VMware Host Guest File System (HGFS) shared folders feature allows
users to transfer data between a guest operating system and the
non-virtualized host operating system that contains it.
A heap buffer overflow condition is present in VMware HGFS. Exploitation
of this flaw might allow an unprivileged guest process to execute code
in the context of the vmx process on the host.
In order to exploit this vulnerability, the VMware system must have
at least one folder shared. Two things must happen for a folder to
be shared. 1) Shared folders must be enabled, and 2) a folder must
be selected from the host system to be shared. No folders are shared
by default in any version of our products, which means this
vulnerability is not exploitable by default. Workstation 6.x,
Player 2.x, and ACE 2.x have shared folders disabled by default.
VMware Server, ESX and ESXi do not provide the shared folders feature.
Because there is no back-end for the HGFS protocol on the virtualization
host, these products are architecturally immune to this issue.
This issue might not be exploitable on host operating systems which
have implemented heap protection.
VMware would like to thank Andrew Honig of the Department of
Defense for reporting this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-2098 to this issue.
VMware Product Running Replace with/
Product Version on Apply Patch
============ ======== ======= =================
Workstation 6.x Windows 6.0.4 build 93057
Workstation 6.x Linux 6.0.4 build 93057
Workstation 5.x Windows not affected
Workstation 5.x Linux not affected
Player 2.x Windows 2.0.4 build 93057
Player 2.x Linux 2.0.4 build 93057
Player 1.x Windows not affected
Player 1.x Linux not affected
ACE 2.x Windows 2.0.2 build 93057
ACE 1.x Windows not affected
Server 1.x Windows not affected
Server 1.x Linux not affected
Fusion 1.x Mac OS/X 1.1.2 build 87978 or later
b. Windows based VMCI arbitrary code execution vulnerability
VMCI was introduced in VMware Workstation 6.0, VMware Player 2.0,
and VMware ACE 2.0. It is an experimental, optional feature
that allows virtual machines to communicate with one another.
With VMCI enabled a guest may execute arbitrary code in the context
of the vmx process on the host. This is a compiler dependent
vulnerability and only affects systems running on windows hosts.
VMware would like to thank Andrew Honig of the Department of
Defense for reporting this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-2099 to this issues.
VMware Product Running Replace with/
Product Version on Apply patch
============ ======== ======= =================
Workstation 6.x Windows 6.0.4 build 93057
Workstation 6.x Linux not affected
Workstation 5.x Windows not affected
Workstation 5.x Linux not affected
Player 2.x Windows 2.0.4 build 93057
Player 2.x Linux not affected
Player 1.x Windows not affected
Player 1.x Linux not affected
ACE 2.x Windows 2.0.2 build 93057
ACE 1.x Windows not affected
Server 1.x Windows not affected
Server 1.x Linux not affected
Fusion 1.x Mac OS/X not affected
4. Solution:
Please review the release notes for your product and version and verify the
md5sum of your downloaded file.
VMware Workstation 6.0.4
------------------------
http://www.vmware.com/download/ws/
Release notes:
http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
Windows binary
md5sum: f50a05831e94c19d98f363c752fca5f9
RPM Installation file for 32-bit Linux
md5sum: e7793b14b995d3b505f093c84e849421
tar Installation file for 32-bit Linux
md5sum: a0a8e1d8188f4be03357872a57a767ab
RPM Installation file for 64-bit Linux
md5sum: 960d753038a268b8f101f4b853c0257e
tar Installation file for 64-bit Linux
md5sum: 4697ec8a9d6c1152d785f3b77db9d539
VMware Player 2.0.4
-------------------
http://www.vmware.com/download/player/
Release notes Player 1.x:
http://www.vmware.com/support/player/doc/releasenotes_player.html
Release notes Player 2.0
http://www.vmware.com/support/player2/doc/releasenotes_player2.html
2.0.4 Windows binary
md5sum: a117664a8bfa7336b846117e5fc048dd
VMware Player 2.0.4 for Linux (.rpm)
md5sum: de6ab6364a0966b68eadda2003561cd2
VMware Player 2.0.4 for Linux (.tar)
md5sum: 9e1c2bfda6b22a3fc195a86aec11903a
VMware Player 2.0.4 - 64-bit (.rpm)
md5sum: 997e5ceffe72f9ce9146071144dacafa
VMware Player 2.0.4 - 64-bit (.tar)
md5sum: 18eb4ee49dd7e33ec155ef69d7d259ef
VMware ACE
----------
http://www.vmware.com/download/ace/
Release notes 2.0:
http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html
VMware-workstation-6.0.4-93057.exe
md5sum: f50a05831e94c19d98f363c752fca5f9
VMware-ACE-Management-Server-Appliance-2.0.4-93057.zip
md5sum: d2ae2246f3d87268cf84c1421d94e86c
VMware-ACE-Management-Server-2.0.4-93057.exe
md5sum: 41b31b3392d5da2cef77a7bb28654dbf
VMware-ACE-Management-Server-2.0.4-93057.i386-rhel4.rpm
md5sum: 9920be4c33773df53a1728b41af4b109
VMware-ACE-Management-Server-2.0.4-93057.i386-sles9.rpm
md5sum: 4ec4c37203db863e8844460b5e80920b
VMware Fusion 1.1.3
--------------
http://www.vmware.com/download/fusion/
Release notes:
http://www.vmware.com/support/fusion/doc/releasenotes_fusion.html
md5sum: D15A3DFD3E7B11FC37AC684586086D
5. References:
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2099
6. Change log:
2008-05-30 VMSA-2008-0008 Initial release
- - -------------------------------------------------------------------
7. Contact:
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce@lists.vmware.com
* bugtraq@securityfocus.com
* full-disclosure@lists.grok.org.uk
E-mail: security@vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2008 VMware Inc. All rights reserved.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFIQFCVS2KysvBH1xkRCAnIAJ0SuIABL0Y0t8Wo2gcBRlhp3w82UACdH8f/
IM84mlV6oiPxg+XGGUVRyeI=
=/czP
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSENBRCh9+71yA2DNAQJHUQP+NXMyrQcJYLMi/p2FSGzBEFNhs18e20PG
m+v8NT1RewnOsNM7B8G9+emm8NkyusEbR+aJGmbiVXtMgULSgM7qjCKQaQzazYuP
qEiaNV7tUVm2NXg1bdU5lsvaHN0XXOzrSB/ApxNLoZE4DwrgYxQxJboIjVqBdRy9
YaY7kZaIG/o=
=Ee6P
-----END PGP SIGNATURE-----