-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                 ESB-2008.1029 -- [Win][VMware ESX][Linux]
        VMware Hosted products and patches for ESX and ESXi resolve
                            two security issues
                              7 November 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              VMware Workstation 6.0.5 and earlier
                      VMware Workstation 5.5.8 and earlier
                      VMware Player 2.0.5 and earlier
                      VMware Player 1.0.8 and earlier
                      VMware ACE 2.0.5 and earlier
                      VMware ACE 1.0.7 and earlier
                      VMware Server 1.0.7 and earlier
                      VMware ESXi 3.5 without patch ESXe350-200810401-O-UG
                      VMware ESX 3.5 without patch ESX350-200810201-UG
                      VMware ESX 3.0.3 without patch ESX303-200810501-BG
                      VMware ESX 3.0.2 without patch ESX-1006680
                      VMware ESX 2.5.5 without upgrade patch 10 or later
                      VMware ESX 2.5.4 without upgrade patch 21
Publisher:            VMware
Operating System:     VMWare ESX Server
                      Windows
                      Linux variants
Impact:               Increased Privileges
Access:               Existing Account
CVE Names:            CVE-2008-4915 CVE-2008-4281

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2008-0018
Synopsis:          VMware Hosted products and patches for ESX and ESXi
                   resolve two security issues
Issue date:        2008-11-06
Updated on:        2008-11-06 (initial release of advisory)
CVE numbers:       CVE-2008-4915 CVE-2008-4281
- - ------------------------------------------------------------------------

1. Summary

   VMware Hosted products and patches for ESX and ESXi resolve multiple
   security issues. A flaw in the CPU hardware emulation may allow for a
   privilege escalation on virtual machine guest operating systems. In
   addition a directory traversal issue is resolved.

2. Relevant releases

   VMware Workstation 6.0.5 and earlier,
   VMware Workstation 5.5.8 and earlier,
   VMware Player 2.0.5 and earlier,
   VMware Player 1.0.8 and earlier,
   VMware ACE 2.0.5 and earlier,
   VMware ACE 1.0.7 and earlier,
   VMware Server 1.0.7 and earlier.

   VMware ESXi 3.5 without patch ESXe350-200810401-O-UG

   VMware ESX 3.5 without patch ESX350-200810201-UG

   VMware ESX 3.0.3 without patch ESX303-200810501-BG
   VMware ESX 3.0.2 without patch ESX-1006680
   VMware ESX 2.5.5 without upgrade patch 10 or later
   VMware ESX 2.5.4 without upgrade patch 21

   NOTE: Hosted products VMware Workstation 5.x, VMware Player 1.x,
         and VMware ACE 1.x will reach end of general support
         2008-11-09. Customers should plan to upgrade to the latest
         version of their respective products.

         Extended support (Security and Bug fixes) for ESX 3.0.2 ended
         on 2008-10-29 and Extended support for ESX 3.0.2 Update 1
         ends on 2009-08-08.  Users should plan to upgrade to ESX 3.0.3
         and preferably to the newest release available.

3. Problem Description

 a. A privilege escalation on 32-bit and 64-bit guest operating systems

    VMware products emulate hardware functions and create the
    possibility to run guest operating systems.

    A flaw in the CPU hardware emulation might allow the virtual CPU to
    incorrectly handle the Trap flag. Exploitation of this flaw might
    lead to a privilege escalation on guest operating systems.  An
    attacker needs a user account on the guest operating system and
    have the ability to run applications.

    VMware would like to thank Derek Soeder for discovering
    this issue and working with us on its remediation.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2008-4915 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Workstation    6.5.x     any      not affected
    Workstation    6.0.x     any      6.5.0 build 118166 or later
    Workstation    5.x       any      5.5.9 build 126128 or later

    Player         2.5.x     any      not affected
    Player         2.0.x     any      2.5.0 build 118166 or later
    Player         1.x       any      1.0.9 build 126128 or later

    ACE            2.5.x     Windows  not affected
    ACE            2.0.x     Windows  2.5.0 build 118166 or later
    ACE            1.x       Windows  1.0.8 build 125922 or later

    Server         2.x       any      not affected
    Server         1.x       any      1.0.8 build 126538 or later

    Fusion         2.x       Mac OS/X not affected
    Fusion         1.x       Mac OS/X not affected

    ESXi           3.5       ESXi     ESXe350-200810401-O-UG

    ESX            3.5       ESX      ESX350-200810201-UG
    ESX            3.0.3     ESX      ESX303-200810501-BG
    ESX            3.0.2     ESX      ESX-1006680
    ESX            2.5.5     ESX      ESX 2.5.5 upgrade patch 10 or later
    ESX            2.5.4     ESX      ESX 2.5.4 upgrade patch 21

 b.  Directory traversal vulnerability
 
    VirtualCenter allows administrators to have fine-grained privileges.
    A directory traversal vulnerability might allow administrators to
    increase these privileges. In order to leverage this flaw, the
    administrator would need to have the Datastore.FileManagement
    privilege.

    VMware would like to thank Michel Toussaint for reporting this issue
    to us.
 
    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2008-4281 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           3.5       ESXi     ESXe350-200810401-O-UG

    ESX            3.5       ESX      ESX350-200810201-UG
    ESX            3.0.3     ESX      not affected
    ESX            3.0.2     ESX      not affected
    ESX            2.5.5     ESX      not affected
    ESX            2.5.4     ESX      not affected

    * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   VMware Workstation 5.5.9
   ------------------------
   http://www.vmware.com/download/ws/ws5.html
   Release notes:
   http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html

   Windows binary:
   md5sum: 509c7b323a8ac42c0a92b0a1446bb0f8

   Compressed Tar archive for 32-bit Linux
   md5sum: 9d189e72f8111e44b27f1ee92edf265e

   Linux RPM version for 32-bit Linux
   md5sum: 0957c5258d033d0107517df64bfea240


   VMware Player 1.0.9
   -----------------------------
   http://www.vmware.com/download/player/
   Release notes Player 1.x:
   http://www.vmware.com/support/player/doc/releasenotes_player.html

   Windows binary
   md5sum: e2c8dd7b27df7d348f14f69de017b93f

   Player 1.0.9 for Linux (.rpm)
   md5sum: 471c3881fa60b058b1dac1d3c9c32c85

   Player 1.0.9 for Linux (.tar)
   md5sum: bef507811698e7333f5e8cb672530dbf


   VMware ACE 1.0.8
   ----------------
   http://www.vmware.com/download/ace/
   Release notes:
   http://www.vmware.com/support/ace/doc/releasenotes_ace.html

   Windows binary
   md5sum: 920a08c2fcdeaedcb3258183817419a0

   ACE 1.0.8 for Linux (.rpm)
   md5sum: 450254b73fa6802713136bf2c04e5b40

   ACE 1.0.8 for Linux (.tar)
   md5sum: 5efdaccf8217b8d7875d3f35cd6159e0


   VMware Server 1.0.8
   -------------------
   http://www.vmware.com/download/server/
   Release notes:
   http://www.vmware.com/support/server/doc/releasenotes_server.html

   VMware Server for Windows 32-bit and 64-bit
   md5sum: 4ba41e5fa192f786121a7395ebaa8d7c

   VMware Server Windows client package
   md5sum: f25746e275ca00f28d44ad372fc92536

   VMware Server for Linux
   md5sum: a476d3953ab1ff8457735e692fa5edf9

   VMware Server for Linux rpm
   md5sum: af6890506618fa82928fbfba8a5f97e1

   Management Interface
   md5sum: 5982b84a39479cabce63e12ab664d369

   VMware Server Linux client package
   md5sum: 605d7db48f63211cc3f5ddb2b3f915a6


   ESXi
   ----
   ESXi 3.5 patch ESXe350-200810401-O-UG
   http://download3.vmware.com/software/vi/ESXe350-200810401-O-UG.zip
   md5sum: 9b83c54a005572bebb86652e3efd732a
   http://kb.vmware.com/kb/1007056

   NOTE: The three ESXi patches for Firmware "I", VMware Tools "T," and
         the VI Client "C" are contained in a single offline "O"
         download file.

   ESX
   ---
   ESX Server 3.5 update 3 CD image Refresh
   md5sum: e9bdaad2d37872820a4cad8e8dbde536
   http://www.vmware.com/download/download.do?downloadGroup=ESX350U3

   ESX Server 3.5 upgrade package from ESX Server 2.x to ESX Server 3.5
Update 3 Refresh
   md5sum:2da08fed15bd4b1ed5b19433e837591c
   http://www.vmware.com/download/download.do?downloadGroup=ESX350U3

   ESX Server 3.5 upgrade package from ESX Server 3.0.x to ESX Server 3.5
Update 3 Refresh
   md5sum:d631aa8418d99fce4280fc3905ac4c37
   http://www.vmware.com/download/download.do?downloadGroup=ESX350U3

   ESX Server 3.5 upgrade package from ESX Server 3.5 to ESX Server 3.5
Update 3 Refresh
   md5sum:4dea5d943d0c0469c397b6520dfeb0fb
   http://www.vmware.com/download/download.do?downloadGroup=ESX350U3

   ESX 3.5 patch ESX350-200810201-UG (vCPU/directory traversal)
   http://download3.vmware.com/software/vi/ESX350-200810201-UG.zip
   md5sum: 6f26f985d9fea520ebdda7c65b60486e
   http://kb.vmware.com/kb/1007041

   ESX 3.0.3 patch ESX303-200810501-BG (vCPU)
   http://download3.vmware.com/software/vi/ESX303-200810501-BG.zip
   md5sum: da72f475c5ac038379d712d36307e33d
   http://kb.vmware.com/kb/1006969

   ESX 3.0.2 patch ESX-1006680 (vCPU)
   http://download3.vmware.com/software/vi/ESX-1006680.tgz
   md5sum: 8186a2e77bc7c0e4cd5b214d0a5d29c0
   http://kb.vmware.com/kb/1006680

   VMware ESX 2.5.5 Upgrade Patch 10
   http://download3.vmware.com/software/esx/esx-2.5.5-119702-upgrade.tar.gz
   md5sum: 2ee87cdd70b1ba84751e24c0bd8b4621
   http://vmware.com/support/esx25/doc/esx-255-200810-patch.html

   VMware ESX 2.5.4 Upgrade Patch 21
   http://download3.vmware.com/software/esx/esx-2.5.4-119703-upgrade.tar.gz
   md5sum: d791be525c604c852a03dd7df0eabf35
   http://vmware.com/support/esx25/doc/esx-254-200810-patch.html

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4915
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4281

- - ------------------------------------------------------------------------
6. Change log

2008-11-06  VMSA-2008-0018
Initial security advisory after release of VMware Workstation, VMware
Player, VMware ACE, VMware Server and ESXi and ESX 3.5 Update 3
on 2008-11-06.

- - -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc.  All rights reserved.

- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFJE9DtS2KysvBH1xkRAtsaAJ0S0pJg2Ncu0tW7gNdJigNfG3B6dQCcCjuE
l8J3igGrZI+kQzt6qEGjwq8=
=g/L/
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSRPekCh9+71yA2DNAQILeAP+OJK58zMZ8XAJmas9j/o4GsdSwkGQg2l8
3S0qUJ+cwGI7SuA41j2dwAOXCC7Db7qTTr11u54n9DodSOKS3yImOM2cyvrF0v4h
OLDecPWBt6fBfAvSHny5NbZxMo7BPe7Ane763b171YzDaOI9OpYwgF45OgfxEuh/
ja85HNtivfo=
=42H1
-----END PGP SIGNATURE-----