-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2009.0307 -- [VMware ESX]
ESX: updates for openssl, bind and vim
8 January 2010
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           ESX
Publisher:         VMware
Operating System:  VMware ESX Server
Impact:            Execute Arbitrary Code/Commands
                   Increased Privileges
                   Provide Misleading Information
CVE Names:         CVE-2009-0025 CVE-2008-5077 CVE-2008-4101
                   CVE-2008-3432 CVE-2008-2712 CVE-2007-2953

Original Bulletin:
   http://www.vmware.com/security/advisories/VMSA-2009-0004.html

Revision History:
   January 8 2010: VMware updated their advisory adding updated
                   information for openssl after the release of patch
                   for ESX400-200912402-SG for ESX 4.0 on 2010-01-06.
   June 2 2009:    Added updated information for openssl, bind, and vim.
   April 30 2009:  Patches released for VMware ESX 3.5
   April 1 2009:   Initial Release

- - --------------------------BEGIN INCLUDED TEXT--------------------

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ------------------------------------------------------------------------
VMware Security Advisory

Advisory ID:  VMSA-2009-0004.3
Synopsis:     ESX Service Console updates for openssl, bind, and vim
Issue date:   2009-03-31
Updated on:   2010-01-06
CVE numbers:  CVE-2008-5077 CVE-2009-0025 CVE-2008-4101
              CVE-2008-3432 CVE-2008-2712 CVE-2007-2953
- - - ------------------------------------------------------------------------

1. Summary

   ESX patches for OpenSSL, vim and bind resolve several security issues.

2. Relevant releases

   VMware ESX 4.0 without patch ESX400-200912402-SG

   VMware ESX 3.5 without patches ESX350-200904408-SG,
   ESX350-200904407-SG, ESX350-200904406-SG

   VMware ESX 3.0.3 without patches ESX303-200903406-SG,
   ESX303-200903405-SG, ESX303-200903403-SG

   VMware ESX 3.0.2 without patches ESX-1008409, ESX-1008408, ESX-1008406

   VMware ESX 2.5.5 without update patch 13

   Extended support for ESX 3.0.2 Update 1 ends on 2009-08-08. Users
   should plan to upgrade to ESX 3.0.3 and preferably to the newest
   release available.

3. Problem Description

 a. Updated OpenSSL package for the Service Console fixes a
    security issue.

    OpenSSL 0.9.7a-33.24 and earlier does not properly check the return
    value from the EVP_VerifyFinal function, which could allow a remote
    attacker to bypass validation of the certificate chain via a
    malformed SSL/TLS signature for DSA and ECDSA keys.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2008-5077 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected
    hosted *       any       any      not affected
    ESXi           3.5       ESXi     not affected
    ESX            4.0       ESX      ESX400-200912402-SG
    ESX            3.5       ESX      ESX350-200904408-SG
    ESX            3.0.3     ESX      ESX303-200903406-SG
    ESX            3.0.2     ESX      ESX-1008409
    ESX            2.5.5     ESX      Upgrade Patch 13

    * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 b. Updated bind package for the Service Console fixes a security issue.

    A flaw was discovered in the way Berkeley Internet Name Domain
    (BIND) checked the return value of the OpenSSL DSA_do_verify
    function. On systems using DNSSEC, a malicious zone could present
    a malformed DSA certificate and bypass proper certificate
    validation, allowing spoofing attacks.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2009-0025 to this issue.
    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected
    hosted *       any       any      not affected
    ESXi           3.5       ESXi     not affected
    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      ESX350-200904407-SG
    ESX            3.0.3     ESX      ESX303-200903405-SG
    ESX            3.0.2     ESX      ESX-1008408
    ESX            2.5.5     ESX      Upgrade Patch 13

    * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 c. Updated vim package for the Service Console addresses several
    security issues.

    Several input flaws were found in Visual editor IMproved's (Vim)
    keyword and tag handling. If Vim looked up a document's maliciously
    crafted tag or keyword, it was possible to execute arbitrary code as
    the user running Vim.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2008-4101 to this issue.

    A heap-based overflow flaw was discovered in Vim's expansion of file
    name patterns with shell wildcards. An attacker could create a
    specially crafted file or directory name that, when opened by Vim,
    causes the application to stop responding or execute arbitrary code.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2008-3432 to this issue.

    Several input flaws were found in various Vim system functions. If
    a user opened a specially crafted file, it was possible to execute
    arbitrary code as the user running Vim.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2008-2712 to this issue.

    A format string flaw was discovered in Vim's help tag processor. If
    a user was tricked into executing the "helptags" command on
    malicious data, arbitrary code could be executed with the
    permissions of the user running VIM.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2007-2953 to this issue.
    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected
    hosted *       any       any      not affected
    ESXi           3.5       ESXi     not affected
    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      ESX350-200904406-SG
    ESX            3.0.3     ESX      ESX303-200903403-SG
    ESX            3.0.2     ESX      ESX-1008406
    ESX            2.5.5     ESX      Upgrade Patch 13

    * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESX
   ---
   ESX 4.0 ESX400-200912402-SG (openssl)
   https://hostupdate.vmware.com/software/VUM/OFFLINE/release-181-20091231-153046/ESX400-200912001.zip
   md5sum: 78c6cf139b7941dc736c9d3a41deae77
   sha1sum: 36df3a675fbd3c8c8830f00637e37ee716bdac59
   http://kb.vmware.com/kb/1016292

   To install an individual bulletin use esxupdate with the -b option.
   esxupdate --bundle=ESX400-200912001.zip -b ESX400-200912402-SG update

   ESX 3.5 ESX350-200904408-SG (openssl)
   http://download3.vmware.com/software/vi/ESX350-200904408-SG.zip
   md5sum: 3af12e08ec0e5f84b1b2646cb1ad0225
   http://kb.vmware.com/kb/1010133

   ESX 3.5 ESX350-200904407-SG (bind)
   http://download3.vmware.com/software/vi/ESX350-200904407-SG.zip
   md5sum: a1b9dbb410e76e2fd410d6766b1df210
   http://kb.vmware.com/kb/1010132

   ESX 3.5 ESX350-200904406-SG (vim)
   http://download3.vmware.com/software/vi/ESX350-200904406-SG.zip
   md5sum: a416ecc6e97fa484873026b8110672e7
   http://kb.vmware.com/kb/1010131

   ESX 3.0.3 ESX303-200903406-SG (openssl)
   http://download3.vmware.com/software/vi/ESX303-200903406-SG.zip
   md5sum: 45a2d32f9267deb5e743366c38652c92
   http://kb.vmware.com/kb/1008416

   ESX 3.0.3 ESX303-200903405-SG (bind)
   http://download3.vmware.com/software/vi/ESX303-200903405-SG.zip
   md5sum: 34d00fd9cca7f3e08c0857b4cc254710
   http://kb.vmware.com/kb/1008415

   ESX 3.0.3 ESX303-200903403-SG (vim)
   http://download3.vmware.com/software/vi/ESX303-200903403-SG.zip
   md5sum: 9790c9512aef18beaf0d1c7d405bed1a
   http://kb.vmware.com/kb/1008413

   ESX 3.0.2 ESX-1008409 (openssl)
   http://download3.vmware.com/software/vi/ESX-1008409.tgz
   md5sum: cb25fd47bc0713b968d8778c033bc846
   http://kb.vmware.com/kb/1008409

   ESX 3.0.2 ESX-1008408 (bind)
   http://download3.vmware.com/software/vi/ESX-1008408.tgz
   md5sum: b6bd9193892a9c89b9b7a1e0456d2a9a
   http://kb.vmware.com/kb/1008408

   ESX 3.0.2 ESX-1008406 (vim)
   http://download3.vmware.com/software/vi/ESX-1008406.tgz
   md5sum: f069daa58190b39e431cedbd26ce25ef
   http://kb.vmware.com/kb/1008406

   ESX 2.5.5 Upgrade Patch 13
   http://www.vmware.com/support/esx25/doc/esx-255-200905-patch.html
   http://download3.vmware.com/software/esx/esx-2.5.5-161312-upgrade.tar.gz
   md5sum: a477b7819f5a0d4cbd38b98432a48c88
   sha1sum: cceb38898108e48cc5b7e3298a03a369aa783699

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0025
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4101
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3432
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2953

- - - ------------------------------------------------------------------------
6. Change log

2009-03-31  VMSA-2009-0004
Initial security advisory after release of patches for ESX 3.0.2 and
3.0.3 on 2009-03-31.
2009-04-29  VMSA-2009-0004.1
Added updated information for openssl, bind, and vim after the release
of patches for ESX 3.5 on 2009-04-29.

2009-06-01  VMSA-2009-0004.2
Added updated information for openssl, bind, and vim after the release
of patch for ESX 2.5.5 on 2009-05-28.

2010-01-06  VMSA-2009-0004.3
Added updated information for openssl after the release of patch for
ESX400-200912402-SG for ESX 4.0 on 2010-01-06.

- - - -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2009-2010 VMware Inc. All rights reserved.

- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFLRYtAS2KysvBH1xkRAgMmAJ9lE3ggz32LZhtIz83FF+e/QIsDfwCcCn4c
5fa3W5qLkZxcvMQw9LGBgwU=
=r+vO
- - -----END PGP SIGNATURE-----

- - --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: https://www.auscert.org.au/1967

iD8DBQFLRn6UNVH5XJJInbgRAqavAJ0QWXmFItzmDmHb3De4xqZ/PF+JeACfZUyh
kUyHh60cNLk1RCc+pqhp2l8=
=Q2jh
-----END PGP SIGNATURE-----
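
Sections 3a and 3b of the advisory both describe a caller that does not properly check the return value of a signature verification function (EVP_VerifyFinal, DSA_do_verify). The block below is an added example of that bug class next to the corrected check; it is not code from VMware, OpenSSL or BIND. `toy_verify`, its one-byte-length encoding and the sample byte strings are hypothetical, standing in for a verifier that returns 1 (valid), 0 (invalid) or -1 (error).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a tri-state verifier in the style of
 * EVP_VerifyFinal / DSA_do_verify: 1 = valid, 0 = invalid, -1 = error.
 * Toy encoding (constructed): tag 0x30, one length byte, then the body. */
static int toy_verify(const unsigned char *sig, size_t n,
                      const unsigned char *want, size_t m)
{
    if (n < 2 || sig[0] != 0x30 || sig[1] != n - 2)
        return -1;                      /* malformed encoding: an error */
    if (n - 2 != m || memcmp(sig + 2, want, m) != 0)
        return 0;                       /* well-formed, does not verify */
    return 1;
}

/* Flawed caller: only 0 counts as failure, so -1 is accepted. */
int accept_flawed(const unsigned char *sig, size_t n,
                  const unsigned char *want, size_t m)
{
    if (!toy_verify(sig, n, want, m))
        return 0;
    return 1;
}

/* Corrected caller: anything other than exactly 1 is rejected. */
int accept_fixed(const unsigned char *sig, size_t n,
                 const unsigned char *want, size_t m)
{
    return toy_verify(sig, n, want, m) == 1;
}

/* Constructed sample inputs. */
static const unsigned char WANT[]      = {0xde, 0xad, 0xbe, 0xef};
static const unsigned char GOOD[]      = {0x30, 0x04, 0xde, 0xad, 0xbe, 0xef};
static const unsigned char WRONG[]     = {0x30, 0x04, 0xde, 0xad, 0xbe, 0x00};
static const unsigned char MALFORMED[] = {0x30, 0x7f, 0xde, 0xad};

int main(void)
{
    const unsigned char *in[] = {GOOD, WRONG, MALFORMED};
    size_t len[] = {sizeof GOOD, sizeof WRONG, sizeof MALFORMED};
    const char *name[] = {"good", "wrong", "malformed"};
    for (int i = 0; i < 3; i++)
        printf("%-9s flawed=%d fixed=%d\n", name[i],
               accept_flawed(in[i], len[i], WANT, sizeof WANT),
               accept_fixed(in[i], len[i], WANT, sizeof WANT));
    return 0;
}
```

When auditing callers of tri-state verification functions, look for `if (!verify(...))` and `if (verify(...) == 0)` patterns; the safe form compares the result against 1.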