-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                       ESB-2009.0307 -- [VMware ESX]
                  ESX: updates for openssl, bind and vim
                              8 January 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              ESX
Publisher:            VMware
Operating System:     VMware ESX Server
Impact:               Execute Arbitrary Code/Commands
                      Increased Privileges
                      Provide Misleading Information
CVE Names:            CVE-2009-0025 CVE-2008-5077 CVE-2008-4101
                      CVE-2008-3432 CVE-2008-2712 CVE-2007-2953

Original Bulletin:    http://www.vmware.com/security/advisories/VMSA-2009-0004.html

Revision History:  January 8 2010: VMware updated their advisory, adding
                                   updated information for openssl after the
                                   release of patch for ESX400-200912402-SG
                                   for ESX 4.0 on 2010-01-06.
                   June    2 2009: Added updated information for openssl, 
                                   bind, and vim.
                   April  30 2009: Patches released for VMware ESX 3.5
                   April   1 2009: Initial Release

- - --------------------------BEGIN INCLUDED TEXT--------------------

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2009-0004.3
Synopsis:          ESX Service Console updates for openssl, bind, and
                   vim
Issue date:        2009-03-31
Updated on:        2010-01-06
CVE numbers:       CVE-2008-5077 CVE-2009-0025 CVE-2008-4101
                   CVE-2008-3432 CVE-2008-2712 CVE-2007-2953
- - - ------------------------------------------------------------------------

1. Summary

   ESX patches for OpenSSL, vim and bind resolve several security
   issues.

2. Relevant releases

   VMware ESX 4.0 without patch ESX400-200912402-SG

   VMware ESX 3.5 without patches ESX350-200904408-SG,
                                  ESX350-200904407-SG,
                                  ESX350-200904406-SG

   VMware ESX 3.0.3 without patches ESX303-200903406-SG,
                                    ESX303-200903405-SG,
                                    ESX303-200903403-SG

   VMware ESX 3.0.2 without patches ESX-1008409, ESX-1008408,
                                    ESX-1008406

   VMware ESX 2.5.5 without update patch 13

   Extended support for ESX 3.0.2 Update 1 ends on 2009-08-08.
   Users should plan to upgrade to ESX 3.0.3 and preferably to
   the newest release available.

3. Problem Description

 a. Updated OpenSSL package for the Service Console fixes a
    security issue.

    OpenSSL 0.9.7a-33.24 and earlier does not properly check the return
    value from the EVP_VerifyFinal function, which could allow a remote
    attacker to bypass validation of the certificate chain via a
    malformed SSL/TLS signature for DSA and ECDSA keys.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2008-5077 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           3.5       ESXi     not affected

    ESX            4.0       ESX      ESX400-200912402-SG

    ESX            3.5       ESX      ESX350-200904408-SG
    ESX            3.0.3     ESX      ESX303-200903406-SG
    ESX            3.0.2     ESX      ESX-1008409
    ESX            2.5.5     ESX      Upgrade Patch 13

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 b. Updated bind package for the Service Console fixes a security issue.

    A flaw was discovered in the way Berkeley Internet Name Domain
    (BIND) checked the return value of the OpenSSL DSA_do_verify
    function. On systems using DNSSEC, a malicious zone could present
    a malformed DSA certificate and bypass proper certificate
    validation, allowing spoofing attacks.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2009-0025 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           3.5       ESXi     not affected

    ESX            4.0       ESX      not affected

    ESX            3.5       ESX      ESX350-200904407-SG
    ESX            3.0.3     ESX      ESX303-200903405-SG
    ESX            3.0.2     ESX      ESX-1008408
    ESX            2.5.5     ESX      Upgrade Patch 13

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.
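
    The return-value flaw described in sections a and b, reduced to a
    self-contained C example added here (not code from OpenSSL, BIND or
    VMware). toy_verify is a hypothetical stand-in that follows the 1/0/-1
    return convention of EVP_VerifyFinal and DSA_do_verify, and the byte
    strings are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs (not real signatures). */
static const unsigned char GOOD[]      = {0x30, 0x03, 0x02, 0x01, 0x2a};
static const unsigned char FORGED[]    = {0x30, 0x03, 0x02, 0x01, 0x2b};
static const unsigned char MALFORMED[] = {0xff, 0x03, 0x02, 0x01, 0x2b};

/* Hypothetical stand-in for a tri-state verify call:
 *   1 = signature valid, 0 = signature invalid, -1 = error.
 * The parsing rule below is constructed for this example only. */
static int toy_verify(const unsigned char *sig, size_t len)
{
    if (len < 2 || sig[0] != 0x30)   /* not a DER SEQUENCE: cannot parse */
        return -1;                   /* an error, distinct from "invalid" */
    if (len != sizeof GOOD || memcmp(sig, GOOD, len) != 0)
        return 0;                    /* parsed, but does not match */
    return 1;
}

/* Flawed caller: treats the result as a boolean, so -1 counts as success. */
int accept_flawed(const unsigned char *sig, size_t len)
{
    if (!toy_verify(sig, len))
        return 0;
    return 1;
}

/* Corrected caller: only an exact 1 is success; 0 and -1 both reject. */
int accept_strict(const unsigned char *sig, size_t len)
{
    return toy_verify(sig, len) == 1;
}

static void report(const char *name, const unsigned char *sig, size_t len)
{
    printf("%-9s verify=%2d flawed=%d strict=%d\n", name,
           toy_verify(sig, len), accept_flawed(sig, len),
           accept_strict(sig, len));
}

int main(void)
{
    report("good", GOOD, sizeof GOOD);
    report("forged", FORGED, sizeof FORGED);
    report("malformed", MALFORMED, sizeof MALFORMED);
    return 0;
}
```

    When auditing callers of such functions, look for results tested with
    "!" or "!= 0" instead of compared against 1.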

 c. Updated vim package for the Service Console addresses several
    security issues.

    Several input flaws were found in Visual editor IMproved's (Vim)
    keyword and tag handling. If Vim looked up a document's maliciously
    crafted tag or keyword, it was possible to execute arbitrary code as
    the user running Vim.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2008-4101 to this issue.

    A heap-based overflow flaw was discovered in Vim's expansion of file
    name patterns with shell wildcards. An attacker could create a
    specially crafted file or directory name that, when opened by Vim,
    causes the application to stop responding or execute arbitrary code.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2008-3432 to this issue.

    Several input flaws were found in various Vim system functions. If a
    user opened a specially crafted file, it was possible to execute
    arbitrary code as the user running Vim.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2008-2712 to this issue.

    A format string flaw was discovered in Vim's help tag processor. If
    a user was tricked into executing the "helptags" command on
    malicious data, arbitrary code could be executed with the
    permissions of the user running Vim.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2007-2953 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           3.5       ESXi     not affected

    ESX            4.0       ESX      not affected

    ESX            3.5       ESX      ESX350-200904406-SG
    ESX            3.0.3     ESX      ESX303-200903403-SG
    ESX            3.0.2     ESX      ESX-1008406
    ESX            2.5.5     ESX      Upgrade Patch 13

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESX
   ---
   ESX 4.0 ESX400-200912402-SG (openssl)

   https://hostupdate.vmware.com/software/VUM/OFFLINE/release-181-20091231-153046/ESX400-200912001.zip
   md5sum: 78c6cf139b7941dc736c9d3a41deae77
   sha1sum: 36df3a675fbd3c8c8830f00637e37ee716bdac59
   http://kb.vmware.com/kb/1016292

   To install an individual bulletin use esxupdate with the -b option.
   esxupdate --bundle=ESX400-200912001.zip -b ESX400-200912402-SG update

   ESX 3.5 ESX350-200904408-SG (openssl)
   http://download3.vmware.com/software/vi/ESX350-200904408-SG.zip
   md5sum: 3af12e08ec0e5f84b1b2646cb1ad0225
   http://kb.vmware.com/kb/1010133

   ESX 3.5 ESX350-200904407-SG (bind)
   http://download3.vmware.com/software/vi/ESX350-200904407-SG.zip
   md5sum: a1b9dbb410e76e2fd410d6766b1df210
   http://kb.vmware.com/kb/1010132

   ESX 3.5 ESX350-200904406-SG (vim)
   http://download3.vmware.com/software/vi/ESX350-200904406-SG.zip
   md5sum: a416ecc6e97fa484873026b8110672e7
   http://kb.vmware.com/kb/1010131

   ESX 3.0.3 ESX303-200903406-SG (openssl)
   http://download3.vmware.com/software/vi/ESX303-200903406-SG.zip
   md5sum: 45a2d32f9267deb5e743366c38652c92
   http://kb.vmware.com/kb/1008416

   ESX 3.0.3 ESX303-200903405-SG (bind)
   http://download3.vmware.com/software/vi/ESX303-200903405-SG.zip
   md5sum: 34d00fd9cca7f3e08c0857b4cc254710
   http://kb.vmware.com/kb/1008415

   ESX 3.0.3 ESX303-200903403-SG (vim)
   http://download3.vmware.com/software/vi/ESX303-200903403-SG.zip
   md5sum: 9790c9512aef18beaf0d1c7d405bed1a
   http://kb.vmware.com/kb/1008413

   ESX 3.0.2 ESX-1008409 (openssl)
   http://download3.vmware.com/software/vi/ESX-1008409.tgz
   md5sum: cb25fd47bc0713b968d8778c033bc846
   http://kb.vmware.com/kb/1008409

   ESX 3.0.2 ESX-1008408 (bind)
   http://download3.vmware.com/software/vi/ESX-1008408.tgz
   md5sum: b6bd9193892a9c89b9b7a1e0456d2a9a
   http://kb.vmware.com/kb/1008408

   ESX 3.0.2 ESX-1008406 (vim)
   http://download3.vmware.com/software/vi/ESX-1008406.tgz
   md5sum: f069daa58190b39e431cedbd26ce25ef
   http://kb.vmware.com/kb/1008406

   ESX 2.5.5 Upgrade Patch 13
   http://www.vmware.com/support/esx25/doc/esx-255-200905-patch.html
   http://download3.vmware.com/software/esx/esx-2.5.5-161312-upgrade.tar.gz
   md5sum: a477b7819f5a0d4cbd38b98432a48c88
   sha1sum: cceb38898108e48cc5b7e3298a03a369aa783699

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0025
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4101
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3432
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2953

- - - ------------------------------------------------------------------------
6. Change log

2009-03-31  VMSA-2009-0004
Initial security advisory after release of patches for ESX 3.0.2 and
3.0.3 on 2009-03-31.
2009-04-29  VMSA-2009-0004.1
Added updated information for openssl, bind, and vim after the release
of patches for ESX 3.5 on 2009-04-29.
2009-06-01  VMSA-2009-0004.2
Added updated information for openssl, bind, and vim after the release
of patch for ESX 2.5.5 on 2009-05-28.
2010-01-06  VMSA-2009-0004.3
Added updated information for openssl after the release of patch
for ESX400-200912402-SG for ESX 4.0 on 2010-01-06.

- - - -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2009-2010 VMware Inc.  All rights reserved.

- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFLRYtAS2KysvBH1xkRAgMmAJ9lE3ggz32LZhtIz83FF+e/QIsDfwCcCn4c
5fa3W5qLkZxcvMQw9LGBgwU=
=r+vO
- - -----END PGP SIGNATURE-----

- - --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: https://www.auscert.org.au/1967

iD8DBQFLRn6UNVH5XJJInbgRAqavAJ0QWXmFItzmDmHb3De4xqZ/PF+JeACfZUyh
kUyHh60cNLk1RCc+pqhp2l8=
=Q2jh
-----END PGP SIGNATURE-----