Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0143.6
VMSA-2013-0001 - VMware vSphere security updates for the
authentication service and third party libraries
31 May 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: VMware vSphere
VMware vCenter
VMware ESX
VMware ESXi
Publisher: VMware
Operating System: VMWare ESX Server
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2013-1405 CVE-2012-4244 CVE-2012-2871
CVE-2012-2870 CVE-2012-2825 CVE-2012-2807
CVE-2011-3970 CVE-2011-3102 CVE-2011-1202
Reference: ESB-2013.0136
ASB-2012.0147
ASB-2012.0121
ASB-2012.0096
ASB-2012.0073
ASB-2012.0019
ESB-2012.1108
ESB-2012.1026
ESB-2012.0986
ESB-2012.0956
ESB-2012.0940
ESB-2012.0939
ESB-2012.0894
ESB-2012.0887
ESB-2012.0886
ESB-2012.0885
ESB-2012.0872
ESB-2012.0871
ESB-2012.0737
ESB-2012.0492
ASB-2011.0034
ESB-2011.0488
Revision History: May 31 2013: Updated security advisory in conjunction with the release of ESX 4.0 patches on 2013-05-30.
April 30 2013: Updated security advisory for issue b) due to ESXi 5.1 update released on 2013-04-25.
April 2 2013: Updated security advisory for issue b) due to ESXi 5.0 update released on 2013-03-28.
February 25 2013: Updated security advisory to include vCenter 2.5 Update U6c and patches for ESX 3.5 released on 2013-02-21
February 11 2013: Updated security advisory to include vCenter 4.0 Update 4b and patches for ESX 4.0.
February 4 2013: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2013-0001.5
Synopsis: VMware vSphere security updates for the authentication
service and third party libraries
Issue date: 2013-01-31
Updated on: 2013-05-30
CVE numbers: --vSphere authentication ---
CVE-2013-1405
--libxml2 ---
CVE-2011-3102, CVE-2012-2807
--bind (service console) ---
CVE-2012-4244
--xslt (service console) ---
CVE-2011-1202, CVE-2011-3970, CVE-2012-2825,
CVE-2012-2870, CVE-2012-2871
- - ----------------------------------------------------------------------
1. Summary
VMware vSphere security updates for the authentication service and
third party libraries
2. Relevant releases
vCenter Server 4.1 without Update 3a
vCenter Server 4.0 without Update 4b
Virtual Center 2.5 without Update 6c
vSphere Client 4.1 without Update 3a
vSphere Client 4.0 without Update 4b
VI-Client 2.5 without Update 6c
ESXi 5.0 without Update 1
ESXi 5.0 without patch ESXi500-201303101-SG
ESXi 4.1 without patch ESXi410-201301401-SG
ESXi 4.0 without patches ESXi400-201302401-SG and ESXi400-201302403-SG
ESXi 3.5 without patches ESXe350-201302401-I-SG and
ESXe350-201302403-C-SG
ESX 4.1 without patches ESX410-201301401-SG, ESX410-201301402-SG,
ESX410-201301403-SG, and ESX410-201301405-SG
ESX 4.0 without patch ESX400-201302401-SG and ESX400-201305402-SG
ESX 3.5 without patch ESX350-201302401-SG
3. Problem Description
a. VMware vSphere client-side authentication memory corruption
vulnerability
VMware vCenter Server, vSphere Client, and ESX contain a
vulnerability in the handling of the management authentication
protocol. To exploit this vulnerability, an attacker must
convince either vCenter Server, vSphere Client or ESX to
interact with a malicious server as a client. Exploitation of
the issue may lead to code execution on the client system.
To reduce the likelihood of exploitation, vSphere components
should be deployed on an isolated management network.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2013-1405 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======= ======= =================
vCenter Server 5.1 Windows not affected
vCenter Server 5.0 Windows not affected
vCenter Server 4.1 Windows 4.1 Update 3a
vCenter Server 4.0 Windows 4.0 Update 4b
VirtualCenter 2.5 Windows 2.5 Update 6c
vSphere Client 5.1 Windows not affected
vSphere Client 5.0 Windows not affected
vSphere Client 4.1 Windows 4.1 Update 3a **
vSphere Client 4.0 Windows 4.0 Update 4b **
VI-Client 2.5 Windows 2.5 Update 6c **
hosted * any any not affected
ESXi 5.1 ESXi not affected
ESXi 5.0 ESXi not affected
ESXi 4.1 ESXi ESXi410-201301401-SG
ESXi 4.0 ESXi ESXi400-201302401-SG
ESXi400-201302403-SG
(vSphere client)
ESXi 3.5 ESXi ESXe350-201302401-I-SG
ESXe350-201302403-C-SG
(vSphere client)
ESX 4.1 ESX ESX410-201301401-SG
ESX 4.0 ESX ESX400-201302401-SG
(includes vSphere client)
ESX 3.5 ESX ESX350-201302401-SG
(includes vSphere client)
* hosted products are VMware Workstation, Player, ACE, Fusion.
** To remediate CVE-2013-1405, customers must apply updates to
all components of the authentication service. First,
customers should update vCenter Server or ESXi/ESX as
appropriate to ensure that the updated vSphere Client is
downloaded. Then, the vSphere client can be updated using
any one of the following methods:
Run the installer that ships with vCenter Server
Follow the client installation link on the vCenter Server
welcome page
Follow the client installation link on the ESXi/ESX
Server welcome page
b. Update to ESX/ESXi libxml2 userworld and service console
The ESX/ESXi userworld libxml2 library has been updated to
resolve multiple security issues. Also, the ESX service console
libxml2 packages are updated to the following versions:
libxml2-2.6.26-2.1.15.el5_8.5
libxml2-python-2.6.26-2.1.15.el5_8.5
These updates fix multiple security issues. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2011-3102 and CVE-2012-2807 to these
issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
ESXi 5.1 ESXi see VMSA-2013-0004
ESXi 5.0 ESXi see VMSA-2013-0004
ESXi 4.1 ESXi ESXi410-201301401-SG
ESXi 4.0 ESXi no patch planned
ESXi 3.5 ESXi no patch planned
ESX 4.1 ESX ESX410-201301405-SG
ESX 4.0 ESX no patch planned
ESX 3.5 ESX no patch planned
c. Update to ESX service console bind packages
The ESX service console bind packages are updated to the
following versions:
bind-libs-9.3.6-20.P1.el5_8.2
bind-utils-9.3.6-20.P1.el5_8.2
These updates fix a security issue. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name
CVE-2012-4244 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
ESXi any ESXi not applicable
ESX 4.1 ESX ESX410-201301402-SG
ESX 4.0 ESX ESX400-201305402-SG
ESX 3.5 ESX not applicable
d. Update to ESX service console libxslt package
The ESX service console libxslt package is updated to version
libxslt-1.1.17-4.el5_8.3 to resolve multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2011-1202, CVE-2011-3970,
CVE-2012-2825, CVE-2012-2870, and CVE-2012-2871 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
ESXi any ESXi not applicable
ESX 4.1 ESX ESX410-201301403-SG
ESX 4.0 ESX not affected
ESX 3.5 ESX not applicable
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
vCenter Server 4.1 Update 3a
---------------------------
The download for vCenter Server includes vSphere Update Manager,
vSphere Client, and vCenter Orchestrator.
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_
vsphere/4_1
Release Notes:
https://www.vmware.com/support/vsphere4/doc/vsp_vc41_u3a_rel_notes.html
vCenter Server 4.0 Update 4b
---------------------------
The download for vCenter Server includes vSphere Update Manager,
vSphere Client, and vCenter Orchestrator.
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_
vsphere/4_0
Release Notes:
https://www.vmware.com/support/vsphere4/doc/vsp_vc40_u4b_rel_notes.html
VirtualCenter 2.5 Update U6c
--------------------------
Download link:
http://downloads.vmware.com/d/info/datacenter_downloads/vmware_infrastructu
re_3/3_5
Release Notes:
https://www.vmware.com/support/vi3/doc/vi3_vc25u6c_rel_notes.html
ESXi and ESX
------------
https://my.vmware.com/web/vmware/downloads
ESXi 4.1
--------
File: ESXi410-201301001.zip
md5sum: 3543d3f16a1f1b1369dcdb5c25fa7106
sha1sum: cced12e87838a3b037c9ec99d8490809c61fe883
http://kb.vmware.com/kb/2041332
ESXi410-201301001 contains ESXi410-201301401-SG
ESXi 4.0
--------
File: ESXi400-201302001.zip
md5sum: 03dc9246239dd449bf21a122e7b1bcf3
sha1sum: 276346a186c068c1fdbf19e1b753b8a2dbc8c89c
http://kb.vmware.com/kb/2041344
ESXi400-201302001 contains ESXi400-201302401-SG and
ESXi400-201302403-SG
ESXi 3.5
--------
File: ESXe350-201302401-O-SG.zip
md5sum: a2c5f49bc865625b3796c41c202d1696
sha1sum: 12d25011d9940ea40d45f77a4e5bcc7e7b0c0cee
http://kb.vmware.com/kb/2042543
ESXi350-201302401-O-SG contains ESXe350-201302401-I-SG and
ESXe350-201302403-C-SG
ESX 4.1
-------
File: ESX410-201301001.zip
md5sum: 0219dbcbcc6fafe8bf33695682c8658d
sha1sum: 2eab9d56ac81f7d2d00c15b155bd93c36b0e03c3
http://kb.vmware.com/kb/2041331
ESX410-201301001 contains ESX410-201301401-SG, ESX410-201301402-SG,
ESX410-201301403-SG, and ESX410-201301405-SG
ESX 4.0
-------
File: ESX400-201302001.zip
md5sum: 2a883e737c3cde990fe4792c64c32fcd
sha1sum: 92c3b13ab3fdee73c335d5e8b41159f546def199
http://kb.vmware.com/kb/2041343
ESX400-201302001 contains ESX400-201302401-SG
ESX 3.5
-------
File: ESX350-201302401-SG.zip
md5sum: e703cb0bc3e1eaa8932a96ea96f34a00
sha1sum: 91dcf1bf7194a289652d0904dd7af8bce0a1d2dd
http://kb.vmware.com/kb/2042541
ESX350-201302401-SG contains ESX350-201302401-SG
5. References
--vSphere authentication ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1405
--libxml2 ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2807
--bind (service console) ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4244
--xslt (service console) ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2825
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2870
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2871
- - -----------------------------------------------------------------------
6. Change log
2013-01-31 VMSA-2013-0001
Initial security advisory in conjunction with the release of
vCenter 4.1 Update 3a and ESX 4.1 patches on 2013-01-31.
2013-02-07 VMSA-2013-0001.1
Updated security advisory to include vCenter 4.0 Update 4b and
patches for ESX 4.0 released on 2013-02-07.
2013-02-21 VMSA-2013-0001.2
Updated security advisory to include vCenter 2.5 Update U6c and
patches for ESX 3.5 released on 2013-02-21.
2013-02-21 VMSA-2013-0001.3
Updated security advisory for issue b) due to ESXi 5.0 update
released on 2013-03-28.
2013-04-25 VMSA-2013-0001.4
Updated security advisory for issue b) due to ESXi 5.1 update
released on 2013-04-25.
2013-05-30 VMSA-2013-0001.5
Updated security advisory in conjunction with the release
of ESX 4.0 patches on 2013-05-30.
- - -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2013 VMware Inc. All rights reserved.
- -----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8
wj8DBQFRp5DSDEcm8Vbi9kMRAqopAJ9r4VWdJVpZmJcKBQ4n3cm+AJ4DPACgjD6W
foPhaLmq8I/V8d9BfZz7jhI=
=7QbF
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUahA4e4yVqjM2NGpAQLFNxAArR940n57+qbR150U4ns/Q97h0ZlT+A1p
xdyaSoU7qph1XLjwb0d35WHftWFZBaDYSPjzd2ZIN8RJ07sDdSitdaFLnzmi29MK
CN7vstgXizKXbmerVataCsN2OdUuHT2l3UtTxXhftyCTe9PGbRiCYGzlgfCgNeuV
g8kxIg292CwS1AqA0uYJ9+21hQ/TGh3XRqsl5zD4L1eWI373dd5aazhwuV25m7SU
mEH7nKMH3mfcj8SqRIf1quRdnbh9Ug61etKXYpW8XQCknqyT/oNyT0cosbTqaED3
lwDqxUUCZvTbJrGSZE+Jl2hcXaTQzljHRbBRBqgA+OdOu8iaQtSa4inn8L/DRI7Y
p3jQuMOIZBXXS0No1S5HESQy7BT6TcCj/CrMsa5yNfykAFrkcgSQv5T5JuPS72LO
MExeBLmyEm0UPNaG4kSLgFuT7JcT+pjm/Huu23tfjAPMjXNMpncsO1yvcwU4e+Cw
sYC382+q5+vjGQu/fCQuZZ4etT/MsHlTDuwVk1zGqhKCbeMcW+4+WlWXw6Tl7VKU
qBApE6OD9A/EcAw716F6e2g5eutqOQOIePGjvQgwGMKgHEWBfBtIPjkW43tP+oiC
PXzcJKoeaeyoTIhmV8EU4oym2fBIPHUOHMwGEXZZ5Z9DbbVM8KGTx8P5aTQ33/db
IWhjtqn6ejc=
=yPCJ
-----END PGP SIGNATURE-----