-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2015.0196.2
       VMware vCenter Server, ESXi, Workstation, Player, and Fusion
                      updates address security issues
                             27 February 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          VMware vCenter Server
                  VMware ESXi
                  VMware Workstation
                  VMware Player
                  VMware Fusion
Publisher:        VMware
Operating System: VMware ESX Server
                  Windows
                  UNIX variants (UNIX, Linux, OSX)
Impact/Access:    Increased Privileges     -- Existing Account            
                  Denial of Service        -- Remote/Unauthenticated      
                  Access Confidential Data -- Remote with User Interaction
                  Reduced Security         -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2015-1044 CVE-2015-1043 CVE-2014-8370
                  CVE-2014-3660 CVE-2014-3568 CVE-2014-3567
                  CVE-2014-3566 CVE-2014-3513 

Reference:        ASB-2014.0122
                  ESB-2014.1874

Revision History: February 27 2015: Updated security advisory in conjunction 
                  with the release of VMware ESXi 5.0 Patches released on 
                  2015-02-26
                  January  28 2015: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2015-0001.1
Synopsis:    VMware vCenter Server, ESXi, Workstation, Player, and Fusion
             updates address security issues
Issue date:  2015-01-27
Updated on:  2015-02-26
CVE number:  CVE-2014-8370, CVE-2015-1043, CVE-2015-1044

             --- OPENSSL---
             CVE-2014-3513, CVE-2014-3567,CVE-2014-3566, CVE-2014-3568

             --- libxml2 ---
             CVE-2014-3660
- - ------------------------------------------------------------------------

1. Summary

   VMware vCenter Server, ESXi, Workstation, Player and Fusion address
   several security issues.

2. Relevant Releases

   VMware Workstation 10.x prior to version 10.0.5

   VMware Player 6.x prior to version 6.0.5

   VMware Fusion 7.x prior to version 7.0.1
   VMware Fusion 6.x prior to version 6.0.5

   vCenter Server 5.5 prior to Update 2d

   ESXi 5.5 without patch ESXi550-201403102-SG, ESXi550-201501101-SG
   ESXi 5.1 without patch ESXi510-201404101-SG
   ESXi 5.0 without patch ESXi500-201405101-SG, ESXi500-201502101-SG

3. Problem Description

   a. VMware ESXi, Workstation, Player, and Fusion host privilege
      escalation vulnerability

      VMware ESXi, Workstation, Player and Fusion contain an arbitrary
      file write issue. Exploitation this issue may allow for privilege
      escalation on the host.

      The vulnerability does not allow for privilege escalation from
      the guest Operating System to the host or vice-versa. This means
      that host memory can not be manipulated from the Guest Operating
      System.

      Mitigation

      For ESXi to be affected, permissions must have been added to ESXi
      (or a vCenter Server managing it) for a virtual machine
      administrator role or greater.

      VMware would like to thank Shanon Olsson for reporting this issue to
      us through JPCERT.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2014-8370 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware         Product    Running   Replace with/
      Product        Version    on        Apply Patch
      =============  =======    =======   =================
      Workstation    11.x       any       not affected
      Workstation    10.x       any       10.0.5

      Player         7.x        any       not affected
      Player         6.x        any       6.0.5

      Fusion         7.x        any       not affected
      Fusion         6.x        any       6.0.5

      ESXi           5.5        ESXi      ESXi550-201403102-SG
      ESXi           5.1        ESXi      ESXi510-201404101-SG
      ESXi           5.0        ESXi      ESXi500-201405101-SG

   b. VMware Workstation, Player, and Fusion Denial of Service
      vulnerability

      VMware Workstation, Player, and Fusion contain an input
      validation issue in the Host Guest File System (HGFS).
      This issue may allow for a Denial of Service of the Guest
      Operating system.

      VMware would like to thank Peter Kamensky from Digital
      Security for reporting this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2015-1043 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware         Product    Running   Replace with/
      Product        Version    on        Apply Patch
      =============  =======    =======   =================
      Workstation    11.x       any       not affected
      Workstation    10.x       any       10.0.5

      Player         7.x        any       not affected
      Player         6.x        any       6.0.5

      Fusion         7.x        any       7.0.1
      Fusion         6.x        any       6.0.5

   c. VMware ESXi, Workstation, and Player Denial of Service
      vulnerability

      VMware ESXi, Workstation, and Player contain an input
      validation issue in VMware Authorization process (vmware-authd).
      This issue may allow for a Denial of Service of the host. On
      VMware ESXi and on Workstation running on Linux the Denial of
      Service would be partial.

      VMware would like to thank Dmitry Yudin @ret5et for reporting
      this issue to us through HP's Zero Day Initiative.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2015-1044 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware         Product    Running   Replace with/
      Product        Version    on        Apply Patch
      =============  =======    =======   =================
      Workstation    11.x       any       not affected
      Workstation    10.x       any       10.0.5

      Player         7.x        any       not affected
      Player         6.x        any       6.0.5

      Fusion         7.x        any       not affected
      Fusion         6.x        any       not affected

      ESXi           5.5        ESXi      ESXi550-201501101-SG
      ESXi           5.1        ESXi      ESXi510-201410101-SG
      ESXi           5.0        ESXi      not affected

   d. Update to VMware vCenter Server and ESXi for OpenSSL 1.0.1
      and 0.9.8 package

      The OpenSSL library is updated to version 1.0.1j or 0.9.8zc
      to resolve multiple security issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2014-3513, CVE-2014-3567,
      CVE-2014-3566 (â\x{128}\x{156}POODLEâ\x{128}\x{157}) and CVE-2014-3568 to these issues.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware         Product    Running   Replace with/
      Product        Version    on        Apply Patch
      =============  =======    =======   =================
      vCenter Server 5.5        any       Update 2d*
      vCenter Server 5.1        any       patch pending
      vCenter Server 5.0        any       patch pending

      ESXi           5.5        ESXi      ESXi550-201501101-SG
      ESXi           5.1        ESXi      patch pending
      ESXi           5.0        ESXi      ESXi500-201502101-SG

      * The VMware vCenter 5.5 SSO component will be updated
        in a later release.

   e. Update to ESXi libxml2 package

      The libxml2 library is updated to version libxml2-2.7.6-17
      to resolve a security issue.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2014-3660 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware         Product    Running   Replace with/
      Product        Version    on        Apply Patch
      =============  =======    =======   =================
      ESXi           5.5        ESXi      ESXi550-201501101-SG
      ESXi           5.1        ESXi      patch pending
      ESXi           5.0        ESXi      patch pending

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   VMware Workstation 10.x
   --------------------------------
   https://www.vmware.com/go/downloadworkstation

   VMware Player 6.x
   --------------------------------
   https://www.vmware.com/go/downloadplayer

   VMware Fusion 7.x and 6.x
   --------------------------------
   https://www.vmware.com/go/downloadplayer

   vCenter Server
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   ESXi 5.5 Update 2d
   ----------------------------
   File: update-from-esxi5.5-5.5_update01.zip
   md5sum: 5773844efc7d8e43135de46801d6ea25
   sha1sum: 6518355d260e81b562c66c5016781db9f077161f
   http://kb.vmware.com/kb/2065832
   update-from-esxi5.5-5.5_update01 contains ESXi550-201403102-SG

   ESXi 5.5
   ----------------------------
   File: ESXi550-201501001.zip
   md5sum: b0f2edd9ad17d0bae5a11782aaef9304
   sha1sum: 9cfcb1e2cf1bb845f0c96c5472d6b3a66f025dd1
   http://kb.vmware.com/kb/2099265
   ESXi550-201501001.zip contains ESXi550-201501101-SG

   ESXi 5.1
   ----------------------------
   File: ESXi510-201404001.zip
   md5sum: 9dc3c9538de4451244a2b62d247e52c4
   sha1sum: 6b1ea36a2711665a670afc9ae37cdd616bb6da66
   http://kb.vmware.com/kb/2070666
   ESXi510-201404001 contains ESXi510-201404101-SG

   ESXi 5.0
   ----------------------------
   File: ESXi500-201405001.zip
   md5sum: 7cd1afc97f5f1e4b4132c90835f92e1d
   sha1sum: 4bd77eeb5d7fc65bbb6f25762b0fa74fbb9679d5
   http://kb.vmware.com/kb/2075521
   ESXi500-201405001 contains  ESXi500-201405101-SG

   ESXi 5.0
   ----------------------------
   File: ESXi500-201502001.zip
   md5sum: 0e81d3c7702d6f08c1a5ebe743c8c42b
   sha1sum: 6f16a03f413c1af4db3e181c2ccd6aa01141035d
   http://kb.vmware.com/kb/2101910
   ESXi500-201502001 contains ESXi500-201502101-SG

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8370
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1043
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1044
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660

- - ------------------------------------------------------------------------

6. Change log

   2015-01-27 VMSA-2015-0001
   Initial security advisory in conjunction with the release of VMware
   Workstation 10.0.5, VMware Player 6.0.5, vCenter Server 5.5 Update 2d
   and, ESXi 5.5 Patches released on 2015-01-27.

   2015-02-26 VMSA-2015-0001.1
   Updated security advisory in conjunction with the release
   of VMware ESXi 5.0 Patches released on 2015-02-26.

- - ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2015 VMware Inc.  All rights reserved.

- -----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iEYEARECAAYFAlTvZKoACgkQDEcm8Vbi9kPLdQCgkxPWLqgLx+H8FIA1rDh9PGJ7
WUgAoL2IPcyQ0FgDxTm4rLW+e/gKRzBq
=h+C7
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVO+7AxLndAQH1ShLAQI1cw//XmU59PtkJ9zoU15CY4IhS5XLhCn5KQ2P
Kg2BHnGapHilsGpTmCf7bFLNX5xvjmE0fhECbwFx3SskW1pQZh6UkfkwcVozpVX6
elY9L+06GU9sAr4GXsPwu/S4YpjKUWY2AJDv93AxTFWy/EP+0fr0tZZIEuoBKoqX
8ebW+HTRL0My5p9UHtlzuK6ZMYkqvTizpgsPsdv6Zq9k82BTFZpBO6G4YLo2mvp2
qrpoRt3IQ337naVlQn+h3r3Z99yN85n/7VBzD22adbu5UleWzkccivUyrV1F+52m
Fe7G7A/dw2qWlz4MCy6xym0isCvK09IQXk2cpdTy8Z7PKqdkBtYDbt3x2ufCHiaq
mvmugf9u+92FJJBgY+AVRVCIbrM73xGKKHuitmrl9nl0NdVXDc8BmVrkQcdqDK1U
C1BdfdavQT3FEN37tR5FweUb0f4VJ5s2kKJYSMmShDlUFKHb1Ds1qFlDF2rx2/Vw
qs3jSN3c0HZwHB03ay7VLnKUCxNJp6c1ZfXZ+Gf2/qt67kffmMJwS1M9HbERas9l
m7C5v+NUKEzlIWvpjFdf2MBuBmge9JJ9CWMt9DRw9Xgpg35NQoRpSYgEHv9JYwHo
lu323eAFksAWJUMu+nKpVJvLcad1U6yqL1Dxttjr6JEyBNaE1aw1a1UwEEzPIy8e
DH7ml2EPgYc=
=N6LU
-----END PGP SIGNATURE-----