[Security-announce] VMSA-2011-0009 VMware hosted product updates, ESX patches and VI , Client update resolve multiple security issues

VMware Security Announcements security-announce at lists.vmware.com
Thu Jun 2 22:17:02 PDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                        VMware Security Advisory

Advisory ID:    VMSA-2011-0009
Synopsis:       VMware hosted product updates, ESX patches and VI
                Client update resolve multiple security issues
Issue date:     2011-06-02
Updated on:     2011-06-02 (initial release of advisory)
CVE numbers:    CVE-2009-4536 CVE-2010-1188 CVE-2009-3080 CVE-2010-2240
                CVE-2011-2146 CVE-2011-1787 CVE-2011-2145 CVE-2011-2217
- ------------------------------------------------------------------------

1. Summary

    VMware hosted product updates, ESX patches and VI Client update
    resolve multiple security issues.

2. Relevant releases

    VMware Workstation 7.1.3 and earlier.
    VMware Player 3.1.3 and earlier.

    VMware Fusion 3.1.2 and earlier.

    ESXi 4.1 without patch ESXi410-201104402-BG.
    ESXi 4.0 without patch ESXi400-201104402-BG.
    ESXi 3.5 without patches ESXe350-201105401-I-SG and
                             ESXe350-201105402-T-SG.

    ESX 4.1 without patch ESX410-201104401-SG
    ESX 4.0 without patch ESX400-201104401-SG
    ESX 3.5 without patches ESX350-201105401-SG,
                            ESX350-201105404-SG and
                            ESX350-201105406-SG.

3. Problem Description

    a. VMware vmkernel third party e1000 Driver Packet Filter Bypass

        There is an issue in the e1000 Linux driver for Intel PRO/1000
        adapters that allows a remote attacker to bypass packet filters.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CVE-2009-4536 to this issue.

        Column 4 of the following table lists the action required to
        remediate the vulnerability in each release, if a solution is
        available.

        VMware      Product     Running     Replace with/
        Product     Version     on          Apply Patch
        =========   ========    =======     =================
        vCenter     any         Windows     not affected

        hosted*     any         any         not affected

        ESXi        4.1         ESXi        patch pending
        ESXi        4.0         ESXi        patch pending
        ESXi        3.5         ESXi        ESXe350-201105401-I-SG

        ESX         4.1         ESX         patch pending
        ESX         4.0         ESX         patch pending
        ESX         3.5         ESX         ESX350-201105404-SG
        ESX         3.0.3       ESX         patch pending

        * hosted products are VMware Workstation, Player, ACE, Fusion.

    b. ESX third party update for Service Console kernel

        This update for the console OS kernel package resolves four
        security issues.

        1) IPv4 Remote Denial of Service
            An remote attacker can achieve a denial of service via an
            issue in the kernel IPv4 code.

            The Common Vulnerabilities and Exposures project
            (cve.mitre.org) has assigned the name CVE-2010-1188 to this
            issue.

        2) SCSI Driver Denial of Service / Possible Privilege Escalation
            A local attacker can achieve a denial of service and
            possibly a privilege escalation via a vulnerability in the
            Linux SCSI drivers.

            The Common Vulnerabilities and Exposures project
            (cve.mitre.org) has assigned the name CVE-2009-3080 to this
            issue.

        3) Kernel Memory Management Arbitrary Code Execution
            A context-dependent attacker can execute arbitrary code via
            a vulnerability in a kernel memory handling function.

            The Common Vulnerabilities and Exposures project
            (cve.mitre.org) has assigned the name CVE-2010-2240 to this
            issue.

        4) e1000 Driver Packet Filter Bypass
            There is an issue in the Service Console e1000 Linux driver
            for Intel PRO/1000 adapters that allows a remote attacker to
            bypass packet filters.

            The Common Vulnerabilities and Exposures project
            (cve.mitre.org) has assigned the name CVE-2009-4536 to this
            issue.

        Column 4 of the following table lists the action required to
        remediate the vulnerability in each release, if a solution is
        available.

        VMware      Product     Running     Replace with/
        Product     Version     on          Apply Patch
        =========   ========    =======     =================
        vCenter     any         Windows     not affected

        hosted*     any         any         not affected

        ESXi        any         ESXi        not affected

        ESX         4.1         ESX         not applicable
        ESX         4.0         ESX         not applicable
        ESX         3.5         ESX         ESX350-201105401-SG
        ESX         3.0.3       ESX         patch pending

        * hosted products are VMware Workstation, Player, ACE, Fusion.

    c. Multiple vulnerabilities in mount.vmhgfs

        This patch provides a fix for the following three security
        issues in the VMware Host Guest File System (HGFS). None of
        these issues affect Windows based Guest Operating Systems.

        1) Mount.vmhgfs Information Disclosure
            Information disclosure via a vulnerability that allows an
            attacker with access to the Guest to determine if a path
            exists in the Host filesystem and whether it is a file or
            directory regardless of permissions.

            The Common Vulnerabilities and Exposures project
            (cve.mitre.org) has assigned the name CVE-2011-2146 to this
            issue.

        2) Mount.vmhgfs Race Condition
            Privilege escalation via a race condition that allows an
            attacker with access to the guest to mount on arbitrary
            directories in the Guest filesystem and achieve privilege
            escalation if they can control the contents of the mounted
            directory.

            The Common Vulnerabilities and Exposures project
            (cve.mitre.org) has assigned the name CVE-2011-1787 to this
            issue.

        3) Mount.vmhgfs Privilege Escalation
            Privilege escalation via a procedural error that allows an
            attacker with access to the guest operating system to gain
            write access to an arbitrary file in the Guest filesystem.
            This issue only affects Solaris and FreeBSD Guest Operating
            Systems.

            The Common Vulnerabilities and Exposures project
            (cve.mitre.org) has assigned the name CVE-2011-2145 to this
            issue.

        VMware would like to thank Dan Rosenberg for reporting these
        issues.

        Column 4 of the following table lists the action required to
        remediate the vulnerability in each release, if a solution is
        available.

        VMware      Product     Running     Replace with/
        Product     Version     on          Apply Patch
        =========   ========    =======     =================
        vCenter     any         Windows     not affected

        Workstation 7.1.x       Linux       7.1.4 or later*
        Workstation 7.1.x       Windows     7.1.4 or later*

        Player      3.1.x       Linux       3.1.4 or later*
        Player      3.1.x       Windows     3.1.4 or later*

        AMS         any         any         not affected

        Fusion      3.1.x       OSX         Fusion 3.1.3 or later*

        ESXi        4.1         ESXi        ESXi410-201104402-BG*
        ESXi        4.0         ESXi        ESXi400-201104402-BG*
        ESXi        3.5         ESXi        ESXe350-201105402-T-SG*

        ESX         4.1         ESX         ESX410-201104401-SG*
        ESX         4.0         ESX         ESX400-201104401-SG*
        ESX         3.5         ESX         ESX350-201105406-SG*
        ESX         3.0.3       ESX         not affected

        *After the update is applied VMware Guest Tools must be
         updated in any pre-existing non-Windows guest operating
         systems.

    d. VI Client ActiveX vulnerabilities

        VI Client COM objects can be instantiated in Internet Explorer
        which may cause memory corruption. An attacker who succeeded in
        making the VI Client user visit a malicious Web site could
        execute code on the user's system within the security context of
        that user.

        VMware would like to thank Elazar Broad and iDefense for
        reporting this issue to us.

        The Common Vulnerabilities and Exposures Project (cve.mitre.org)
        has assigned the name CVE-2011-2217 to this issue.

        Affected versions.

        The vSphere Client which comes with vSphere 4.0 and vSphere 4.1
        is not affected. This is any build of vSphere Client Version
        4.0.0 and vSphere Client Version 4.1.0.

        VI Clients bundled with VMware Infrastructure 3 that are not
        affected are:
        - VI Client 2.0.2 Build 230598 and higher
        - VI Client 2.5 Build 204931 and higher

        The issue can be remediated by replacing an affected VI Client
        with the VI Client bundled with VirtualCenter 2.5 Update 6 or
        VirtualCenter 2.5 Update 6a.

4. Solution
    Please review the patch/release notes for your product and version
    and verify the checksum of your downloaded file.

    VMware Workstation 7.1.4
    ----------------------------

http://downloads.vmware.com/d/info/desktop_downloads/vmware_workstation/7_0
    Release notes:
    http://downloads.vmware.com/support/ws71/doc/releasenotes_ws714.html

    VMware Workstation for Windows 32-bit and 64-bit with VMware Tools
    md5sum: b52d064dff3e9fb009e0637d59b79c44
    sha1sum: bf4fe9e901b45e59b33852c4612e90fb77223d64

    VMware Workstation for Linux 32-bit with VMware Tools
    md5sum: 5f5f25b1cfd8990e46db07788fe0adab
    sha1sum: d5b4bfe0d22079988a7777dcc0f87a16b494b5f9

    VMware Workstation for Linux 64-bit with VMware Tools
    md5sum: 68b424f836f63c12b071a791f80b1593
    sha1sum: a7d1f461830db022af8f9d872c980fc59a83c5d6

    VMware Fusion 3.1.3
    ---------------------------

http://downloads.vmware.com/d/info/desktop_downloads/vmware_fusion_for_the_mac/3_0
    Release notes:

http://downloads.vmware.com/support/fusion3/doc/releasenotes_fusion_313.html

    VMware Fusion for Intel-based Macs
    md5sum: f35ac5c15354723468257d2a48dc4f76
    sha1sum: 3c849a62c45551fddb16eebf298cef7279d622a9

    VMware Player 3.1.4
    ---------------------------
    http://downloads.vmware.com/d/info/desktop_downloads/vmware_player/3_0
    Release notes:
    https://www.vmware.com/support/player31/doc/releasenotes_player314.html

    VMware Player 3.1.4 for 32-bit and 64-bit Windows
    md5sum: 29dd5fefe40af929dba40185eb6d4804
    sha1sum: ac00488dd9e412beea2366c167ceb87ed262054f

    VMware Player 3.1.4 for 32-bit Linux
    md5sum: 75a41b63836d19db34f5551846c8b11d
    sha1sum: 7350051c0fc781604d1d46bc24003434cbcd3b26

    VMware Player 3.1.4 for 64-bit Linux
    md5sum: a7fdadfb2af8d9f76571cd06f2439041
    sha1sum: 90031375a9c10d9a0a5e32be154c856693ad7526

    VMware ESXi 4.1
    ---------------------------
    ESXi410-201104001
    Download link:

https://hostupdate.vmware.com/software/VUM/OFFLINE/release-276-20110420-682352/ESXi410-201104001.zip
    md5sum: 23bd026d6cbca718fe50ed1dd73cfe9d
    sha1sum: 82fa6da02a1f37430a15a659254426b3d3a62662
    http://kb.vmware.com/kb/1035111

    ESXi410-201104001 contains ESXi410-201104402-BG.

    VMware ESX 4.1
    -------
    ESX410-201104001
    Download link:

https://hostupdate.vmware.com/software/VUM/OFFLINE/release-275-20110420-062017/ESX410-201104001.zip
    md5sum: 757c3370ae63c75ef5b2178bd35a4ac3
    sha1sum: 95cfdc08e0988b4a0c0c3ea1a1acc1c661979888
    http://kb.vmware.com/kb/1035110

    Note ESX410-201104001 contains ESX410-201104401-SG.

    VMware ESXi 4.0
    ---------------------------
    ESXi400-201104001
    Download link:

https://hostupdate.vmware.com/software/VUM/OFFLINE/release-278-20110424-080274/ESXi400-201104001.zip
    md5sum: 08216b7ba18988f608326e245ac27e98
    sha1sum: 508a04532f0af007ce7c9d7693371470ed8257f0
    http://kb.vmware.com/kb/1037261

    Note ESXi400-201104001 contains ESXi400-201104402-BG.

    VMware ESX 4.0
    ---------------------------
    ESX400-201104001
    Download link:

https://hostupdate.vmware.com/software/VUM/OFFLINE/release-277-20110424-816604/ESX400-201104001.zip

    md5sum: 1a305fbf6c751403e56ef4e33cabde06
    sha1sum: bc7577cb80e69fbe81e3e9272a182deb42987b3d
    http://kb.vmware.com/kb/1037260

    Note ESX400-201104001 contains ESX400-201104401-SG.

    VMware ESXi 3.5
    ---------------------------
    ESXe350-201105401-O-SG
    Download link:
    http://download3.vmware.com/software/vi/ESXe350-201105401-O-SG.zip
    md5sum: 9bc9296cae1fbecf417f60941590fcb4
    sha1sum: d6902377f57e3b05b08c07a810d6b58fa30aa8d5
    http://kb.vmware.com/kb/1036403

    Note ESXe350-201105401-O-SG contains the following security fixes:
    ESXe350-201105402-T-SG and ESXe350-201105401-I-SG

    VMware ESX 3.5
    ---------------------------
    ESX350-201105401-SG
    Download link:
    http://download3.vmware.com/software/vi/ESX350-201105401-SG.zip
    md5sum: 2853ca6e75ef5e856ec582151908ad93
    sha1sum: c538971d47af4b813348d87bf2f4fa6acd9292f7
    http://kb.vmware.com/kb/1036399

    ESX350-201105404-SG
    Download link:
    http://download3.vmware.com/software/vi/ESX350-201105404-SG.zip
    md5sum: 7403d4a06e2bdb9cdfb5590432f51bf8
    sha1sum: 1700d6175524680b982ca4430cff77b5f7cb15c4
    http://kb.vmware.com/kb/1036402

    ESX350-201105406-SG
    Download link:
    http://download3.vmware.com/software/vi/ESX350-201105406-SG.zip
    md5sum: 6c695f7d021f751959aec08fed94df11
    sha1sum: 83a862c469e7f3334e2a78f6b81d98c02108b708
    http://kb.vmware.com/kb/1036754

5. References

    CVE numbers
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4536
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1188
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3080
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2240
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2146
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1787
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2145
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2217

- ------------------------------------------------------------------------
6. Change log
    2011-06-02 VMSA-2011-0009
    Initial security advisory in conjunction with the release of ESX 3.5
    patches on 2011-06-02.

- ------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2011 VMware Inc.  All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3obk4ACgkQDEcm8Vbi9kPxTQCfXvijx70kof3qf0xqgvJcyYAw
UNEAni6n80vtX9DZe66c80h0mP+UIM+3
=FWdP
-----END PGP SIGNATURE-----


More information about the Security-announce mailing list