[Security-announce] UPDATED VMSA-2008-0005.1 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues

security-announce at lists.vmware.com security-announce at lists.vmware.com
Thu Apr 24 16:50:52 PDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2008-0005.1
Synopsis:          Updated VMware Workstation, VMware Player, VMware
                   Server, VMware ACE, and VMware Fusion resolve
                   critical security issues
Issue date:        2008-03-17
Updated on:        2008-04-24
CVE numbers:       CVE-2008-0923 CVE-2008-0923 CVE-2008-1361
                   CVE-2008-1362 CVE-2007-5269 CVE-2006-2940
                   CVE-2006-2937 CVE-2006-4343 CVE-2006-4339
                   CVE-2007-5618 CVE-2008-1364 CVE-2008-1363
                   CVE-2008-1340
- -------------------------------------------------------------------

1. Summary:

   Several critical security vulnerabilities have been addressed
   in the newest releases of VMware's hosted product line.

2. Relevant releases:

   VMware Workstation 6.0.2 and earlier
   VMware Workstation 5.5.4 and earlier
   VMware Player 2.0.2 and earlier
   VMware Player 1.0.4 and earlier
   VMware ACE 2.0.2 and earlier
   VMware ACE 1.0.2 and earlier
   VMware Server 1.0.4 and earlier
   VMware Fusion 1.1.1 and earlier

3. Problem description:

 a.  Host to guest shared folder (HGFS) traversal vulnerability

     On Windows hosts, if you have configured a VMware host to guest
     shared folder (HGFS), it is possible for a program running in the
     guest to gain access to the host's file system and create or modify
     executable files in sensitive locations.

NOTE: VMware Server is not affected because it doesn't use host to
      guest shared folders.  No versions of ESX Server, including
      ESX Server 3i, are affected by this vulnerability.  Because
      ESX Server is based on a bare-metal hypervisor architecture
      and not a hosted architecture, and it doesn't include any
      shared folder abilities.  Fusion and Linux based hosted
      products are unaffected.

     VMware would like to thank CORE Security Technologies for
     working with us on this issue.  This addresses advisory
     CORE-2007-0930.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2008-0923 to this issue.

     Hosted products
     ---------------
     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

 b.  Insecure named pipes

     An internal security audit determined that a malicious Windows
     user could attain and exploit LocalSystem privileges by causing
     the authd process to connect to a named pipe that is opened and
     controlled by the malicious user.

     The same internal security audit determined that a malicious
     Windows user could exploit an insecurely created named pipe
     object to escalate privileges or create a denial of service
     attack.  In this situation, the malicious user could
     successfully impersonate authd and attain privileges under
     which Authd is executing.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the names CVE-2008-1361, CVE-2008-1362 to these
     issues.

     Windows Hosted products
     ---------------
     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

 c.  Updated libpng library to version 1.2.22 to address various security
     vulnerabilities

     Several flaws were discovered in the way libpng handled various PNG image
     chunks. An attacker could create a carefully crafted PNG image file in
     such a way that it could cause an application linked with libpng to crash
     when the file was manipulated.

     The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned
     the name CVE-2007-5269 to this issue.

     Hosted products
     ---------------
     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

     NOTE: Fusion is not affected by this issue.

 d.  Updated OpenSSL library to address various security vulnerabilities

     Updated OpenSSL fixes several security flaws were discovered
     in previous versions of OpenSSL.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     assigned the following names to these issues: CVE-2006-2940,
     CVE-2006-2937, CVE-2006-4343, CVE-2006-4339.

     Hosted products
     ---------------
     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

     NOTE: Fusion is not affected by this issue.

 e.  VIX API default setting changed to a more secure default value

     Workstation 6.0.2 allowed anonymous console access to the guest by means
     of the VIX API. This release, Workstation 6.0.3, disables this feature.
     This means that the Eclipse Integrated Virtual Debugger and the Visual
     Studio Integrated Virtual Debugger will now prompt for user account
     credentials to access a guest.

     Hosted products
     ---------------
     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)

 f.  Windows 2000 based hosted products privilege escalation vulnerability

     This release addresses a potential privilege escalation on
     Windows 2000 hosted products.  Certain services may be improperly
     registered and present a security vulnerability to Windows 2000 machines.

     VMware would like to thank Ray Hicken for reporting this issue and
     David Maciejak for originally pointing out these types of
     vulnerabilities.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     assigned the name CVE-2007-5618 to this issue.

     Windows versions of Hosted products
     ---------------
     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

     NOTE: Fusion and Linux based products are not affected by this issue.

 g.  DHCP denial of service vulnerability

     A potential denial of service issue affects DHCP service running
     on the host.

     VMware would like to thank Martin O'Neal for reporting this issue.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     assigned the name CVE-2008-1364 to this issue.

     Hosted products
     ---------------
     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)
     VMware Fusion      1.1 upgrade to version 1.1.1 (Build# 72241)

     NOTE: This issue doesn't affect the latest versions of VMware
           Workstation 6, VMware Player 2, and ACE 2 products.

 h.  Local Privilege Escalation on Windows based platforms by
     Hijacking VMware VMX configuration file

     VMware uses a configuration file named "config.ini" which
     is located in the application data directory of all users.
     By manipulating this file, a user could gain elevated
     privileges by hijacking the VMware VMX process.

     VMware would like to thank Sun Bing for reporting the issue.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     assigned the name CVE-2008-1363 to this issue.

     Windows based Hosted products
     ---------------
     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

 i.  Virtual Machine Communication Interface (VMCI) memory corruption
     resulting in denial of service

     VMCI was introduced in VMware Workstation 6.0, VMware Player 2.0,
     and VMware ACE 2.0.  It is an experimental, optional feature and
     it may be possible to crash the host system by making specially
     crafted calls to the VMCI interface.  This may result in denial
     of service via memory exhaustion and memory corruption.

     VMware would like to thank Andrew Honig of the Department of
     Defense for reporting this issue.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     assigned the name CVE-2008-1340 to this issue.

     Hosted products
     ---------------
     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
     VMware Fusion      1.1.1 upgrade to version 1.1.2 (Build# 87978)

4. Solution:

Please review the Patch notes for your product and version and verify the
md5sum of your downloaded file.

  VMware Workstation 6.0.3
  ------------------------
  http://www.vmware.com/download/ws/
  Release notes:
  http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
  Windows binary
  md5sum:  323f054957066fae07735160b73b91e5
  RPM Installation file for 32-bit Linux
  md5sum:  c44183ad11082f05593359efd220944e
  tar Installation file for 32-bit Linux
  md5sum:  57601f238106cb12c1dea303ad1b4820
  RPM Installation file for 64-bit Linux
  md5sum:  e9ba644be4e39556724fa2901c5e94e9
  tar Installation file for 64-bit Linux
  md5sum:  d8d423a76f99a94f598077d41685e9a9

  VMware Workstation 5.5.5
  ------------------------
  http://www.vmware.com/download/ws/ws5.html
  Release notes:
  http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html
  Windows binary
  md5sum:  9c2dd94db5eed93d7f64e8d6ba8d8bd3
  Compressed Tar archive for 32-bit Linux
  md5sum:  77401c0842a151f0b2db0b4fcb0d16eb
  Linux RPM version for 32-bit Linux
  md5sum:  c222b6db934deb9c1bb79b16b25a3202

  VMware Server 1.0.5
  -------------------
  http://www.vmware.com/download/server/
  Release notes:
  http://www.vmware.com/support/server/doc/releasenotes_server.html
  VMware Server for Windows 32-bit and 64-bit
  md5sum:  3c4a57310c55e17bf8e4a1059d5b36cc
  VMware Server Windows client package
  md5sum:  cb3dd2439203dc510f4d95f06ba59d21
  VMware Server for Linux
  md5sum:  161dcbe5af9bbd9834a86bf7c599903e
  VMware Server for Linux rpm
  md5sum:  fc3b81ed18b53eda943a992971e9f84a
  Management Interface
  md5sum:  dd10d25895d9994bd27ca896152f48ef
  VMware Server Linux client package
  md5sum:  aae18f1f7b8811b5499e3a358754d4f8

  VMware ACE 2.0.3 and 1.0.5
  --------------------------
  http://www.vmware.com/download/ace/
  Windows Release notes:
  http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html

  VMware Fusion 1.1.1
  -------------------
  http://www.vmware.com/download/fusion/
  Release notes:
  http://www.vmware.com/support/fusion/doc/releasenotes_fusion.html
  md5sum:  38e116ec26b30e7a6ac47c249ef650d0

  VMware Fusion 1.1.2
  -------------------
  http://www.vmware.com/download/fusion/
  Release notes:
  http://www.vmware.com/support/fusion/doc/releasenotes_fusion.html
  md5sum:  D15A3DFD3E7B11FC37AC684586086D2B

  VMware Player 2.0.3 and 1.0.6
  ----------------------
  http://www.vmware.com/download/player/
  Release notes Player 1.x:
  http://www.vmware.com/support/player/doc/releasenotes_player.html
  Release notes Player 2.0
  http://www.vmware.com/support/player2/doc/releasenotes_player2.html
  2.0.3 Windows binary
  md5sum:  0c5009d3b569687ae139e13d24c868d3
  VMware Player 2.0.3 for Linux (.rpm)
  md5sum:  53502b2112a863356dcd13dd0d8dd8f2
  VMware Player 2.0.3 for Linux (.tar)
  md5sum:  2305fcff49bef6e4ad83742412eac978
  VMware Player 2.0.3 - 64-bit (.rpm)
  md5sum:  cf945b571c4d96146ede010286fdfca5
  VMware Player 2.0.3 - 64-bit (.tar)
  md5sum:  f99c5b293eb87c5f918ad24111565b9f
  1.0.6 Windows binary
  md5sum:  895081406c4de5361a1700ec0473e49c
  Player 1.0.6 for Linux (.rpm)
  md5sum:  8adb23799dd2014be0b6d77243c76942
  Player 1.0.6 for Linux (.tar)
  md5sum:  c358f8e1387fb60863077d6f8a9f7b3f

5. References:

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0923
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1361
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1362
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5618
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1364
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1363
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1340

6. Change log:

2008-03-17  VMSA-2008-0005    Initial release
2008-04-24  VMSA-2008-0005.1  Added information for
                              Fusion 1.1.2 released on 04/23/08
                              for item i.

- -------------------------------------------------------------------
7. Contact:

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIERzFS2KysvBH1xkRCH44AJ0e7X4nrMgZNOCyfC11GDUx4XOCFwCffMbQ
icsAxBg10sRULIYif7sKL38=
=4GYA
-----END PGP SIGNATURE-----



More information about the Security-announce mailing list