[Security-announce] UPDATED VMSA-2011-0009.3 VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues

VMware Security Announcements security-announce at lists.vmware.com
Thu Dec 15 22:13:45 PST 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ------------------------------------------------------------------------
                        VMware Security Advisory

Advisory ID: VMSA-2011-0009.3

Synopsis:    VMware hosted product updates, ESX patches and VI Client
             update resolve multiple security issues
Issue date:  2011-06-02
Updated on:  2011-12-15
CVE numbers: CVE-2009-4536 CVE-2010-1188 CVE-2009-3080 CVE-2010-2240
             CVE-2011-2146 CVE-2011-1787 CVE-2011-2145 CVE-2011-2217
 ------------------------------------------------------------------------

1. Summary

    VMware hosted product updates, ESX patches and VI Client update
    resolve multiple security issues.

2. Relevant releases

    VMware Workstation 7.1.3 and earlier.
    VMware Player 3.1.3 and earlier.

    VMware Fusion 3.1.2 and earlier.

    ESXi 5.0 without patch ESXi500-201112403-SG
    ESXi 4.1 without patches ESXi410-201104402-BG and ESXi410-201110201-SG
    ESXi 4.0 without patch ESXi400-201110401-SG
    ESXi 3.5 without patches ESXe350-201105401-I-SG and
                             ESXe350-201105402-T-SG

    ESX 4.1 without patches ESX410-201104401-SG and ESX410-201110225-SG
    ESX 4.0 without patches ESX400-201104401-SG and
                            ESX400-201110410-SG
    ESX 3.5 without patches ESX350-201105401-SG,
                            ESX350-201105404-SG and
                            ESX350-201105406-SG

3. Problem Description

 a. VMware vmkernel third party e1000(e) Driver Packet Filter Bypass

	 There is an issue in the e1000(e) Linux driver for Intel PRO/1000
	 adapters that allows a remote attacker to bypass packet filters.

	 The Common Vulnerabilities and Exposures project (cve.mitre.org)
	 has assigned the name CVE-2009-4536 to this issue.

	 Column 4 of the following table lists the action required to
	 remediate the vulnerability in each release, if a solution is
	 available.

	 VMware      Product     Running     Replace with/
	 Product     Version     on          Apply Patch
	 =========   ========    =======     =================
	 vCenter     any         Windows     not affected

	 hosted*     any         any         not affected

	 ESXi        5.0         ESXi        ESXi500-201112403-SG
	 ESXi        4.1         ESXi        ESXi410-201110201-SG
	 ESXi        4.0         ESXi        ESXi400-201110401-SG
	 ESXi        3.5         ESXi        ESXe350-201105401-I-SG

	 ESX         4.1         ESX         ESX410-201110225-SG
	 ESX         4.0         ESX         ESX400-201110410-SG
	 ESX         3.5         ESX         ESX350-201105404-SG
	 ESX         3.0.3       ESX         no patch planned

  	 * hosted products are VMware Workstation, Player, ACE,
           Fusion.

 b. ESX third party update for Service Console kernel

	 This update for the console OS kernel package resolves four
	 security issues.

	 1) IPv4 Remote Denial of Service

	     A remote attacker can achieve a denial of service via an
	     issue in the kernel IPv4 code.

	     The Common Vulnerabilities and Exposures project
   	     (cve.mitre.org) has assigned the name CVE-2010-1188 to
   	     this issue.

	 2) SCSI Driver Denial of Service / Possible Privilege Escalation

	     A local attacker can achieve a denial of service and
	     possibly a privilege escalation via a vulnerability in
	     the Linux SCSI drivers.

	     The Common Vulnerabilities and Exposures project
	     (cve.mitre.org) has assigned the name CVE-2009-3080 to
	     this issue.

	 3) Kernel Memory Management Arbitrary Code Execution

	     A context-dependent attacker can execute arbitrary code
	     via a vulnerability in a kernel memory handling function.

	     The Common Vulnerabilities and Exposures project
	     (cve.mitre.org) has assigned the name CVE-2010-2240 to
	     this issue.

	 4) e1000 Driver Packet Filter Bypass

	     There is an issue in the Service Console e1000 Linux
	     driver for Intel PRO/1000 adapters that allows a remote
	     attacker to bypass packet filters.

	     The Common Vulnerabilities and Exposures project
	     (cve.mitre.org) has assigned the name CVE-2009-4536 to
	     this issue.

	 Column 4 of the following table lists the action required to
	 remediate the vulnerability in each release, if a solution is
	 available.

	 VMware      Product     Running     Replace with/
	 Product     Version     on          Apply Patch
	 =========   ========    =======     =================
	 vCenter     any         Windows     not affected

	 hosted*     any         any         not affected

	 ESXi        any         ESXi        not affected

	 ESX         4.1         ESX         not applicable
	 ESX         4.0         ESX         not applicable
	 ESX         3.5         ESX         ESX350-201105401-SG
	 ESX         3.0.3       ESX         no patch planned

	 * hosted products are VMware Workstation, Player, ACE,
           Fusion.

 c. Multiple vulnerabilities in mount.vmhgfs

	 This patch provides a fix for the following three security
	 issues in the VMware Host Guest File System (HGFS). None of
	 these issues affect Windows based Guest Operating Systems.

	 1) Mount.vmhgfs Information Disclosure

	     Information disclosure via a vulnerability that allows an
	     attacker with access to the Guest to determine if a path
	     exists in the Host filesystem and whether it is a file or
	     directory regardless of permissions.

	     The Common Vulnerabilities and Exposures project
	     (cve.mitre.org) has assigned the name CVE-2011-2146 to
	     this issue.

	 2) Mount.vmhgfs Race Condition

	     Privilege escalation via a race condition that allows an
	     attacker with access to the guest to mount on arbitrary
	     directories in the Guest filesystem and achieve privilege
	     escalation if they can control the contents of the
	     mounted directory.

	     The Common Vulnerabilities and Exposures project
	     (cve.mitre.org) has assigned the name CVE-2011-1787 to
	     this issue.

	 3) Mount.vmhgfs Privilege Escalation

	     Privilege escalation via a procedural error that allows
	     an attacker with access to the guest operating system to
	     gain write access to an arbitrary file in the Guest
	     filesystem.  This issue only affects Solaris and FreeBSD
	     Guest Operating Systems.

	     The Common Vulnerabilities and Exposures project
	     (cve.mitre.org) has assigned the name CVE-2011-2145 to
	     this issue.

	 VMware would like to thank Dan Rosenberg for reporting these
	 issues.

	 Column 4 of the following table lists the action required to
	 remediate the vulnerability in each release, if a solution is
	 available.

	 VMware      Product     Running     Replace with/
	 Product     Version     on          Apply Patch
	 =========   ========    =======     =================
	 vCenter     any         Windows     not affected

	 Workstation 7.1.x       Linux       7.1.4 or later*
	 Workstation 7.1.x       Windows     7.1.4 or later*

	 Player      3.1.x       Linux       3.1.4 or later*
	 Player      3.1.x       Windows     3.1.4 or later*

	 AMS         any         any         not affected

	 Fusion      3.1.x       OSX         Fusion 3.1.3 or later*

	 ESXi        5.0         ESXi        not affected
	 ESXi        4.1         ESXi        ESXi410-201104402-BG*
	 ESXi        4.0         ESXi        ESXi400-201104402-BG*
	 ESXi        3.5         ESXi        ESXe350-201105402-T-SG*

	 ESX         4.1         ESX         ESX410-201104401-SG*
	 ESX         4.0         ESX         ESX400-201104401-SG*
	 ESX         3.5         ESX         ESX350-201105406-SG*
	 ESX         3.0.3       ESX         not affected

  	 * After the update is applied VMware Guest Tools must be
	   updated in any pre-existing non-Windows guest operating
	   systems.

 d. VI Client ActiveX vulnerabilities

	 VI Client COM objects can be instantiated in Internet Explorer
	 which may cause memory corruption. An attacker who succeeded in
	 making the VI Client user visit a malicious Web site could
	 execute code on the user's system within the security context of
	 that user.

	 VMware would like to thank Elazar Broad and iDefense for
	 reporting this issue to us.

	 The Common Vulnerabilities and Exposures Project (cve.mitre.org)
	 has assigned the name CVE-2011-2217 to this issue.

	 Affected versions.

	 The vSphere Client which comes with vSphere 4.0 and vSphere 4.1
	 is not affected. This is any build of vSphere Client Version
	 4.0.0 and vSphere Client Version 4.1.0.

	 VI Clients bundled with VMware Infrastructure 3 that are not
	 affected are:
	 - VI Client 2.0.2 Build 230598 and higher
	 - VI Client 2.5 Build 204931 and higher

	 The issue can be remediated by replacing an affected VI Client
	 with the VI Client bundled with VirtualCenter 2.5 Update 6 or
	 VirtualCenter 2.5 Update 6a.

4. Solution
	Please review the patch/release notes for your product and version
	and verify the checksum of your downloaded file.

	VMware Workstation 7.1.4
	----------------------------
	http://www.vmware.com/go/downloadworkstation
	Release notes:
	http://downloads.vmware.com/support/ws71/doc/releasenotes_ws714.html

	VMware Workstation for Windows 32-bit and 64-bit with VMware Tools
	md5sum: b52d064dff3e9fb009e0637d59b79c44
	sha1sum: bf4fe9e901b45e59b33852c4612e90fb77223d64

	VMware Workstation for Linux 32-bit with VMware Tools
	md5sum: 5f5f25b1cfd8990e46db07788fe0adab
	sha1sum: d5b4bfe0d22079988a7777dcc0f87a16b494b5f9

	VMware Workstation for Linux 64-bit with VMware Tools
	md5sum: 68b424f836f63c12b071a791f80b1593
	sha1sum: a7d1f461830db022af8f9d872c980fc59a83c5d6

	VMware Fusion 3.1.3
	---------------------------
	http://www.vmware.com/go/downloadfusion
	Release notes:
	http://downloads.vmware.com/support/fusion3/doc/releasenotes_fusion_313.html

	VMware Fusion for Intel-based Macs
	md5sum: f35ac5c15354723468257d2a48dc4f76
	sha1sum: 3c849a62c45551fddb16eebf298cef7279d622a9

	VMware Player 3.1.4
	---------------------------
	http://www.vmware.com/go/downloadplayer
	Release notes:
	https://www.vmware.com/support/player31/doc/releasenotes_player314.html

	VMware Player 3.1.4 for 32-bit and 64-bit Windows
	md5sum: 29dd5fefe40af929dba40185eb6d4804
	sha1sum: ac00488dd9e412beea2366c167ceb87ed262054f

	VMware Player 3.1.4 for 32-bit Linux
	md5sum: 75a41b63836d19db34f5551846c8b11d
	sha1sum: 7350051c0fc781604d1d46bc24003434cbcd3b26

	VMware Player 3.1.4 for 64-bit Linux
	md5sum: a7fdadfb2af8d9f76571cd06f2439041
	sha1sum: 90031375a9c10d9a0a5e32be154c856693ad7526

	VMware ESXi 5.0
	---------------
	ESXi500-201112001

	Download link:
	https://hostupdate.vmware.com/software/VUM/OFFLINE/release-325-20111212-924952/ESXi500-201112001.zip
	md5sum: 107ec1cf6ee1d5d5cb8ea5c05b05cc10
	sha1sum: aff63c8a170508c8c0f21a60d1ea75ef1922096d
	http://kb.vmware.com/kb/2007673

	ESXi500-201112001 contains ESXi500-201112403-SG

	VMware ESXi 4.1
	---------------
        VMware ESXi 4.1 Update 2
        Download link:
        http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1

        Release Notes:
        https://www.vmware.com/support/pubs/vs_pages/vsp_pubs_esxi41_i_vc41.html
     
        File: VMware-VMvisor-Installer-4.1.0.update02-502767.x86_64.iso
        md5sum: 0aa78790a336c5fc6ba3d9807c98bfea
        sha1sum: 7eebd34ab5bdc81401ae20dcf59a8f8ae22086ce
     
        File: upgrade-from-esxi4.0-to-4.1-update02-502767.zip
        md5sum: 459d9142a885854ef0fa6edd8d6a5677
        sha1sum: 75978b6f0fc3b0ccc63babe6a65cfde6ec420d33
     
        File: upgrade-from-ESXi3.5-to-4.1_update02.502767.zip
        md5sum: 3047fac78a4aaa05cf9528d62fad9d73
        sha1sum: dc99b6ff352ace77d5513b4c6d8a2cb7e766a09f
     
        File: VMware-tools-linux-8.3.12-493255.iso
        md5sum: 63028f2bf605d26798ac24525a0e6208
        sha1sum: 95ca96eec7817da9d6e0c326ac44d8b050328932
     
        File: VMware-viclient-all-4.1.0-491557.exe
        md5sum: dafd31619ae66da65115ac3900697e3a
        sha1sum: 98be4d349c9a655621c068d105593be4a8e542ef
     
        VMware ESXi 4.1 Update 2 contains ESXi410-201110201-SG.

	ESXi410-201104001
	Download link:
	https://hostupdate.vmware.com/software/VUM/OFFLINE/release-276-20110420-682352/ESXi410-201104001.zip
	md5sum: 23bd026d6cbca718fe50ed1dd73cfe9d
	sha1sum: 82fa6da02a1f37430a15a659254426b3d3a62662
	http://kb.vmware.com/kb/1035111

	ESXi410-201104001 contains ESXi410-201104402-BG.
 	
	VMware ESX 4.1
	--------------
        VMware ESX 4.1 Update 2
        Download link:
        http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1

        Release Notes:
        http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html
        https://www.vmware.com/support/pubs/vum_pubs.html
     
        File: ESX-4.1.0-update02-502767.iso
        md5sum: 9a2b524446cbd756f0f1c7d8d88077f8
        sha1sum: 2824c0628c341357a180b3ab20eb2b7ef1bee61c
     
        File: pre-upgrade-from-esx4.0-to-4.1-502767.zip
        md5sum: 9060ad94d9d3bad7d4fa3e4af69a41cf
        sha1sum: 9b96ba630377946c42a8ce96f0b5745c56ca46b4
     
        File: upgrade-from-esx4.0-to-4.1-update02-502767.zip
        md5sum: 4b60f36ee89db8cb7e1243aa02cdb549
        sha1sum: 6b9168a1b01379dce7db9d79fd280509e16d013f
     
        File: VMware-tools-linux-8.3.12-493255.iso
        md5sum: 63028f2bf605d26798ac24525a0e6208
        sha1sum: 95ca96eec7817da9d6e0c326ac44d8b050328932
     
        File: VMware-viclient-all-4.1.0-491557.exe
        md5sum: dafd31619ae66da65115ac3900697e3a
        sha1sum: 98be4d349c9a655621c068d105593be4a8e542ef
     
        VMware ESX 4.1 Update 2 contains ESX410-201110225-SG.
     
        ESX410-201104001
	Download link:
	https://hostupdate.vmware.com/software/VUM/OFFLINE/release-275-20110420-062017/ESX410-201104001.zip
	md5sum: 757c3370ae63c75ef5b2178bd35a4ac3
	sha1sum: 95cfdc08e0988b4a0c0c3ea1a1acc1c661979888
	http://kb.vmware.com/kb/1035110

	ESX410-201104001 contains ESX410-201104401-SG.

	VMware ESXi 4.0
	---------------
	ESXi400-201110001
	Download link:
	https://hostupdate.vmware.com/software/VUM/OFFLINE/release-315-20111006-920880/ESXi400-201110001.zip
	md5sum: fd47b5e2b7ea1db79a2e0793d4c9d9d3
	sha1sum: 759d4fa6da6eb49f41def68e3bd66e80c9a7032b
	http://kb.vmware.com/kb/1036397

	ESXi400-201110001 contains ESXi400-201110401-SG

	ESXi400-201104001
	Download link:
	https://hostupdate.vmware.com/software/VUM/OFFLINE/release-278-20110424-080274/ESXi400-201104001.zip
	md5sum: 08216b7ba18988f608326e245ac27e98
	sha1sum: 508a04532f0af007ce7c9d7693371470ed8257f0
	http://kb.vmware.com/kb/1037261

	ESXi400-201104001 contains ESXi400-201104402-BG.

	VMware ESX 4.0
	--------------
	ESX400-201110001
	Download link:
	https://hostupdate.vmware.com/software/VUM/OFFLINE/release-314-20111006-398488/ESX400-201110001.zip
	md5sum: 0ce9cc285ea5c27142c9fdf273443d78
	sha1sum: fdb5482b2bf1e9c97f2814255676e3de74512399
	http://kb.vmware.com/kb/1036391

	ESX400-201110001 contains ESX400-201110410-SG.

	ESX400-201104001
	Download link:
	https://hostupdate.vmware.com/software/VUM/OFFLINE/release-277-20110424-816604/ESX400-201104001.zip
	md5sum: 1a305fbf6c751403e56ef4e33cabde06
	sha1sum: bc7577cb80e69fbe81e3e9272a182deb42987b3d
	http://kb.vmware.com/kb/1037260

	ESX400-201104001 contains ESX400-201104401-SG.

	VMware ESXi 3.5
	---------------
	ESXe350-201105401-O-SG
	Download link:
	http://download3.vmware.com/software/vi/ESXe350-201105401-O-SG.zip
	md5sum: 9bc9296cae1fbecf417f60941590fcb4
	sha1sum: d6902377f57e3b05b08c07a810d6b58fa30aa8d5
	http://kb.vmware.com/kb/1036403

	Note: ESXe350-201105401-O-SG contains the following security fixes:
	ESXe350-201105402-T-SG and ESXe350-201105401-I-SG

	VMware ESX 3.5
	--------------
	ESX350-201105401-SG
	Download link:
	http://download3.vmware.com/software/vi/ESX350-201105401-SG.zip
	md5sum: 2853ca6e75ef5e856ec582151908ad93
	sha1sum: c538971d47af4b813348d87bf2f4fa6acd9292f7
	http://kb.vmware.com/kb/1036399

	ESX350-201105404-SG
	Download link:
	http://download3.vmware.com/software/vi/ESX350-201105404-SG.zip
	md5sum: 7403d4a06e2bdb9cdfb5590432f51bf8
	sha1sum: 1700d6175524680b982ca4430cff77b5f7cb15c4
	http://kb.vmware.com/kb/1036402

	ESX350-201105406-SG
	Download link:
	http://download3.vmware.com/software/vi/ESX350-201105406-SG.zip
	md5sum: 6c695f7d021f751959aec08fed94df11
	sha1sum: 83a862c469e7f3334e2a78f6b81d98c02108b708
	http://kb.vmware.com/kb/1036754

5. References

	CVE numbers
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4536
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1188
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3080
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2240
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2146
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1787
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2145
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2217

 ------------------------------------------------------------------------
6. Change log

   2011-06-02 VMSA-2011-0009
   Initial security advisory in conjunction with the release of ESX 3.5
   patches on 2011-06-02.

   2011-10-12 VMSA-2011-0009.1
   Updated security advisory after the release of ESX 4.0 patches on
   2011-10-12.

   2011-10-27 VMSA-2011-0009.2
   Updated security advisory with the release of Update 2 for vSphere
   Hypervisor (ESXi) 4.1 and ESX 4.1 on 2011-10-27.

   2011-12-15 VMSA-2011-0009.3
   Updated security advisory with the release of ESXi 5.0 patches on
   2011-12-15.

 ------------------------------------------------------------------------

7. Contact

	E-mail list for product security notifications and announcements:
	http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
	
	This Security Advisory is posted to the following lists:
	
	  * security-announce at lists.vmware.com
	  * bugtraq at securityfocus.com
	  * full-disclosure at lists.grok.org.uk
	
	E-mail:  security at vmware.com
	PGP key at: http://kb.vmware.com/kb/1055
	
	VMware Security Advisories
	http://www.vmware.com/security/advisories
	
	VMware security response policy
	http://www.vmware.com/support/policies/security_response.html
	
	General support life cycle policy
	http://www.vmware.com/support/policies/eos.html
	
	VMware Infrastructure support life cycle policy
	http://www.vmware.com/support/policies/eos_vi.html
	
	Copyright 2011 VMware Inc.  All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAk7q2MEACgkQDEcm8Vbi9kPCDQCeO0fR7QXx2g8Wl9VMBRpNmsHQ
FxgAn1KUhefLs1G8fqYPPhx+fDhABTPH
=BxBR
-----END PGP SIGNATURE-----
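
Added example (not part of the VMware advisory): a Python check that parses the ESX/ESXi lines of section 2, "Relevant releases", and reports which of the listed patches a host still lacks. The host names and installed-patch lists are constructed sample data; patch IDs are compared exactly, so a bundle or a later superseding bulletin is not recognized as covering a listed patch.

```python
import re

# ESX/ESXi lines of section 2 ("Relevant releases"), copied from the advisory.
RELEVANT_RELEASES = """\
ESXi 5.0 without patch ESXi500-201112403-SG
ESXi 4.1 without patches ESXi410-201104402-BG and ESXi410-201110201-SG
ESXi 4.0 without patch ESXi400-201110401-SG
ESXi 3.5 without patches ESXe350-201105401-I-SG and
                         ESXe350-201105402-T-SG
ESX 4.1 without patches ESX410-201104401-SG and ESX410-201110225-SG
ESX 4.0 without patches ESX400-201104401-SG and
                        ESX400-201110410-SG
ESX 3.5 without patches ESX350-201105401-SG,
                        ESX350-201105404-SG and
                        ESX350-201105406-SG
"""

# "<product> <version> without patch(es) ..." starts a new release entry.
HEADER = re.compile(r"^\s*(ESXi?)\s+(\d+(?:\.\d+)+)\s+without patch(?:es)?\b")
# Bulletin IDs as they appear in this advisory, e.g. ESXe350-201105401-I-SG.
PATCH_ID = re.compile(r"\bES[A-Za-z]+\d{3}-\d{9}(?:-[A-Z])?-(?:SG|BG)\b")


def parse_required(text):
    """Map (product, version) -> patch IDs, following wrapped continuation lines."""
    required, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))
            required[current] = []
        if current is not None:
            required[current].extend(PATCH_ID.findall(line))
    return required


def missing_patches(required, product, version, installed):
    """Return listed patches not installed, or None if the release is not listed."""
    key = (product, version)
    if key not in required:
        return None
    have = set(installed)
    return [p for p in required[key] if p not in have]


# Constructed inventory: (host, product, version, installed bulletin IDs).
INVENTORY = [
    ("esxi-lab-01", "ESXi", "4.1", ["ESXi410-201104402-BG"]),
    ("esx-lab-02", "ESX", "3.5", ["ESX350-201105401-SG", "ESX350-201105404-SG",
                                  "ESX350-201105406-SG"]),
    ("esx-lab-03", "ESX", "3.0.3", []),  # not listed in section 2
]


def audit(inventory, required):
    """Return {host: missing patch list, or None when the release is not listed}."""
    return {host: missing_patches(required, product, version, installed)
            for host, product, version, installed in inventory}


if __name__ == "__main__":
    for host, result in audit(INVENTORY, parse_required(RELEVANT_RELEASES)).items():
        print(host, "not listed in section 2" if result is None else result or "patched")
```

A result of None means the release does not appear in section 2 and has to be looked up in the per-issue tables of section 3, where ESX 3.0.3 is listed with "no patch planned" for two of the issues.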


