Message-ID: <4C3BF9C6.3060306@vmware.com>
Date: Mon, 12 Jul 2010 22:29:42 -0700
From: VMware Security Team <security@...are.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: VMSA-2010-0011 VMware Studio 2.1 addresses
security vulnerabilities in virtual appliances created with Studio 2.0.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0011
Synopsis: VMware Studio 2.1 addresses security vulnerabilities
in virtual appliances created with Studio 2.0.
Issue date: 2010-07-13
Updated on: 2010-07-13 (initial release of advisory)
CVE numbers: CVE-2010-2427 CVE-2010-2667
- ------------------------------------------------------------------------
1. Summary
VMware Studio 2.1 addresses security vulnerabilities in virtual
appliances created with Studio 2.0.
2. Relevant releases
VMware Studio 2.0
Note: virtual appliances created with VMware Studio 2.0 may be
affected
3. Problem Description
a. VMware Studio 2.0 remote command execution by Studio user
VMware Studio is a development tool to create and manage virtual
appliances. VMware Studio itself is a virtual appliance.
A vulnerability in the Virtual Appliance Management Infrastructure
(VAMI) allows for remote command execution in Studio 2.0 or in
virtual appliances created with Studio 2.0. Exploitation of the
issue requires authentication to Studio or to the virtual appliance.
Studio 2.0
----------
The vulnerability may be exploited on Studio if both of these
conditions apply:
- you have Studio 2.0
and
- you have created a user account with limited privileges (this is
not the default configuration).
Studio is by default shipped with the root user account and no other
user accounts. For this reason, exploitation of the vulnerability
would not yield any gain for an attacker since the attacker would
need to know the credentials of the root user account in order to
launch an attack. If an attacker knows the credentials of the root
user, the attacker will have other avenues to compromise Studio.
In case another user account with limited privileges has been added
to Studio, the exploitation of the issue may lead to remote command
execution by the attacker. The attacker would still need to know
the credentials of the additional user account in order to launch an
attack.
Virtual appliances created with Studio 2.0
------------------------------------------
The vulnerability may be exploited on a virtual appliance if both of
these conditions apply:
- the virtual appliance was created with Studio 2.0
and
- the virtual appliance has a user account with limited privileges.
The following command will show which version of Studio was used to
create the virtual appliance:
"vamicli version --studio"
If the issue can be exploited, the following will remove this
possibility:
- disable user accounts that have limited privileges
or
- disable the vami-sfcbd daemon (note: this will prevent the use of
VAMI features such as using the web interface to set the network
configuration)
or
- recreate the virtual appliance using Studio 2.1.
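The two exposure conditions and the vami-sfcbd mitigation listed above, written as a shell check. This is an added example and not part of VMware's advisory. It assumes that "limited privileges" means a non-root account that can still log in, and that the operator passes in the version read from "vamicli version --studio" and the daemon state; the function names and the sample passwd/shadow data are constructed for illustration.

```shell
#!/bin/sh
# Added example: exposure check for the VAMI issue (CVE-2010-2667) in this advisory.
# Assumption: "limited privileges" means a non-root account (UID != 0) that can
# still log in: shadow password not locked and shell not nologin/false.

# Print accounts matching that definition.
# $1 = passwd-format file, $2 = shadow-format file
limited_login_accounts() {
    awk -F: '
        FILENAME == ARGV[1] {
            # shadow: a hash starting with "!" or "*" is locked;
            # an empty hash allows login, so it counts as usable
            if ($2 !~ /^[!*]/) usable[$1] = 1
            next
        }
        $3 != 0 && ($1 in usable) && $7 !~ /(nologin|false)$/ { print $1 }
    ' "$2" "$1"
}

# Return 0 when the advisory's conditions hold and no mitigation is in place.
# $1 = Studio version the operator read from "vamicli version --studio"
# $2 = "running" or "stopped" (state of the vami-sfcbd daemon)
# $3 = passwd file, $4 = shadow file
appliance_exposed() {
    case "$1" in
        2.0|2.0.*) ;;          # only appliances created with Studio 2.0
        *) return 1 ;;
    esac
    [ "$2" = "running" ] || return 1   # daemon disabled: mitigated
    [ -n "$(limited_login_accounts "$3" "$4")" ]
}

# Constructed sample data (not from a real appliance).
make_sample() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
operator:x:1001:1001:Ops:/home/operator:/bin/bash
backup:x:1002:1002:Backup:/home/backup:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$constructed$hash:14800:0:99999:7:::
daemon:*:14800:0:99999:7:::
operator:$6$constructed$hash2:14800:0:99999:7:::
backup:!$6$constructed$hash3:14800:0:99999:7:::
EOF
    echo "$dir"
}
```

On an appliance, run the functions as root against /etc/passwd and /etc/shadow; every account that limited_login_accounts prints is a candidate for the "disable user accounts" mitigation.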
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2010-2667 to this issue.
VMware would like to thank Claudio Criscione of Secure Network for
reporting this issue to us.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
VMware Studio  1.0       VMware   not affected
VMware Studio  2.0       VMware   not affected (default conf.) *
VMware Studio  2.1       VMware   not affected
VMware Studio
plug-in for
Eclipse        any       Eclipse  not affected
* The default configuration of Studio 2.0 is not affected, see above
for details. Virtual appliances created with Studio 2.0 may be
affected, see above for details.
b. VMware Studio 2.0 local privilege escalation vulnerability
VMware Studio is a development tool to create and manage virtual
appliances. VMware Studio itself is a virtual appliance.
A vulnerability in the way temporary files are written may lead
to a privilege escalation in Studio 2.0. Exploitation of the issue
requires authentication to the system running Studio. Virtual
appliances created with Studio 2.0 are not affected.
Studio is by default shipped with the root user account and no other
user accounts. For this reason, exploitation of the vulnerability
would not yield any gain for an attacker since the attacker would
need to know the credentials of the root user account in order to
launch an attack. If an attacker knows the credentials of the root
user, the attacker will have other avenues to compromise Studio.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2010-2427 to this issue.
VMware would like to thank Claudio Criscione of Secure Network for
reporting this issue to us.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
VMware Studio  1.0       VMware   not affected
VMware Studio  2.0       VMware   not affected (default conf.) *
VMware Studio  2.1       VMware   not affected
VMware Studio
plug-in for
Eclipse        any       Eclipse  not affected
* The default configuration of Studio 2.0 is not affected, see above
for details. Virtual appliances created with Studio are not
affected.
4. Solution
Please review the patch/release notes for your product and version
and verify the md5sum or sha1sum of your downloaded file.
VMware Studio 2.1 build 1318-268792
-----------------------------------
http://www.vmware.com/support/developer/studio/
Release notes:
http://www.vmware.com/support/developer/studio/studio21/release_notes.html
The following downloads are available from
http://www.vmware.com/downloads/download.do?downloadGroup=STUDIO21GA
VMware Studio appliance in ZIP
md5sum:b8555e11412da3b9ab4a8a663069380b
sha1sum:ec53078d40bb2abaa207ba62ee893a0502dc861b
VMware Studio appliance in OVA
md5sum:9bff9cfd011245278063c8821981519a
sha1sum:163e13587a1a80582970bc02fac98e93df99fdc7
VMware Studio appliance in OVF 1.0
md5sum:f7269080b987aac2982ca50df22f4cc9
sha1sum:d579a72d8bf3f04711816e01d83b999b8b2105ce
VMware Studio appliance in OVF 0.9
md5sum:3388ea758d7f47c51277efad77900a69
sha1sum:0a11225b448085c82909892ba1ff3d3310ad55a5
VMDK associated with the OVF 1.0 and OVF 0.9 descriptor
md5sum:8bc772e36155e2917fa0f1ca63de6759
sha1sum:ca7e77b87c7b2c03a32515da4091e19bb5c1c8a7
VMware Studio Plugin for Eclipse in ZIP
md5sum:d260c26e9ede41e6412407d0089495e9
sha1sum:648812be742968dc8b0e54d3de4d6a90d2f3e17f
5. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2667
- ------------------------------------------------------------------------
6. Change log
2010-07-13 VMSA-2010-0011
Initial security advisory after release of Studio 2.1 on 2010-07-13.
- -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2010 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFMO/mBS2KysvBH1xkRAuk8AJ47bVVbirFHy9YV7tlkEjBnqoFn/ACfXbmH
MpvA3yOeQCEdX/rTqVFF+zY=
=Wn5B
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/