Message-Id: <6699DCEC-2AAF-4DDF-A389-2C5CF54FA2D6@gmail.com>
Date: Sat, 7 May 2011 12:49:16 -0400
From: J K <jk6983@...il.com>
To: VMware Security Team <security@...are.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: VMSA-2011-0008 VMware vCenter Server and vSphere Client security vulnerabilities
Hi...
Quick question.
As cloud virtualization becomes an increasingly popular trend for enterprise companies, and VMware is sought after in most cases to supply the infrastructure, where does VMware stand from a vulnerability standpoint when it comes to publicized attacks such as Guest Stealer and the vulnerabilities that Metasploit's VASTO module aims to take advantage of?
What I hope to be the case is that VMware has patched all of the exploits, which would make a script kiddie's efforts a waste of time when launching Metasploit and throwing a bunch of exploits from the VASTO module against a VMware environment.
Forgive me if this is something that has already been discussed or the vulnerability has been plugged.
I do intend to set up ESXi in my own lab and run some of the VASTO modules, but I figured I would go to the source and bounce the question off a VMware security expert.
VASTO guest_stealer Demonstration - just to name one particular payload.
http://www.youtube.com/watch?v=b_5yg_xg6Y4
Thanks in advance for your time.
J K
On May 6, 2011, at 1:35 AM, VMware Security Team wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ------------------------------------------------------------------------
> VMware Security Advisory
>
> Advisory ID: VMSA-2011-0008
> Synopsis: VMware vCenter Server and vSphere Client security
> vulnerabilities
> Issue date: 2011-05-05
> Updated on: 2011-05-05 (initial release of advisory)
> CVE numbers: CVE-2011-0426 CVE-2011-1788 CVE-2011-1789
> - ------------------------------------------------------------------------
>
> 1. Summary
>
> VMware vCenter Server directory traversal and information disclosure
> vulnerabilities. vSphere Client Installer is delivered through an
> unsigned package.
>
> 2. Relevant releases
>
> vCenter Server 4.1 GA
> vCenter Server 4.0 Update 2 and earlier
> VirtualCenter 2.5 Update 6 and earlier
>
> ESXi 4.1 GA
> ESXi 4.0 without patch ESXi400-201103402-SG
>
> ESX 4.1 GA
> ESX 4.0 without patch ESX400-201103401-SG
>
> 3. Problem Description
>
> a. vCenter Server Directory Traversal vulnerability
>
> A directory traversal vulnerability allows an attacker to remotely
> retrieve files from vCenter Server without authentication. In order
> to exploit this vulnerability, the attacker will need to have access
> to the network on which the vCenter Server host resides.
>
> In case vCenter Server is installed on Windows 2008 or
> Windows 2008 R2, the security vulnerability is not present.
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the name CVE-2011-0426 to this issue.
>
> VMware         Product   Running   Replace with/
> Product        Version   on        Apply Patch
> =============  ========  ========  =================
> vCenter        4.1       Windows   Update 1 *
> vCenter        4.0       Windows   Update 3 *
> VirtualCenter  2.5       Windows   Update 6a
>
> hosted **      any       any       not affected
>
> ESXi           any       ESXi      not affected
>
> ESX            any       ESX       not affected
>
> * vCenter 4.1 and vCenter 4.0 installed on Windows 2008 or Windows
> 2008 R2 are not affected
> ** hosted products are VMware Workstation, Player, ACE, Fusion.
>
> b. vCenter Server SOAP ID disclosure
>
> The SOAP session ID can be retrieved by any user that is logged in
> to vCenter Server. This might allow a local unprivileged user on
> vCenter Server to elevate his or her privileges.
>
> VMware would like to thank Claudio Criscione for reporting this
> issue to us.
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org)
> has assigned the name CVE-2011-1788 to this issue.
>
> VMware         Product   Running   Replace with/
> Product        Version   on        Apply Patch
> =============  ========  ========  =================
> vCenter        4.1       Windows   Update 1
> vCenter        4.0       Windows   Update 3
> VirtualCenter  2.5       Windows   not affected
>
> hosted *       any       any       not affected
>
> ESXi           any       ESXi      not affected
>
> ESX            any       ESX       not affected
>
> * hosted products are VMware Workstation, Player, ACE, Fusion.
>
> c. vSphere Client Installer package not digitally signed
>
> The digitally signed vSphere Client installer is packaged in a
> self-extracting installer package which is not digitally signed. As
> a result, when you run the install package file to extract and start
> installing, the vSphere Client installer may display a Windows
> warning message stating that the publisher of the install package
> cannot be verified.
> The vSphere Client Installer package of the following product
> versions is now digitally signed:
>
> vCenter Server 4.1 Update 1
> vCenter Server 4.0 Update 3
>
> ESXi 4.1 Update 1
> ESXi 4.0 with patch ESXi400-201103402-SG
>
> ESX 4.1 Update 1
> ESX 4.0 with patch ESX400-201103401-SG
>
> An install or update of the vSphere Client from these releases will
> not present a security warning from Windows.
> Note: typically the vSphere Client will request an update if the
> existing client is pointed at a newer version of vCenter or ESX.
>
> VMware Knowledge Base article 1021404 explains how the unsigned
> install package can be obtained in an alternative, secure way for an
> environment with VirtualCenter 2.5, ESXi/ESX 3.5 or ESX 3.0.3.
>
> VMware would like to thank Claudio Criscione for reporting this
> issue to us.
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org)
> has assigned the name CVE-2011-1789 to this issue.
>
> 4. Solution
>
> Please review the patch/release notes for your product and version
> and verify the checksum of your downloaded file.
>
> vCenter Server 4.1 Update 1
> ---------------------------
> See VMSA-2011-0003 for details.
>
> vCenter Server 4.0 Update 3
> ---------------------------
> http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
> Release Notes:
> http://www.vmware.com/support/vsphere4/doc/vsp_vc40_u3_rel_notes.html
> File type: .iso
> md5sum: b04780df75f70621d0c8794e8773a983
> sha1sum: a9f1398306158572ea1c3d202ed8c6ad922e0764
>
> File type: .zip
> md5sum: bc8179a639dcc6563d7dbf968095edc7
> sha1sum: 61b6dbb1bcf3aa74503e183317a00733b0253faa
> VMware vSphere Client
> File type: .exe
> md5sum: 1b90081e422358c407ad9696c70c70f7
> sha1sum: 7ba9043421f8b529b0da08fa83458069ccac0fe9
>
> VirtualCenter Server 2.5 Update 6a
> ----------------------------------
> http://downloads.vmware.com/d/info/datacenter_downloads/vmware_infrastructure_3/3_5
> Release Notes:
> http://downloads.vmware.com/support/vi3/doc/vi3_vc25u6_rel_notes.html
>
> File type: .iso
> md5sum: de8c246cf136b382b13be1993ca6ca3f
> sha1sum: e32ec136425b3fb77afa03d8e6666a6b096debbc
>
> File type: .zip
> md5sum: 41bdc78ba9b06a1691635f1a79062f97
> sha1sum: 3db04c0da053c05fab15900e127a7b20c80ee8a5
>
> ESXi 4.0
> --------
> ESXi400-201103001
> https://hostupdate.vmware.com/software/VUM/OFFLINE/release-274-20110303-677367/ESXi400-201103001.zip
> md5sum: a68ef31414573460cdadef4d81fb95d0
> sha1sum: 7155e60962b21b5c295a2e9412ac4a445382db31
> http://kb.vmware.com/kb/1032823
>
> ESXi400-201103001 contains ESXi400-201103402-SG
>
> ESX 4.0
> -------
> ESX400-201103001
> Download link:
> https://hostupdate.vmware.com/software/VUM/OFFLINE/release-273-20110303-574144/ESX400-201103001.zip
> md5sum: 5b9a0cfe6c0ff1467c09c8d115910ff8
> sha1sum: 8bfb5df8066a01704eaa24e4d8a34f371816904b
> http://kb.vmware.com/kb/1032822
>
> ESX400-201103001 contains ESX400-201103401-SG
>
>
> 5. References
>
> CVE numbers
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0426
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1788
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1789
> VMware KB 1021404
> http://kb.vmware.com/kb/1021404
>
> VMSA-2011-0003
> http://www.vmware.com/security/advisories/VMSA-2011-0003.html
>
> - ------------------------------------------------------------------------
> 6. Change log
>
> 2011-05-05 VMSA-2011-0008
> Initial security advisory in conjunction with the release of vCenter
> Server 4.0 Update 3 and VirtualCenter 2.5 Update 6a on 2011-05-05.
>
> - ------------------------------------------------------------------------
>
> 7. Contact
>
> E-mail list for product security notifications and announcements:
> http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
>
> This Security Advisory is posted to the following lists:
>
> * security-announce at lists.vmware.com
> * bugtraq at securityfocus.com
> * full-disclosure at lists.grok.org.uk
>
> E-mail: security at vmware.com
> PGP key at: http://kb.vmware.com/kb/1055
>
> VMware Security Advisories
> http://www.vmware.com/security/advisories
>
> VMware security response policy
> http://www.vmware.com/support/policies/security_response.html
>
> General support life cycle policy
> http://www.vmware.com/support/policies/eos.html
>
> VMware Infrastructure support life cycle policy
> http://www.vmware.com/support/policies/eos_vi.html
>
> Copyright 2011 VMware Inc. All rights reserved.
>
>
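Section 4 of the quoted advisory asks the reader to verify the checksum of each downloaded file. The helper below is an added example, not part of the original post and not a VMware tool: it pulls the `File type` / `md5sum` / `sha1sum` triples out of the advisory text as it appears in the mail (quote prefixes included, digest values copied from the advisory above) and accepts a downloaded file only when both digests match the entry for its file type.

```python
import hashlib
import re
from pathlib import Path

# Excerpt of the quoted VMSA-2011-0008 "Solution" section in mail-quoted form; digests are the advisory's own.
ADVISORY_EXCERPT = """\
> File type: .iso
> md5sum: b04780df75f70621d0c8794e8773a983
> sha1sum: a9f1398306158572ea1c3d202ed8c6ad922e0764
>
> File type: .zip
> md5sum: bc8179a639dcc6563d7dbf968095edc7
> sha1sum: 61b6dbb1bcf3aa74503e183317a00733b0253faa
> VMware vSphere Client
> File type: .exe
> md5sum: 1b90081e422358c407ad9696c70c70f7
> sha1sum: 7ba9043421f8b529b0da08fa83458069ccac0fe9
"""
ENTRY_RE = re.compile(
    r"File type:\s*(?P<ext>\S+)\s+md5sum:\s*(?P<md5>[0-9a-fA-F]{32})"
    r"\s+sha1sum:\s*(?P<sha1>[0-9a-fA-F]{40})"
)

def parse_checksums(text):
    """Return the advisory's (ext, md5, sha1) triples in order; '> ' quote prefixes are dropped."""
    unquoted = re.sub(r"(?m)^> ?", "", text)
    return [{"ext": m["ext"].lower(), "md5": m["md5"].lower(), "sha1": m["sha1"].lower()}
            for m in ENTRY_RE.finditer(unquoted)]

def digests(chunks):
    """Hash an iterable of byte chunks once for both algorithms (an ISO is too big to slurp)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def compare(actual, expected):
    """Names of the digests that disagree; an empty list means both md5 and sha1 matched.
    Both are required: an MD5 match on its own is weak evidence, so SHA-1 must agree as well."""
    return [alg for alg in ("md5", "sha1") if actual[alg] != expected[alg].lower()]

def verify_download(path, advisory_text=ADVISORY_EXCERPT):
    """True only if the file matches an advisory entry for its extension on both digests."""
    path = Path(path)
    with path.open("rb") as fh:
        actual = digests(iter(lambda: fh.read(1 << 20), b""))
    return any(e["ext"] == path.suffix.lower() and not compare(actual, e)
               for e in parse_checksums(advisory_text))
```

Run `verify_download("VMware-VIMSetup-<version>.iso")` (placeholder file name) after pasting the relevant advisory section into `ADVISORY_EXCERPT`; a `False` result means the download does not match any published digest pair for that file type.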
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/