[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4FA2A854.1050408@vmware.com>
Date: Thu, 03 May 2012 08:46:28 -0700
From: VMware Security Team <security@...are.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: VMSA-2012-0009 VMware Workstation, Player,
ESXi and ESX patches address critical security issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
-----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2012-0009
Synopsis: VMware Workstation, Player, ESXi and ESX patches address
critical security issues
Issue date: 2012-05-03
Updated on: 2012-05-03 (initial advisory)
CVE numbers: CVE-2012-1516, CVE-2012-1517, CVE-2012-2448, CVE-2012-2449,
CVE-2012-2450
-----------------------------------------------------------------------
1. Summary
VMware Workstation, Player, ESXi and ESX patches address critical
security issues
2. Relevant releases
Workstation 8.0.2
Player 4.0.2
Fusion 4.1.2
ESXi 5.0 without patch ESXi500-201205401-SG
ESXi 4.1 without patches ESXi410-201205401-SG, ESXi410-201110201-SG,
ESXi410-201201401-SG
ESXi 4.0 without patches ESXi400-201105201-UG, ESXi400-201205401-SG
ESXi 3.5 without patch ESXe350-201205401-I-SG
ESX 4.1 without patches ESX410-201205401-SG, ESX410-201110201-SG,
ESX410-201201401-SG
ESX 4.0 without patches ESX400-201105201-UG, ESX400-201205401-SG
ESX 3.5 without patch ESX350-201205401-SG
3. Problem Description
a. VMware host memory overwrite vulnerability (data pointers)
Due to a flaw in the handler function for RPC commands, it is
possible to manipulate data pointers within the VMX process.
This vulnerability may allow a guest user to crash the VMX
process or potentially execute code on the host.
Workaround
- Configure virtual machines to use less than 4 GB of memory.
Virtual machines that have less than 4GB of memory are
not affected.
Mitigation
- Do not allow untrusted users access to your virtual machines.
Root or Administrator level permissions are not required to
exploit this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-1516 to this issue.
VMware would like to thank Derek Soeder of Ridgeway Internet
Security, L.L.C. for reporting this issue to us.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
Workstation 8.x any not affected
Player 4.x any not affected
Fusion 4.x Mac OS/X not affected
ESXi 5.0 ESXi not affected
ESXi 4.1 ESXi ESXi410-201110201-SG
ESXi 4.0 ESXi ESXi400-201105201-UG
ESXi 3.5 ESXi ESXe350-201205401-I-SG
ESX 4.1 ESX ESX410-201110201-SG
ESX 4.0 ESX ESX400-201105201-UG
ESX 3.5 ESX ESX350-201205401-SG
b. VMware host memory overwrite vulnerability (function pointers)
Due to a flaw in the handler function for RPC commands, it is
possible to manipulate function pointers within the VMX process.
This vulnerability may allow a guest user to crash the VMX
process or potentially execute code on the host.
Workaround
- None identified
Mitigation
- Do not allow untrusted users access to your virtual machines.
Root or Administrator level permissions are not required to
exploit this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-1517 to this issue.
VMware would like to thank Derek Soeder of Ridgeway Internet
Security, L.L.C. for reporting this issue to us.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
Workstation 8.x any not affected
Player 4.x any not affected
Fusion 4.x Mac OS/X not affected
ESXi 5.0 ESXi not affected
ESXi 4.1 ESXi ESXi410-201201401-SG
ESXi 4.0 ESXi not affected
ESXi 3.5 ESXi not affected
ESX 4.1 ESX ESX410-201201401-SG
ESX 4.0 ESX not affected
ESX 3.5 ESX not affected
c. ESX NFS traffic parsing vulnerability
Due to a flaw in the handling of NFS traffic, it is possible to
overwrite memory. This vulnerability may allow a user with access to
the network to execute code on the ESXi/ESX host without
authentication. The issue is not present in cases where there is no
NFS traffic.
Workaround
- None identified
Mitigation
- Connect only to trusted NFS servers
- Segregate the NFS network
- Harden your NFS server
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-2448 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
Workstation 8.x any not affected
Player 4.x any not affected
Fusion 4.x Mac OS/X not affected
ESXi 5.0 ESXi ESXi500-201205401-SG
ESXi 4.1 ESXi ESXi410-201205401-SG
ESXi 4.0 ESXi ESXi400-201205401-SG
ESXi 3.5 ESXi ESXe350-201205401-I-SG
ESX 4.1 ESX ESX410-201205401-SG
ESX 4.0 ESX ESX400-201205401-SG
ESX 3.5 ESX ESX350-201205401-SG
d. VMware floppy device out-of-bounds memory write
Due to a flaw in the virtual floppy configuration it is possible
to perform an out-of-bounds memory write. This vulnerability may allow
a
guest user to crash the VMX process or potentially execute code
on the host.
Workaround
- Remove the virtual floppy drive from the list of virtual IO
devices. The VMware hardening guides recommend removing unused
virtual IO devices in general.
Mitigation
- Do not allow untrusted root users in your virtual machines. Root or
Administrator level permissions are required to exploit this
issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-2449 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
Workstation 8.x any 8.0.3 or later
Player 4.x any 4.0.3 or later
Fusion 4.x Mac OS/X patch pending **
ESXi 5.0 ESXi ESXi500-201205401-SG
ESXi 4.1 ESXi ESXi410-201205401-SG
ESXi 4.0 ESXi ESXi400-201205401-SG
ESXi 3.5 ESXi ESXe350-201205401-I-SG
ESX 4.1 ESX ESX410-201205401-SG
ESX 4.0 ESX ESX400-201205401-SG
ESX 3.5 ESX ESX350-201205401-SG
** A workaround for the issue is listed above.
e. VMware SCSI device unchecked memory write
Due to a flaw in the SCSI device registration it is possible
to perform an unchecked write into memory. This vulnerability may
allow a guest user to crash the VMX process or potentially execute
code on the host.
Workaround
- Remove the virtual SCSI controller from the list of virtual IO
devices. The VMware hardening guides recommend removing unused
virtual IO devices in general.
Mitigation
- Do not allow untrusted root users access to your virtual machines.
Root or Administrator level permissions are required to exploit
this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-2450 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter any Windows not affected
Workstation 8.x any 8.0.3 or later
Player 4.x any 4.0.3 or later
Fusion 4.x Mac OS/X 4.1.2 or later
ESXi 5.0 ESXi ESXi500-201205401-SG
ESXi 4.1 ESXi ESXi410-201205401-SG
ESXi 4.0 ESXi ESXi400-201205401-SG
ESXi 3.5 ESXi ESXe350-201205401-I-SG
ESX 4.1 ESX ESX410-201205401-SG
ESX 4.0 ESX ESX400-201205401-SG
ESX 3.5 ESX ESX350-201205401-SG
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
Workstation 8.0.3
-----------------
http://www.vmware.com/go/downloadworkstation
Release notes:
https://www.vmware.com/support/ws80/doc/releasenotes_workstation_803.html
VMware Workstation for Windows 32-bit and 64-bit with VMware Tools
md5sum: c8cabe876ab629f27e47cea02f0d4def
sha1sum: 815c2b2b9b0e5fd089ed19da15a272671eb405bd
VMware Workstation for Linux 32-bit with VMware Tools
md5sum: 968c0785ddb96058e808117730d7c3ad
sha1sum: 08ac903c012ef887bf45b3f9f83a4d3200fe25d1
VMware Workstation for Linux 64-bit with VMware Tools
md5sum: aa9ce2d953f21f9d902de00ffd2fcb5c
sha1sum: b8d189b6717d49abc49401fc4ad50b187ff2e813
Player 4.0.3
------------
http://www.vmware.com/go/downloadplayer
Release notes:
https://www.vmware.com/support/player40/doc/releasenotes_player403.html
VMware Player for Windows 32-bit and 64-bit
md5sum: f2259a257a5099cdce5e1ce76512f599
sha1sum: 96badcaac81e1dfeaaac49d1a5bb6b1e13956266
VMware Player for Linux 32-bit
md5sum: 4012e897a77a1c69dd18fbcdde6cf269
sha1sum: 1c00cde50dc6c651393c85db6449010cf552c3eb
VMware Player for Linux 64-bit
md5sum: 857edd0695b3b31713f9ea1b0a65f2b6
sha1sum: 83c4365f4b43713e8cee13998c394331990a0fd3
ESXi and ESX
------------
http://downloads.vmware.com/go/selfsupport-download
Note: In case multiple patches are listed below, the most
recent patch is listed on top. The most recent patch includes
fixes for the issues that are addressed in the older patches.
ESXi 5.0
--------
ESXi500-201205001
md5sum: 4a1de58656980271d79a32107cba75cf
sha1sum: 5f23b318df3476002877c37f2970093dc2217d75
http://kb.vmware.com/kb/2019857
ESXi500-201205001 contains ESXi500-201205401-SG
ESXi 4.1
--------
ESXi410-201205001
md5sum: 5a37d83fc2a96483c94b3087387b3e9c
sha1sum: 9999f578163ffc9ada809e985a6e5d42b83e2be6
http://kb.vmware.com/kb/2019860
ESXi410-201205001 contains ESXi410-201205401-SG
ESXi410-201201001
md5sum: bdf86f10a973346e26c9c2cd4c424e88
sha1sum: cc0b92869a9aae4f5e0e5b81bee109bcd7da780f
http://kb.vmware.com/kb/2009137
ESXi410-201201001 contains ESXi410-201201401-SG
update-from-esxi4.1-4.1_update02
md5sum:57e34b500ce543d778f230da1d44e412
sha1sum:52f4378e2f1a29c908493182ccbde91d58b4112f
http://kb.vmware.com/kb/2002338
update-from-esxi4.1-4.1_update02 contains ESXi410-201110201-SG
ESXi 4.0
--------
ESXi400-201205001
md5sum: 96808908b8ff82460a6cbd9b4c501dd4
sha1sum: df0256c4ff71f4e7af507e956a496390c7a84597
http://kb.vmware.com/kb/2019855
ESXi400-201205001 contains ESXi400-201205401-SG
update-from-esxi4.0-4.0_update03
md5sum: 01bb395825b55b21ec5ea9a5e2ec2c4b
sha1sum: ca49bbf154278568a71caf1a5288ac9239dfaf7f
http://kb.vmware.com/kb/1031736
update-from-esxi4.0-4.0_update03 contains ESXi400-201105201-UG
ESXi 3.5
--------
ESXe350-201205401-O-SG
md5sum: e2f017e7ef9a1c0ed5e70dbc97ec62d3
sha1sum: 8dab4731acd4e257cc1701aa0a88373727a9e3ae
http://kb.vmware.com/kb/2019538
ESXe350-201205401-O-SG contains ESXe350-201205401-I-SG
ESX 4.1
-------
ESX410-201205001
md5sum: 0445d053cacee38338b6cc57efae093b
sha1sum: 40720a3be86dd3c9e0bed29c95e0f0a4e34e4cce
http://kb.vmware.com/kb/2019859
ESX410-201205001 contains ESX410-201205401-SG
ESX410-201201001
md5sum: 16df9acd3e74bcabc2494bc23ad0927f
sha1sum: 1066ae1436e1a75ba3d541ab65296cfb9ab7a5cc
http://kb.vmware.com/kb/2009080
ESX410-201201001 contains ESX410-201201401-SG
ESX 4.0
-------
ESX400-201205001
md5sum: ff0451d353916cc5aebdabf15f4941cc
sha1sum: 8485bc41f23e214940e2b618958293ef74eb425f
http://kb.vmware.com/kb/2019853
ESX400-201205001 contains ESX400-201205401-SG
update-from-esx4.0-4.0_update03
md5sum: 329b08d80d56b0965b84251c552970ba
sha1sum: 2e7285d0cbfd666ab9d745a76f639eccb55c1b2a
http://kb.vmware.com/kb/1031732
update-from-esx4.0-4.0_update03 contains ESX400-201105201-UG
ESX 3.5
-------
ESX350-201205401-SG
md5sum: e7d519fccf34a9bd9ff73cbef9247e31
sha1sum: b5a1a50bf116fb900768a8882bc77adb93b3a182
http://kb.vmware.com/kb/2019535
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1516
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2450
-----------------------------------------------------------------------
6. Change log
2012-05-03 VMSA-2012-0009
Initial security advisory in conjunction with the release of
Workstation 8.0.3, Player 4.0.3 and patches for ESXi and ESX 3.5,
4.0, 4.1 and 5.0 on 2012-05-03.
-----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2012 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFPoqeMDEcm8Vbi9kMRArVAAJ4/gq2fVUj0y5hP0Bwt3tNkqpGwGQCfac1V
xkgqRXKeGCKRbmMR8blc8zQ=
=HLeh
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists