lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2035220539.101367076.1386125460896.JavaMail.root@vmware.com>
Date: Tue, 3 Dec 2013 18:51:00 -0800 (PST)
From: "\"VMware Security Response Center\"" <security@...are.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: NEW VMSA-2013-0014 VMware Workstation, Fusion,
 ESXi and ESX patches address a guest privilege escalation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2013-0014
Synopsis:    VMware Workstation, Fusion, ESXi and ESX patches 
             address a guest privilege escalation
Issue date:  2013-12-03
Updated on:  2013-12-03 (initial advisory)
CVE number:  CVE-2013-3519
- -----------------------------------------------------------------------

1. Summary

    VMware Workstation, Fusion, ESXi and ESX patches address a 
    vulnerability in the LGTOSYNC.SYS driver which could result in a
    privilege escalation on older Windows-based Guest Operating Systems.

2. Relevant releases

    VMware Workstation 9.x prior to version 9.0.3 
    
    VMware Player 5.x prior to version 5.0.3

    VMware Fusion 5.x prior to version 5.0.4

    VMware ESXi 5.1 without patch ESXi510-201304102
    VMware ESXi 5.0 without patch ESXi500-201303102
    VMware ESXi 4.1 without patch ESXi410-201301402
    VMware ESXi 4.0 without patch ESXi400-201305401

    VMware ESX 4.1 without patch ESX410-201301401
    VMware ESX 4.0 without patch ESX400-201305401


3. Problem Description

   a. VMware LGTOSYNC privilege escalation.

      VMware ESX, Workstation and Fusion contain a vulnerability 
      in the handling of control code in lgtosync.sys. A local 
      malicious user may exploit this vulnerability to manipulate the 
      memory allocation. This could result in a privilege 
      escalation on 32-bit Guest Operating Systems running Windows 2000
      Server, Windows XP or Windows 2003 Server on ESXi and ESX; or 
      Windows XP on Workstation and Fusion.

      The vulnerability does not allow for privilege escalation
      from the Guest Operating System to the host. This means 
      that host memory can not be manipulated from the Guest 
      Operating System.

      VMware would like to thank Derek Soeder of Cylance, Inc. for 
      reporting this issue to us. 

      The Common Vulnerabilityies and Exposures project (cve.mitre.org)
      has assigned the name CVE-2013-3519 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product   Running   Replace with/
        Product         Version   on        Apply Patch*
        =============   =======   =======   =================
        Workstation     10.x      any       not affected
        Workstation     9.x       any       9.0.3 or later

        Player          6.x       Windows   not affected
        Player          5.x       Windows   5.0.3 or later

        Fusion          6.x       Mac OS/X  not affected
        Fusion          5.x       Mac OS/X  5.0.4 or later


        ESXi            5.5       ESXi      not affected
        ESXi            5.1       ESXi      ESXi510-201304102-SG
        ESXi            5.0       ESXi      ESXi500-201303102-SG
        ESXi            4.1       ESXi      ESXi410-201301402-SG
        ESXi            4.0       ESXi      ESXi400-201305401-SG

        ESX             4.1       ESX       ESX410-201301401-SG
        ESX             4.0       ESX       ESX400-201305401-SG

      * Notes on updating VMware Guest Tools: 

      After the update or patch is applied, VMware Guest Tools must
      be updated in any pre-existing Windows-based Guest Operating 
      System followed by a reboot of the guest system.

 4. Solution

      Please review the patch/release notes for your product and version 
      and verify the checksum of your downloaded file. 

      VMware Workstation  
      --------------------------- 
      https://www.vmware.com/go/downloadworkstation 

      VMware Player 
      --------------------------- 
      https://www.vmware.com/go/downloadplayer 
      
      VMware Fusion
      --------------------------- 
      https://www.vmware.com/go/downloadfusion

      ESXi and ESX 
      --------------------------- 
      https://my.vmware.com/web/vmware/downloads 

      ESXi 5.1 
      --------------------------- 
      File: update-from-esxi5.1-5.1_update01.zip 
      md5sum: 28b8026bcfbe3cd1817509759d4b61d6 
      sha1sum: 9d3124d3c5efa6d0c3b9ba06511243fc6e205542 
      http://kb.vmware.com/kb/2041632 
      update-from-esxi5.1-5.1_update01.zip contains ESXi510-201304102-SG 

      ESXi 5.0
      --------------------------- 
      File: ESXi500-201303001.zip 
      md5sum: c62470c48e81da84891c79d5533c8e91 
      sha1sum: 69fe8933888d2a6c4e53cfe822441c963bdcd2c7 
      http://kb.vmware.com/kb/2044373
      ESXi500-201303001.zip contains ESXi500-201303102-SG

      ESXi 4.1 
      --------------------------- 
      File: ESXi410-201301001.zip 
      md5sum: 2fce8e96048b5f80354e90a1b9e7776c
      sha1sum: d38283afafe7e27fc64f11cf780e0f1577f98c6c 
      http://kb.vmware.com/kb/2041332 
      ESXi410-201301001 contains ESXi410-201301402-SG 

      ESXi 4.0 
      --------------------------- 
      File: ESXi400-201305001.zip 
      md5sum: 065d3fa4b0f52dd38c2bd92e5bfc5580      
      sha1sum: 1f3cab25a144746372d86071a47e569c439e276a
      http://kb.vmware.com/kb/2044241
      ESXi400-201305001 contains ESXi400-201305401-SG

      ESX 4.1 
      ---------------------------
      File: ESX410-201301001.zip 
      md5sum: a8685fff822d6fd2d112db20f223d8fd 
      sha1sum: 4f5e6d0d11c5666bcf7488b0a970e052c77c73f0
      http://kb.vmware.com/kb/2041331 
      ESX410-201301001 contains ESX410-201301401-SG

      ESX 4.0 
      ---------------------------
      File: ESX400-201305001.zip 
      md5sum: c9ac91d3d803c7b7cb9df401c20b91c0
      sha1sum: 7f5cef274c709248daa56d8c0e6fcc1ba86ae411      
      http://kb.vmware.com/kb/2044240
      ESX400-201305001 contains ESX400-201305401-SG
      
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3519


- -----------------------------------------------------------------------

6. Change log

   2013-12-03 VMSA-2013-0014
   Initial security advisory in conjunction with the release of VMware 
   Fusion 5.0.4 on 2013-12-03.

- -----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
   
   This Security Advisory is posted to the following lists:
   
     * security-announce at lists.vmware.com
     * bugtraq at securityfocus.com
     * full-disclosure at lists.grok.org.uk
   
   E-mail:  security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055
   
   VMware Security Advisories
   http://www.vmware.com/security/advisories
   
   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html
   
   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html
   
   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html
   
   Copyright 2013 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFSnpfaDEcm8Vbi9kMRAvhvAJ4vKNwcyVCmSwFvEUydhpXmZLL/wACeKydO
UwwY8FYofaHjTAcTMeVZlhA=
=pm8w
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ