<<< Date Index >>>     <<< Thread Index >>>

VMware ESX server security updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2007-0001
Synopsis:          VMware ESX server security updates
Issue date:        2007-01-09
Updated on:        2007-01-09
CVE:               CVE-2006-3589 CVE-2006-2937 CVE-2006-2940
                   CVE-2006-3738 CVE-2006-4339 CVE-2006-4343
                   CVE-2006-4980
- -------------------------------------------------------------------

1. Summary:

Updated ESX Patches address several security issues.

2. Relevant releases:

VMware ESX 3.0.1 without patch ESX-9986131
VMware ESX 3.0.0 without patch ESX-3069097

VMware ESX 2.5.4 prior to upgrade patch 3
VMware ESX 2.5.3 prior to upgrade patch 6
VMware ESX 2.1.3 prior to upgrade patch 4
VMware ESX 2.0.2 prior to upgrade patch 4

3. Problem description:

Problems addressed by these patches:

a. Incorrect permissions on SSL key files generated  by vmware-config
(CVE-2006-3589):

    ESX 3.0.1: does not have this problem
    ESX 3.0.0: does not have this problem
    ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 3 (Build# 36502)
    ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 6 (Build# 35703)
    ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 4 (Build# 35803)
    ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 4 (Build# 35801)

    A possible security issue with the configuration program
    vmware-config which could set incorrect permissions on SSL key
    files. Local users may be able to obtain access to the SSL key
    files. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) assigned the name CVE-2006-3589 to this issue.

b. OpenSSL library vulnerabilities:

    ESX 3.0.1: corrected by ESX 3.0.1 Patch ESX-9986131
    ESX 3.0.0: corrected by ESX 3.0.0 Patch ESX-3069097
    ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 3 (Build# 36502)
    ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 6 (Build# 35703)
    ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 4 (Build# 35803)
    ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 4 (Build# 35801)

    (CVE-2006-2937) OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d
    allows remote attackers to cause a denial of service (infinite
    loop and memory consumption) via malformed ASN.1 structures that
    trigger an improperly handled error condition.

    (CVE-2006-2940) OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d,
    and earlier versions allows attackers to cause a denial of service
    (CPU consumption) via parasitic public keys with large (1) "public
    exponent" or (2) "public modulus" values in X.509 certificates that
    require extra time to process when using RSA signature verification.

    (CVE-2006-4339) OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8
    before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1
    padding before generating a hash, which allows remote attackers to
    forge a PKCS #1 v1.5 signature that is signed by that RSA key and
    prevents OpenSSL from correctly verifying X.509 and other
    certificates that use PKCS #1.

    (CVE-2006-4343) The get_server_hello function in the SSLv2 client
    code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and
    earlier versions allows remote servers to cause a denial of service
    (client crash) via unknown vectors that trigger a null pointer
    dereference.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    assigned the names CVE-2006-2937, CVE-2006-2940, CVE-2006-3738,
    CVE-2006-4339, and CVE-2006-4343 to these issues.

c. Updated OpenSSH package addresses the following possible security issues:

    ESX 3.0.1: corrected by Patch ESX-9986131
    ESX 3.0.0: corrected by Patch ESX-3069097
    ESX 2.5.4: does not have these problems
    ESX 2.5.3: does not have these problems
    ESX 2.1.3: does not have these problems
    ESX 2.0.2: does not have these problems

    (CVE-2004-2069) sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly
    other versions, when using privilege separation, does not properly
    signal the non-privileged process when a session has been terminated
    after exceeding the LoginGraceTime setting, which leaves the
    connection open and allows remote attackers to cause a denial of
    service (connection consumption).

    (CVE-2006-0225) scp in OpenSSH 4.2p1 allows attackers to execute
    arbitrary commands via filenames that contain shell metacharacters
    or spaces, which are expanded twice.

    (CVE-2003-0386) OpenSSH 3.6.1 and earlier, when restricting host
    access by numeric IP addresses and with VerifyReverseMapping
    disabled, allows remote attackers to bypass "from=" and "user@host"
    address restrictions by connecting to a host from a system whose
    reverse DNS hostname contains the numeric IP address.

    (CVE-2006-4924) sshd in OpenSSH before 4.4, when using the version 1
    SSH protocol, allows remote attackers to cause a denial of service
    (CPU consumption) via an SSH packet that contains duplicate blocks,
    which is not properly handled by the CRC compensation attack
    detector.

    NOTE: ESX by default disables version 1 SSH protocol.

    (CVE-2006-5051) Signal handler race condition in OpenSSH before 4.4
    allows remote attackers to cause a denial of service (crash), and
    possibly execute arbitrary code if GSSAPI authentication is enabled,
    via unspecified vectors that lead to a double-free.

    NOTE: ESX doesn't use GSSAPI by default.

    (CVE-2006-5794) Unspecified vulnerability in the sshd Privilege
    Separation Monitor in OpenSSH before 4.5 causes weaker verification
    that authentication has been successful, which might allow attackers
    to bypass authentication.

    NOTE: as of 20061108, it is believed that this issue is only
    exploitable by leveraging vulnerabilities in the unprivileged
    process, which are not known to exist.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    assigned the names CVE-2004-2069, CVE-2006-0225, CVE-2003-0386,
    CVE-2006-4924, CVE-2006-5051, and CVE-2006-5794 to these issues.

d. Object reuse problems with newly created virtual disk (.vmdk or .dsk)
files:

    ESX 3.0.1: does not have this problem
    ESX 3.0.0: does not have this problem
    ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 3 (Build# 36502)
    ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 6 (Build# 35703)
    ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 4 (Build# 35803)
    ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 4 (Build# 35801)

    A possible security issue with virtual disk (.vmdk or .dsk) files
    that are newly created, but contain blocks from recently deleted
    virtual disk files.  Information belonging to the previously
    deleted virtual disk files could be revealed in newly created
    virtual disk files.

    VMware recommends the following workaround: When creating new
    virtual machines on an ESX Server that may contain sensitive
    data, use vmkfstools with the -W option. This initializes the
    virtual disk with zeros.

e. Buffer overflow in Python function repr():

    ESX 3.0.1: corrected by Patch ESX-9986131
    ESX 3.0.0: corrected by ESX-3069097
    ESX 2.5.4: does not have this problem
    ESX 2.5.3: does not have this problem
    ESX 2.1.3: does not have this problem
    ESX 2.0.2: does not have this problem

    A possible security issue with how the Python function repr()
    function handles UTF-32/UCS-4 strings. Python applications
    using this function can open a security vulnerability that could
    allow the execution of arbitrary code.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    assigned the name CVE-2006-4980 to this issue.

4. Solution:

Please review the Patch notes for your version of ESX and verify the md5sum.

  ESX 3.0.1
  http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
  md5usm: 239375e107fd4c7af57663f023863fcb

  ESX 3.0.0
  http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
  md5sum: ca9947239fffda708f2c94f519df33dc

  ESX 2.5.4
  http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html
  md5sum: 239375e107fd4c7af57663f023863fcb

  ESX 2.5.3
  http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html
  md5sum: f90fcab28362edbf2311f3ca90cc7739

  ESX 2.1.3
  http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html
  md5sum: 7d7d0e40f4dccd5ca64b9c13a856da8f

  ESX 2.0.2
  http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html
  md5sum: 925e70f28d17714c53fdbd24de64329f


5. References:

ESX 2.5.4 Patch URL:
http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html

ESX 2.5.3 Patch URL:
http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html

ESX 2.1.3 Patch URL:
http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html

ESX 2.0.2 Patch URL:
http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html

ESX 3.0.0 Patch URL:
http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
Knowledge base URL:http://kb.vmware.com/kb/3069097

ESX 3.0.1 Patch URL:
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
Knowledge base URL:http://kb.vmware.com/kb/9986131

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3589
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4980

6. Contact:

http://www.vmware.com/security

VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html

E-mail:  security@xxxxxxxxxx
PGP key: http://kb.vmware.com/kb/1055

Copyright 2007 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFpDHJ6KjQhy2pPmkRCKBoAKCBxPzEUC9XijRAbtqZJ7l4YV4gUgCgmkW/
qYhKM5SDILPj7ixrsz2dm40=
=TjWR
-----END PGP SIGNATURE-----