VMSA-2007-0004 Multiple Denial-of-Service issues fixed
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- -------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2007-0004
Synopsis: Multiple Denial-of-Service issues fixed
Issue date: 2007-05-04
Updated on: 2007-05-04
CVE numbers: CVE-2007-1069 CVE-2007-1337 CVE-2007-1877
CVE-2007-1876 CVE-2007-1744
- -------------------------------------------------------------------
1. Summary:
Multiple Denial-of-Service issues fixed.
2. Relevant releases:
VMware Workstation prior to 5.5.4
VMware Player prior to 1.0.4
VMware Server prior to 1.0.3
VMware ACE prior to 1.0.3
3. Problem description:
Problems addressed by these patches:
a. Denial-of-Service on Windows based guest operating systems.
Some VMware products managed memory in a way that failed to
gracefully handle some general protection faults (GPFs) in Windows
guest operating systems.
A malicious user could use this vulnerability to crash Windows
virtual machines. While this vulnerability could allow an
attacker to crash a virtual machine, we do not believe it was
possible to escalate privileges or escape virtual containment.
VMware thanks Rubén Santamarta of Reversemode for identifying and
reporting this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-1069 to this issue.
VMware Workstation 5.5.4 (Build# 44386)
VMware Player 1.0.4 (Build# 44386)
VMware Server 1.0.3 (Build# 44356)
VMware ACE 1.0.3 (Build# 44385)
b. Denial-of-Service using ACPI I/O ports
Virtual machines can be put in various states of suspension, as
specified by the ACPI power management standard. When returning
from a sleep state (S2) to the run state (S0), the virtual machine
process (VMX) collects information about the last recorded running
state for the virtual machine. Under some circumstances, VMX read
state information from an incorrect memory location. This issue
could be used to complete a successful Denial-of-Service attack
where the virtual machine would need to be rebooted.
Thanks to Tavis Ormandy of Google for identifying this issue.
http://taviso.decsystem.org/virtsec.pdf
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-1337 to this issue.
VMware Workstation 5.5.4 (Build# 44386)
VMware Player 1.0.4 (Build# 44386)
VMware Server 1.0.3 (Build# 44356)
VMware ACE 1.0.3 (Build# 44385)
c. Denial-of-Service using malformed configuration data
Some VMware products support storing configuration information in
VMDB files. Under some circumstances, a malicious user could
instruct the virtual machine process (VMX) to store malformed data,
causing an error. This error could enable a successful
Denial-of-Service attack on guest operating systems.
VMware would like to thank Per-Fredrik Pollnow and Mikael Janers
technical security consultants at SunGard iXsecurity.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-1877 to this issue.
VMware Workstation 5.5.4 (Build# 44386)
VMware Player 1.0.4 (Build# 44386)
VMware Server 1.0.3 (Build# 44356)
VMware ACE 1.0.3 (Build# 44385)
d. Debugging local programs could create system instability
In a 64-bit Windows guest on a 64-bit host, debugging local
programs could create system instability. Using a debugger to step
into a syscall instruction may corrupt the virtual machine's
register context. This corruption produces unpredictable results
including corrupted stack pointers, kernel bugchecks, or vmware-vmx
process failures.
Thanks to Ken Johnson for identifying this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-1876 to this issue.
VMware Workstation 5.5.4 (Build# 44386)
VMware Player 1.0.4 (Build# 44386)
VMware Server 1.0.3 (Build# 44356)
VMware ACE 1.0.3 (Build# 44385)
e. Directory traversal vulnerability in shared folders feature
Shared Folders is a feature that enables users of guest operating
systems to access a specified set of folders in the host's file
system. A vulnerability was identified by Greg MacManus of iDefense
Labs that could allow an attacker to write arbitrary content from a
guest system to arbitrary locations on the host system. In order to
exploit this vulnerability, the VMware system must have at least
one folder shared. Although the Shared Folder feature is enabled
by default, no folders are shared by default, which means this
vulnerability is not exploitable by default.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-1744 to this issue.
VMware Workstation 5.5.4 (Build# 44386)
VMware Player 1.0.4 (Build# 44386)
VMware Server 1.0.3 (Build# 44356)
VMware ACE 1.0.3 (Build# 44385)
4. Solution:
Hosted products can be downloaded from the following locations:
VMware Workstation 5.5.4
http://www.vmware.com/download/ws/
VMware Server 1.0.3
http://www.vmware.com/download/server/
VMware Player 1.0.4
http://www.vmware.com/download/player/
VMware ACE 1.0.3
http://www.vmware.com/download/ace/
Note: ACE 2, a major release of ACE, will be available very
shortly. It is targeted for an early May 07 release. A release
candidate build is posted publicly on the VMware beta products
site. In addition to new functionality, ACE 2 addresses all
issues outlined in the posted ACE 1.0.3 release notes. Anyone
considering a patch or upgrade may wish to plan for a move
directly to the ACE 2 GA release.
5. References:
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1877
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1744
6. Contact:
E-mail: security@xxxxxxxxxx
http://www.vmware.com/security
VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html
Copyright 2007 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFGP61f6KjQhy2pPmkRCJ6+AJ0cTbUetmsDYomiekcrFm8ieup9KQCgsaVk
JGz9td+nL/jv+ooODmmaYA4=
=LcQJ
-----END PGP SIGNATURE-----