<<< Date Index >>>     <<< Thread Index >>>

VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------
~                   VMware Security Advisory

Advisory ID:       VMSA-2008-0005
Synopsis:          Updated VMware Workstation, VMware Player, VMware
~                   Server, VMware ACE, and VMware Fusion resolve
~                   critical security issues
Issue date:        2008-03-17
Updated on:        2008-03-17 (initial release of advisory)
CVE numbers:       CVE-2008-0923 CVE-2008-0923 CVE-2008-1361
~                   CVE-2008-1362 CVE-2007-5269 CVE-2006-2940
~                   CVE-2006-2937 CVE-2006-4343 CVE-2006-4339
~                   CVE-2007-5618 CVE-2008-1364 CVE-2008-1363
~                   CVE-2008-1340
- -------------------------------------------------------------------

1. Summary:

~   Several critical security vulnerabilities have been addressed
~   in the newest releases of VMware's hosted product line.

2. Relevant releases:

~   VMware Workstation 6.0.2 and earlier
~   VMware Workstation 5.5.4 and earlier
~   VMware Player 2.0.2 and earlier
~   VMware Player 1.0.4 and earlier
~   VMware ACE 2.0.2 and earlier
~   VMware ACE 1.0.2 and earlier
~   VMware Server 1.0.4 and earlier
~   VMware Fusion 1.1 and earlier

3. Problem description:

~ a.  Host to guest shared folder (HGFS) traversal vulnerability

~     On Windows hosts, if you have configured a VMware host to guest
~     shared folder (HGFS), it is possible for a program running in the
~     guest to gain access to the host's file system and create or modify
~     executable files in sensitive locations.

NOTE: VMware Server is not affected because it doesn't use host to
~      guest shared folders.  No versions of ESX Server, including
~      ESX Server 3i, are affected by this vulnerability.  Because
~      ESX Server is based on a bare-metal hypervisor architecture
~      and not a hosted architecture, and it doesn't include any
~      shared folder abilities.  Fusion and Linux based hosted
~      products are unaffected.

~     VMware would like to thank CORE Security Technologies for
~     working with us on this issue.  This addresses advisory
~     CORE-2007-0930.

~     The Common Vulnerabilities and Exposures project (cve.mitre.org)
~     has assigned the name CVE-2008-0923 to this issue.

~     Hosted products
~     ---------------
~     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
~     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
~     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
~     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

~ b.  Insecure named pipes

~     An internal security audit determined that a malicious Windows
~     user could attain and exploit LocalSystem privileges by causing
~     the authd process to connect to a named pipe that is opened and
~     controlled by the malicious user.

~     The same internal security audit determined that a malicious
~     Windows user could exploit an insecurely created named pipe
~     object to escalate privileges or create a denial of service
~     attack.  In this situation, the malicious user could
~     successfully impersonate authd and attain privileges under
~     which Authd is executing.

~     The Common Vulnerabilities and Exposures project (cve.mitre.org)
~     has assigned the names CVE-2008-1361, CVE-2008-1362 to these
~     issues.

~     Windows Hosted products
~     ---------------
~     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
~     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
~     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
~     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
~     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

~ c.  Updated libpng library to version 1.2.22 to address various
~     security vulnerabilities

~     Several flaws were discovered in the way libpng handled various PNG
~     image chunks. An attacker could create a carefully crafted PNG
~     image file in such a way that it could cause an application linked
~     with libpng to crash when the file was manipulated.

~     The Common Vulnerabilities and Exposures project (cve.mitre.org)
~     has assigned the name CVE-2007-5269 to this issue.

~     Hosted products
~     ---------------
~     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
~     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
~     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
~     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
~     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

~     NOTE: Fusion is not affected by this issue.

~ d.  Updated OpenSSL library to address various security vulnerabilities

~     Updated OpenSSL fixes several security flaws were discovered
~     in previous versions of OpenSSL.

~     The Common Vulnerabilities and Exposures project (cve.mitre.org)
~     assigned the following names to these issues: CVE-2006-2940,
~     CVE-2006-2937, CVE-2006-4343, CVE-2006-4339.

~     Hosted products
~     ---------------
~     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
~     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
~     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
~     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
~     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

~     NOTE: Fusion is not affected by this issue.

~ e.  VIX API default setting changed to a more secure default value

~     Workstation 6.0.2 allowed anonymous console access to the guest by
~     means of the VIX API. This release, Workstation 6.0.3, disables
~     this feature. This means that the Eclipse Integrated Virtual
~     Debugger and the Visual Studio Integrated Virtual Debugger will now
~     prompt for user account credentials to access a guest.

~     Hosted products
~     ---------------
~     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
~     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)

~ f.  Windows 2000 based hosted products privilege escalation
~     vulnerability

~     This release addresses a potential privilege escalation on
~     Windows 2000 hosted products.  Certain services may be improperly
~     registered and present a security vulnerability to Windows 2000
~     machines.

~     VMware would like to thank Ray Hicken for reporting this issue and
~     David Maciejak for originally pointing out these types of
~     vulnerabilities.

~     The Common Vulnerabilities and Exposures project (cve.mitre.org)
~     assigned the name CVE-2007-5618 to this issue.

~     Windows versions of Hosted products
~     ---------------
~     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
~     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
~     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
~     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
~     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

~     NOTE: Fusion and Linux based products are not affected by this
~           issue.

~ g.  DHCP denial of service vulnerability

~     A potential denial of service issue affects DHCP service running
~     on the host.

~     VMware would like to thank Martin O'Neal for reporting this issue.

~     The Common Vulnerabilities and Exposures project (cve.mitre.org)
~     assigned the name CVE-2008-1364 to this issue.

~     Hosted products
~     ---------------
~     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
~     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
~     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)
~     VMware Fusion      1.1 upgrade to version 1.1.1 (Build# 72241)

~     NOTE: This issue doesn't affect the latest versions of VMware
~           Workstation 6, VMware Player 2, and ACE 2 products.

~ h.  Local Privilege Escalation on Windows based platforms by
~     Hijacking VMware VMX configuration file

~     VMware uses a configuration file named "config.ini" which
~     is located in the application data directory of all users.
~     By manipulating this file, a user could gain elevated
~     privileges by hijacking the VMware VMX process.

~     VMware would like to thank Sun Bing for reporting the issue.

~     The Common Vulnerabilities and Exposures project (cve.mitre.org)
~     assigned the name CVE-2008-1363 to this issue.

~     Windows based Hosted products
~     ---------------
~     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
~     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
~     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
~     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
~     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

~ i.  Virtual Machine Communication Interface (VMCI) memory corruption
~     resulting in denial of service

~     VMCI was introduced in VMware Workstation 6.0, VMware Player 2.0,
~     and VMware ACE 2.0.  It is an experimental, optional feature and
~     it may be possible to crash the host system by making specially
~     crafted calls to the VMCI interface.  This may result in denial
~     of service via memory exhaustion and memory corruption.

~     VMware would like to thank Andrew Honig of the Department of
~     Defense for reporting this issue.

~     The Common Vulnerabilities and Exposures project (cve.mitre.org)
~     assigned the name CVE-2008-1340 to this issue.

~     Hosted products
~     ---------------
~     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
~     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)

4. Solution:

Please review the Patch notes for your product and version and verify
the md5sum of your downloaded file.

~  VMware Workstation 6.0.3
~  ------------------------
~  http://www.vmware.com/download/ws/
~  Release notes:
~  http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
~  Windows binary
~  md5sum:  323f054957066fae07735160b73b91e5
~  RPM Installation file for 32-bit Linux
~  md5sum:  c44183ad11082f05593359efd220944e
~  tar Installation file for 32-bit Linux
~  md5sum:  57601f238106cb12c1dea303ad1b4820
~  RPM Installation file for 64-bit Linux
~  md5sum:  e9ba644be4e39556724fa2901c5e94e9
~  tar Installation file for 64-bit Linux
~  md5sum:  d8d423a76f99a94f598077d41685e9a9

~  VMware Workstation 5.5.5
~  ------------------------
~  http://www.vmware.com/download/ws/ws5.html
~  Release notes:
~  http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html
~  Windows binary
~  md5sum:  9c2dd94db5eed93d7f64e8d6ba8d8bd3
~  Compressed Tar archive for 32-bit Linux
~  md5sum:  77401c0842a151f0b2db0b4fcb0d16eb
~  Linux RPM version for 32-bit Linux
~  md5sum:  c222b6db934deb9c1bb79b16b25a3202

~  VMware Server 1.0.5
~  -------------------
~  http://www.vmware.com/download/server/
~  Release notes:
~  http://www.vmware.com/support/server/doc/releasenotes_server.html
~  VMware Server for Windows 32-bit and 64-bit
~  md5sum:  3c4a57310c55e17bf8e4a1059d5b36cc
~  VMware Server Windows client package
~  md5sum:  cb3dd2439203dc510f4d95f06ba59d21
~  VMware Server for Linux
~  md5sum:  161dcbe5af9bbd9834a86bf7c599903e
~  VMware Server for Linux rpm
~  md5sum:  fc3b81ed18b53eda943a992971e9f84a
~  Management Interface
~  md5sum:  dd10d25895d9994bd27ca896152f48ef
~  VMware Server Linux client package
~  md5sum:  aae18f1f7b8811b5499e3a358754d4f8

~  VMware ACE 2.0.3 and 1.0.5
~  --------------------------
~  http://www.vmware.com/download/ace/
~  Windows Release notes:
~  http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html

~  VMware Fusion 1.1.1
~  -------------------
~  http://www.vmware.com/download/fusion/
~  Release notes:
~  http://www.vmware.com/support/fusion/doc/releasenotes_fusion.html
~  md5sum:  38e116ec26b30e7a6ac47c249ef650d0

~  VMware Player 2.0.3 and 1.0.6
~  ----------------------
~  http://www.vmware.com/download/player/
~  Release notes Player 1.x:
~  http://www.vmware.com/support/player/doc/releasenotes_player.html
~  Release notes Player 2.0
~  http://www.vmware.com/support/player2/doc/releasenotes_player2.html
~  2.0.3 Windows binary
~  md5sum:  0c5009d3b569687ae139e13d24c868d3
~  VMware Player 2.0.3 for Linux (.rpm)
~  md5sum:  53502b2112a863356dcd13dd0d8dd8f2
~  VMware Player 2.0.3 for Linux (.tar)
~  md5sum:  2305fcff49bef6e4ad83742412eac978
~  VMware Player 2.0.3 - 64-bit (.rpm)
~  md5sum:  cf945b571c4d96146ede010286fdfca5
~  VMware Player 2.0.3 - 64-bit (.tar)
~  md5sum:  f99c5b293eb87c5f918ad24111565b9f
~  1.0.6 Windows binary
~  md5sum:  895081406c4de5361a1700ec0473e49c
~  Player 1.0.6 for Linux (.rpm)
~  md5sum:  8adb23799dd2014be0b6d77243c76942
~  Player 1.0.6 for Linux (.tar)
~  md5sum:  c358f8e1387fb60863077d6f8a9f7b3f

5. References:

~   CVE numbers
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0923
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1361
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1362
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5618
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1364
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1363
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1340

- -------------------------------------------------------------------
6. Contact:

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

~  * security-announce@xxxxxxxxxxxxxxxx
~  * bugtraq@xxxxxxxxxxxxxxxxx
~  * full-disclosure@xxxxxxxxxxxxxxxxx

E-mail:  security@xxxxxxxxxx

Security web site
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFH3yTxS2KysvBH1xkRCHq8AJ0QOMocv/gSz/hgdojA39PGVO6pUACePCRv
Cv8MnL2bYPyDfYQ3f4IUL+w=
=tFXS
-----END PGP SIGNATURE-----