<<< Date Index >>>     <<< Thread Index >>>

VMSA-2008-0016 VMware Hosted products, VirtualCenter Update 3 and patches for ESX and ESXi resolve multiple security issues



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2008-0016
Synopsis:          VMware Hosted products, VirtualCenter Update 3 and
patches for ESX and ESXi resolve multiple security issues
Issue date:        2008-10-03
Updated on:        2008-10-03 (initial release of advisory)
CVE numbers:       CVE-2008-4279 CVE-2008-4278 CVE-2008-3103
                   CVE-2008-3104 CVE-2008-3105 CVE-2008-3106
                   CVE-2008-3107 CVE-2008-3108 CVE-2008-3109
                   CVE-2008-3110 CVE-2008-3111 CVE-2008-3112
                   CVE-2008-3113 CVE-2008-3114 CVE-2008-3115
- ------------------------------------------------------------------------

1. Summary

   VMware addresses a in-guest privilege escalation on 64-bit guest
   operating systems in ESX, ESXi, and previously released versions of
   our hosted product line.  Updated VMware VirtualCenter Update 3
   addresses potential information disclosure and updates Java JRE
   packages.

2. Relevant releases

   VirtualCenter 2.5 before Update 3 build 119838

   VMware Workstation 6.0.4 and earlier,
   VMware Workstation 5.5.7 and earlier,
   VMware Player 2.0.4 and earlier,
   VMware Player 1.0.7 and earlier,
   VMware ACE 2.0.4 and earlier,
   VMware ACE 1.0.6 and earlier,
   VMware Server 1.0.6 and earlier,

   VMware ESXi 3.5 without patch ESXe350-200809401-I-SG

   ESX 3.5 without patch ESX350-200809404-SG

   ESX 3.0.3 without patch ESX303-200809401-SG
   ESX 3.0.2 without patch ESX-1006361
   ESX 3.0.1 without patch ESX-1006678

   NOTE: Hosted products VMware Workstation 5.x, VMware Player 1.x,
         and VMware ACE 1.x will reach end of general support
         2008-11-09. Customers should plan to upgrade to the latest
         version of their respective products.

         Extended support (Security and Bug fixes) for ESX 3.0.2 ends
         on 10/29/2008 and Extended support for ESX 3.0.2 Update 1
         ends on 8/8/2009.  Users should plan to upgrade to ESX 3.0.3
         and preferably to the newest release available.

         Extended Support (Security and Bug fixes) for ESX 3.0.1 has
         ended on 2008-07-31.

3. Problem Description

  a.  Privilege escalation on 64-bit guest operating systems

    VMware products emulate hardware functions, like CPU, Memory, and
    IO.

    A flaw in VMware's CPU hardware emulation could allow the
    virtual CPU to jump to an incorrect memory address. Exploitation of
    this issue on the guest operating system does not lead to a
    compromise of the host system but could lead to a privilege
    escalation on guest operating system.  An attacker would need to
    have a user account on the guest operating system.

    Affected
    64-bit Windows and 64-bit FreeBSD guest operating systems and
    possibly other 64-bit operating systems. The issue does not
    affect the 64-bit versions of Linux guest operating systems.

    VMware would like to thank Derek Soeder for discovering
    this issue and working with us on its remediation.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2008-4279 this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Workstation    6.5.x     any      not affected
    Workstation    6.0.x     any      6.0.5 build 109488 or later
    Workstation    5.x       any      5.5.8 build 108000 or later

    Player         2.5.x     any      not affected
    Player         2.0.x     any      2.0.5 build 109488 or later
    Player         1.x       any      1.0.8 build  or later

    ACE            2.5.x     Windows  not affected
    ACE            2.0.x     Windows  not affected
    ACE            1.x       Windows  not affected

    Server         2.x       any      not affected
    Server         1.x       any      1.0.7 build 108231 or later

    Fusion         2.x       Mac OS/X not affected
    Fusion         1.x       Mac OS/X not affected

    ESXi           3.5       ESXi     ESXe350-200809401-I-SG

    ESX            3.5       ESX      ESX350-200809404-SG
    ESX            3.0.3     ESX      ESX303-200809401
    ESX            3.0.2     ESX      ESX-1006361
    ESX            3.0.1     ESX      ESX-1006678
    ESX            2.5.5     ESX      not affected
    ESX            2.5.4     ESX      not affected

    NOTE: The set of guest operating systems which is affected by
          this issue is a subset of 64-bit operating systems
          (see above for details)

 b. Update for VirtualCenter fixes a potential information disclosure

   This release resolves an issue where a user's password could be
   displayed in cleartext. When logging into VirtualCenter Server 2.0
   with Virtual Infrastructure Client 2.5, the user password might be
   displayed if it contains certain special characters. The dialog
   box displaying the password can appear in front or hidden behind
   other windows.

   To remediate this issue the VirtualCenter client installations must
   be updated after updating to VirtualCenter Update 3

   VMware would like to thank Mark Woollatt for reporting this issue
   to VMware.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2008-4278 to this issue.

   The following table lists what action remediates the vulnerability
   (column 4) if a solution is available.

   VMware    Product   Running  Replace with/
   Product   Version   on       Apply Patch
   ========  ========  =======  =======================
   Virtual-  2.5       Windows  Update 3 build 119838
   Center
   Virtual-  2.0.2     Windows  not affected
   Center

   hosted *  any       any      not affected

   ESXi      3.5       ESXi     not affected

   ESX       3.5       ESX      not affected
   ESX       3.0.3     ESX      not affected
   ESX       3.0.2     ESX      not affected
   ESX       3.0.1     ESX      not affected
   ESX       2.5.5     ESX      not affected
   ESX       2.5.4     ESX      not affected

   * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 c. Update for VirtualCenter updates JRE to version 1.5.0_16

   Update for VirtualCenter updates the JRE package to version 1.5.0_16,
   which addresses multiple security issues that existed in the previous
   version of JRE.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2008-3103, CVE-2008-3104, CVE-2008-3105,
   CVE-2008-3106, CVE-2008-3107, CVE-2008-3108, CVE-2008-3109,
   CVE-2008-3110, CVE-2008-3111, CVE-2008-3112, CVE-2008-3113,
   CVE-2008-3114, CVE-2008-3115 to the security issues fixed in
   JRE 1.5.0_16.

   The following table lists what action remediates the vulnerability
   (column 4) if a solution is available.

   VMware    Product   Running  Replace with/
   Product   Version   on       Apply Patch
   ========  ========  =======  =======================
   Virtual-  2.5       Windows  Update 3 build 119838
   Center
   Virtual-  2.0.2     Windows  affected, patch pending
   Center

   hosted *  any       any      not affected

   ESXi      3.5       ESXi     not affected

   ESX       3.5       ESX      affected, patch pending
   ESX       3.0.3     ESX      affected, patch pending
   ESX       3.0.2     ESX      affected, patch pending
   ESX       3.0.1     ESX      affected, patch pending
   ESX       2.5.5     ESX      not affected
   ESX       2.5.4     ESX      not affected

   * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 Notes: These vulnerabilities can be exploited remotely only if the
        attacker has access to the Service Console network.
        Security best practices provided by VMware recommend that the
        Service Console be isolated from the VM network. Please see
        http://www.vmware.com/resources/techresources/726 for more
        information on VMware security best practices.

        The currently installed version of JRE depends on your patch
        deployment history.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   VirtualCenter
   -------------
   VMware VirtualCenter 2.5 Update 3 build 119838
   http://www.vmware.com/download/download.do?downloadGroup=VC250U3
   DVD iso image
   md5sum: 100161907e702ec745f8449f4958b1c4
   Zip file
   md5sum: 5ccc8e915044c046554e39390c2c142a
   Release Notes
   http://www.vmware.com/support/vi3/doc/vi3_vc25u3_rel_notes.html

   VMware Workstation 6.0.5
   ------------------------
   http://www.vmware.com/download/ws/
   Release notes:
   http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html

   Windows binary
   md5sum: 46b4c54f0493f59f52ac6c2965296859

   RPM Installation file for 32-bit Linux
   md5sum: 49ebfbd05d146ecc43262622ab746f03

   tar Installation file for 32-bit Linux
   md5sum: 14ac93bffeee72528629d4caecc5ef37

   RPM Installation file for 64-bit Linux
   md5sum: 0a856f1a1a31ba3c4b08bcf85d97ccf6

   tar Installation file for 64-bit Linux
   md5sum: 3b459254069d663e9873a661bc97cf6c

   VMware Workstation 5.5.8
   ------------------------
   http://www.vmware.com/download/ws/ws5.html
   Release notes:
   http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html

   Windows binary:
   md5sum: 745c3250e5254eaf6e65fcfc4172070f

   Compressed Tar archive for 32-bit Linux
   md5sum: 65a454749d15d4863401619d7ff5566e

   Linux RPM version for 32-bit Linux
   md5sum: d80adc73b1500bdb0cb24d1b0733bcff


   VMware Player 2.0.5 and 1.0.8
   -----------------------------
   http://www.vmware.com/download/player/
   Release notes Player 1.x:
   http://www.vmware.com/support/player/doc/releasenotes_player.html
   Release notes Player 2.0
   http://www.vmware.com/support/player2/doc/releasenotes_player2.html

   2.0.5 Windows binary
   md5sum: 60265438047259b23ff82fdfe737f969

   VMware Player 2.0.5 for Linux (.rpm)
   md5sum: 3bc81e203e947e6ca5b55b3f33443d34

   VMware Player 2.0.5 for Linux (.tar)
   md5sum: f499603d790edc5aa355e45b9c5eae01

   VMware Player 2.0.5 - 64-bit (.rpm)
   md5sum: 85bc2f11d06c362feeff1a64ee5a6834

   VMware Player 2.0.5 - 64-bit (.tar)
   md5sum: b74460bb961e88817884c7e2c0f30215

   1.0.8 Windows binary
   md5sum: e5f927304925297a7d869f74b7b9b053

   Player 1.0.8 for Linux (.rpm)
   md5sum: a13fdb8d72b661cefd24e7dcf6e2a990

   Player 1.0.8 for Linux (.tar)
   md5sum: 99fbe861253eec5308d8c47938e8ad1e


   VMware ACE 2.0.5
   ----------------
   http://www.vmware.com/download/ace/
   Release notes 2.0:
   http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html

   ACE Manager Server Virtual Appliance
   Virtual Appliance for the ACE Management Server
   md5sum: 41e7349f3b6568dffa23055bb629208d

   ACE for Window 32-bit and 64-bit
   Main installation file for Windows 32-bit and 64-bit host (ACE Option
   Page key required for enabling ACE authoring)
   md5sum: 46b4c54f0493f59f52ac6c2965296859

   ACE Management Server for Windows
   ACE Management Server installation file for Windows
   md5sum: 33a015c4b236329bcb7e12c82271c417

   ACE Management Server for Red Hat Enterprise Linux 4
   ACE Management Server installation file for Red Hat Enterprise Linux 4
   md5sum: dc3bd89fd2285f41ed42f8b28cd5535f

   ACE Management Server for SUSE Enterprise Linux 9
   ACE Management Server installation file for SUSE Enterprise Linux 9
   md5sum: 2add6a4fc97e1400fb2f94274ce0dce0

   VMware ACE 1.0.7
   ----------------
   http://www.vmware.com/download/ace/
   Release notes:
   http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html
   md5sum: 42d806cddb8e9f905722aeac19740f33


   VMware Server 1.0.7
   -------------------
   http://www.vmware.com/download/server/
   Release notes:
   http://www.vmware.com/support/server/doc/releasenotes_server.html

   VMware Server for Windows 32-bit and 64-bit
   md5sum: 2e2ee5ebe08ae48eac5e661cad01acf6

   VMware Server Windows client package
   md5sum: ce7d906a5a8de37cbc20db4332de1adb

   VMware Server for Linux
   md5sum: 04f201122b16222cd58fc81ca814ff8c

   VMware Server for Linux rpm
   md5sum: 6bae706df040c35851823bc087597d8d

   Management Interface
   md5sum: e67489bd2f23bcd4a323d19df4e903e8

   VMware Server Linux client package
   md5sum: 99f1107302111ffd3f766194a33d492b


   ESXi
   ----
   ESXi 3.5 patch ESXe350-200809401-I-SG
   http://download3.vmware.com/software/esx/ESXe350-200809401-O-SG.zip
   md5sum: 0eadf92eaf0d721e63200348a53e0469
   http://kb.vmware.com/kb/1007090

   NOTE: ESXe350-200809401-O-SG contains the following patch bundles:
         ESXe350-200809401-I-SG ESXe350-200808202-T-UG
         ESXe350-200808203-C-UG

   ESX
   ---
   ESX 3.5 patch ESX350-200809404-SG
   http://download3.vmware.com/software/esx/ESX350-200809404-SG.zip
   md5sum: ee7e7f09e3a1e0aa4cc4b042a9a91a22
   http://kb.vmware.com/kb/1007089

   ESX 3.0.3 patch ESX303-200809401
   http://download3.vmware.com/software/vi/ESX303-200809401-SG.zip
   md5sum: e3be0f0f0b8a3ae612d99db2fa79c9e8
   http://kb.vmware.com/kb/1006673

   ESX 3.0.2 patch ESX-1006361
   http://download3.vmware.com/software/vi/ESX-1006361.tgz
   md5sum: f5c997ee045ba190e41f75b65e67c309
   http://kb.vmware.com/kb/1006361

   ESX 3.0.1 patch ESX-1006678
   http://download3.vmware.com/software/vi/ESX-1006678.tgz
   md5sum: 68e43b272569693b1f54fd206b2a89ca
   http://kb.vmware.com/kb/1006678

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4279
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4278
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3103
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3104
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3105
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3106
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3107
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3108
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3109
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3110
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3111
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3112
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3113
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3114
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3115

- ------------------------------------------------------------------------
6. Change log

2008-10-03  VMSA-2008-0016
Initial security advisory after release of ESX 3.5 and ESXi patches and
VirtualCenter 2.5 Update 3 on 2008-10-03. Relevant patches for ESX 3.0.x
came out on 2008-09-30.  Hosted releases were on 2008-08-28, see
VMSA-2008-0014 for details.

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEAREIAAYFAkjmyjYACgkQS2KysvBH1xkdQQCfWgCAtw7u5nEaScAZheYn4Lea
4hUAnjhb/kF2O/QxnvlAzH22aCUOGRfj
=pwPz
-----END PGP SIGNATURE-----