<<< Date Index >>>     <<< Thread Index >>>

VMSA-2009-0007 VMware Hosted products and ESX and ESXi patches resolve security issues



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2009-0007
Synopsis:          VMware Hosted products and ESX and ESXi patches
                   resolve security issues
Issue date:        2009-05-28
Updated on:        2009-05-28 (initial release of advisory)
CVE numbers:       CVE-2009-1805 CVE-2009-0040 CVE-2008-1382
- ------------------------------------------------------------------------

1. Summary

   VMware Hosted products and ESX and ESXi patches resolve a security
   issue. Update patch 13 for ESX 2.5.5 updates the libpng Service
   Console RPM.

2. Relevant releases

   VMware Workstation 6.5.1 and earlier,
   VMware Player 2.5.1 and earlier,
   VMware ACE 2.5.1 and earlier,
   VMware Server 2.0,
   VMware Server 1.0.8 and earlier,
   VMware Fusion 2.0.1 and earlier.

   VMware ESXi 3.5 without patch ESXe350-200904402-T-BG

   VMware ESX 3.5 without patch ESX350-200904401-BG

   VMware ESX 3.0.3 without patch ESX303-200905401-SG

   VMware ESX 3.0.2 without patch ESX-1008420

   VMware ESX 2.5.5 without update patch 13

   Extended support for ESX 3.0.2 Update 1 ends on 2009-08-08.
   Users should plan to upgrade to ESX 3.0.3 and preferably to
   the newest release available.

   Extended support for ESX 2.5.5 ends on 2010-06-15.  Users should plan
   to upgrade to ESX 3.0.3 and preferably to the newest release
   available.

3. Problem Description

 a. VMware Descheduled Time Accounting driver vulnerability may cause a
    denial of service in Windows based virtual machines.

    The VMware Descheduled Time Accounting Service is an optional,
    experimental service that provides improved guest operating system
    accounting.

    This patch fixes a denial of service vulnerability that could be
    triggered in a virtual machine by an unprivileged, locally
    logged-on user in the virtual machine.

    Virtual machines are affected under the following conditions:

    - The virtual machine is running a Windows operating system.

    - The VMware Descheduled Time Accounting driver is installed
      in the virtual machine. Note that this is an optional (non-
      default) part of the VMware Tools installation.

    - The VMware Descheduled Time Accounting Service is not running
      in the virtual machine

    The VMware Descheduled Time Accounting Service is no longer provided
    in newer versions of VMware Tools, starting with the versions
    released in Fusion 2.0.2 and ESX 4.0.

    However, virtual machines migrated from vulnerable releases will
    still be vulnerable if the three conditions listed above are met,
    until their tools are upgraded.

    Steps needed to remediate this vulnerability:

    Guest systems on VMware Workstation, Player, ACE, Server, Fusion
     - Install the new version of Workstation, Player, ACE, Server,
       Fusion (see below for version information)
     - Upgrade tools in the virtual machine (virtual machine users
       will be prompted to upgrade).

    Guest systems on ESX 3.5, ESXi 3.5, ESX 3.0.2, ESX 3.0.3
     - Install the relevant patches (see below for patch identifiers)
     - Manually upgrade tools in the virtual machine (virtual machine
       users will not be prompted to upgrade).  Note the VI Client will
       not show the VMware tools is out of date in the summary tab.
       Please see http://tinyurl.com/27mpjo page 80 for details.

    Guests systems on ESX 4.0 and ESXi 4.0 that have been migrated from
    ESX 3.5, ESXi 3.5, and ESX 3.0.x
     - Install/upgrade the new tools in the virtual machine (virtual
       machine users will be prompted to upgrade).

    If the Descheduled Time Accounting driver was installed, the tools
    upgrade will result in an updated driver for Workstation, Player,
    ACE, Server, ESX 3.0.2, ESX 3.0.3, ESX 3.5, ESXi 3.5. For Fusion,
    ESX 4.0, and ESXi 4.0 the tools upgrade will result in the removal
    of the driver.

    VMware would like to thank Nikita Tarakanov for reporting this
    issue to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2009-1805 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available. See above for remediation
    details.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Workstation    6.5.x     any      6.5.2 build 156735 or later
    Workstation    6.0.x     any      upgrade to at least 6.5.2

    Player         2.5.x     any      2.5.2 build 156735 or later
    Player         2.0.x     any      upgrade to at least 2.5.2

    ACE            2.5.x     Windows  2.5.2 build 156735 or later
    ACE            2.0.x     Windows  upgrade to at least 2.5.2

    Server         2.x       any      2.0.1 build 156745 or later
    Server         1.x       any      1.0.9 build 156507 or later

    Fusion         2.x       Mac OS/X 2.0.2 build 147997 or later

    ESXi           4.0       ESXi     not affected
    ESXi           3.5       ESXi     ESXe350-200904402-T-BG

    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      ESX350-200904401-BG
    ESX            3.0.3     ESX      ESX303-200905401-SG
    ESX            3.0.2     ESX      ESX-1008420
    ESX            2.5.5     ESX      not affected

 b. Updated libpng package for the ESX 2.5.5 Service Console

    The libpng packages contain a library of functions for creating and
    manipulating PNG (Portable Network Graphics) image format files.

    A flaw was discovered in libpng that could result in libpng trying
    to free() random memory if certain, unlikely error conditions
    occurred. If a carefully-crafted PNG file was loaded by an
    application linked against libpng, it could cause the application
    to crash or, potentially, execute arbitrary code with the
    privileges of the user running the application.

    A flaw was discovered in the way libpng handled PNG images
    containing "unknown" chunks. If an application linked against libpng
    attempted to process a malformed, unknown chunk in a malicious PNG
    image, it could cause the application to crash.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2009-0040 and CVE-2008-1382 to these
    issues.

    The VMware version number of libpng after applying the update is
    libpng-1.0.14-12.i386.rpm.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    hosted *       any       any      not affected

    ESXi           4.0       ESXi     not affected
    ESXi           3.5       ESXi     not affected

    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      not affected
    ESX            3.0.3     ESX      not affected
    ESX            3.0.2     ESX      not affected
    ESX            2.5.5     ESX      Upgrade Patch 13

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum and/or the sha1sum of your downloaded file.

   VMware Workstation 6.5.2
   ------------------------
   http://www.vmware.com/download/ws/
   Release notes:
   http://www.vmware.com/support/ws65/doc/releasenotes_ws652.html

   For Windows

   Workstation for Windows 32-bit and 64-bit
   Windows 32-bit and 64-bit .exe
   md5sum: 8336586b9f9e5180d5279a0b988e82a6
   sha1sum: ccdb6bcb867638e8f4f493bc02c6f70c5ebbb88e

   For Linux

   Workstation for Linux 32-bit
   Linux 32-bit .rpm
   md5sum: 69b039c848f6b2c94948928d8e9057bb
   sha1sum: 37ca77ef550db932cf7b078fcbd6fa0155e3411e

   Workstation for Linux 32-bit
   Linux 32-bit .bundle
   md5sum: 5d4ccf9c23701d09a671f586a9bb4190
   sha1sum: d508111adf479d82049c323b1d0b82200c0ab4dd

   Workstation for Linux 64-bit
   Linux 64-bit .rpm
   md5sum: 19387416e3b597b901dfe84e4a2bcd97
   sha1sum: 0726518abc9a77051d991af570774bae1625ff78

   Workstation for Linux 64-bit
   Linux 64-bit .bundle
   md5sum: 56dfc3adcf96701f440b19a8cf06c3df
   sha1sum: 04aa442a2b9bf2c67d6266a410b20ef146b93bef


   VMware Player 2.5.2
   -------------------
   http://www.vmware.com/download/player/
   Release notes:
   http://www.vmware.com/support/player25/doc/releasenotes_player252.html

   Windows binary

http://download3.vmware.com/software/vmplayer/VMware-player-2.5.2-156735.exe
   md5sum: 01356d729e9b031c8904e9560a02c469

   Player for Linux (.rpm)

http://download3.vmware.com/software/vmplayer/VMware-Player-2.5.2-156735.i386.rpm
   md5sum: aa047047b72de7f4b53d9c2128b53bec

   Player for Linux (.tar)

http://download3.vmware.com/software/vmplayer/VMware-Player-2.5.2-156735.i386.bundle
   md5sum: bd51e8f8ef2417080c6d734f6ea9fb87

   VMware Player 2.5.2 - 64-bit (.rpm)

http://download3.vmware.com/software/vmplayer/VMware-Player-2.5.2-156735.x86_64.rpm
   md5sum: 5b488b97b5091d3980eb74ec0a5c065b

   VMware Player 2.5.2 - 64-bit (.bundle)

http://download3.vmware.com/software/vmplayer/VMware-Player-2.5.2-156735.x86_64.bundle
   md5sum: 25254cd60c4063c2c68a8bf50c2c4869


   VMware ACE 2.5.2
   ----------------
   http://www.vmware.com/download/ace/
   Release notes:
   http://www.vmware.com/support/ace25/doc/releasenotes_ace252.html

   ACE Management Server Virtual Appliance
   AMS Virtual Appliance .zip
   md5sum: 430ff7792d9d490d1678fc22b4c62121
   sha1sum: 98b74e0dba4214b055c95ccea656bfa2731c3fee

   VMware ACE for Windows 32-bit and 64-bit
   Windows 32-bit and 64-bit .exe
   md5sum: 8336586b9f9e5180d5279a0b988e82a6

   ACE Management Server for Windows
   Windows .exe
   md5sum: 44918519a7bac2501b211c9825ed8268
   sha1sum: 97655c824815f7c4e25f6940c708f835ab616da9

   ACE Management Server for SUSE Enterprise Linux 9
   SLES 9 .rpm
   md5sum: 7fcb0409474c7e81accc90f25d80b00e
   sha1sum: 385b254930dd6b8c53e3c805653c1fa1b07a6161

   ACE Management Server for Red Hat Enterprise Linux 4
   RHEL 4 .rpm
   md5sum: 745e3115f8557fa04c2ddaf25320a911
   sha1sum: ef75d572325a32a7582dbb4c352541978d3cebeb


   VMware Server 2.0.1
   -------------------
   http://www.vmware.com/download/server/
   Release notes:
   http://www.vmware.com/support/server2/doc/releasenotes_vmserver201.html

   For Windows

   VMware Server 2
   Version 2.0.1 | 156745 - 03/31/09
   507 MB EXE image VMware Server 2 for Windows Operating Systems. A
   master installer file containing all Windows components of VMware
   Server.
   md5sum: d0eefaa79e42d13a693c4d732a460ba4

   VIX API 1.6 for Windows.
   Version 1.6.2 | 156745 - 03/31/09 37 MB EXE image
   md5sum: ad531ed3c37c0a50fb915981f83ca133

   For Linux

   VMware Server 2 for Linux Operating Systems.
   Version 2.0.1 | 156745 - 03/31/09 465 MB RPM image
   md5sum: eb42331bbd9be30848826b8cab73e0ca

   VMware Server 2 for Linux Operating Systems.
   Version 2.0.1 | 156745 - 03/31/09 466 MB TAR image
   md5sum: be96bc1696f4cef67755bfd2553ce233

   VMware Server 2 for Linux Operating Systems 64-bit version.
   Version 2.0.1 | 156745 - 03/31/09 434 MB RPM image
   md5sum: 697a792c70d50e98a347c06b323bd20b

   The core application needed to run VMware Server 2, 64-bit version.
   Version 2.0.1 | 156745 - 03/31/09 436 MB TAR image
   md5sum: f40498229772910d6a6788b7803f9c38

   VIX API 1.6 for Linux.
   Version 1.6.2 | 156745 - 03/31/09 17 MB TAR image
   md5sum: 2ef6174b90cdd9a2832b57dbe94cfbb1

   64-bit VIX API 1.6 for Linux.
   Version 1.6.2 | 156745 - 03/31/09 21 MB TAR image
   md5sum: 454aeba273f9a89c578223c95b262323


   VMware Server 1.0.9
   -------------------
   http://www.vmware.com/download/server/
   Release notes:
   http://www.vmware.com/support/server/doc/releasenotes_server.html

   VMware Server for Windows 32-bit and 64-bit

http://download3.vmware.com/software/vmserver/VMware-server-installer-1.0.9-156507.exe
   md5sum: 8c650f8a0a0521b69c6aba00d910cfb9

   VMware Server Windows client package

http://download3.vmware.com/software/vmserver/VMware-server-win32-client-1.0.9-156507.zip
   md5sum: c83e673f7422a4f3edaf7d9337cf5d6d

   VMware Server for Linux

http://download3.vmware.com/software/vmserver/VMware-server-1.0.9-156507.tar.gz
   md5sum: ff4b57588514c83b1a828e3b19843ad2

   VMware Server for Linux rpm

http://download3.vmware.com/software/vmserver/VMware-server-1.0.9-156507.i386.rpm
   md5sum: c8fc9e9f948f2807b9f8bfb3ca318f36

   Management Interface

http://download3.vmware.com/software/vmserver/VMware-mui-1.0.9-156507.tar.gz
   md5sum: dbf99faef8bd26e173cf2514d7bea449

   VMware Server Linux client package

http://download3.vmware.com/software/vmserver/VMware-server-linux-client-1.0.9-156507.zip
   md5sum: 7e76a481408454a747bb4d076a6e2524


   VMware Fusion 2.0.4
   -------------------
   http://www.vmware.com/download/fusion/
   VMware Fusion 2.0.4: with McAfee VirusScan Plus 2009
   md5sum:5b63c7ca402588bda6aa590a26d29adf
   sha1sum:e575ada73da996bd00b880ae2d0bfcef2daf9f8e

   VMware Fusion 2.0.4: Download including only VMware
   md5sum:689eaf46746cdc89a595e0ef81b714b3
   sha1sum:46300075feb00df099d5272b984f762416d33791


   ESXi
   ----
   ESXi 3.5 patch ESXe350-200904401-O-SG (ESXe350-200904402-T-BG)
   http://download3.vmware.com/software/vi/ESXe350-200904401-O-SG.zip
   md5sum: 9b11aa16afd676a5190cfd0b68d5a836
   http://kb.vmware.com/kb/1010136

   NOTES: The three ESXi patches for Firmware "I", VMware Tools "T,"
          and the VI Client "C" are contained in a single offline "O"
          download file.

   ESX
   ---
   ESX 3.5 patch ESX350-200904401-BG
   http://download3.vmware.com/software/vi/ESX350-200904401-BG.zip
   md5sum: 01847ced394a0556f99ca4c55b2174bf
   http://kb.vmware.com/kb/1010126

   ESX 3.0.3 patch ESX303-200905401-SG
   http://download3.vmware.com/software/vi/ESX303-200905401-SG.zip
   md5sum: bea33fd046957aa38ce0ed67d6b362ed
   http://kb.vmware.com/kb/1009940

   ESX 3.0.2 patch ESX-1008420
   http://download3.vmware.com/software/vi/ESX-1008420.tgz
   md5sum: 0a63dde5307defd48592d4e8b88f3f48
   http://kb.vmware.com/kb/1008420

   ESX 2.5.5 Upgrade Patch 13
   http://www.vmware.com/support/esx25/doc/esx-255-200905-patch.html
   http://download3.vmware.com/software/esx/esx-2.5.5-161312-upgrade.tar.gz
   md5sum: a477b7819f5a0d4cbd38b98432a48c88
   sha1sum: cceb38898108e48cc5b7e3298a03a369aa783699

5. References
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0040
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1382
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1805


6. Change log

2009-05-28  VMSA-2009-0007
Initial security advisory after release of patches for ESX 2.5.5,
ESX 3.0.2 and ESX 3.0.3. Relevant patches for ESX 3.5 and new versions
of hosted products mentioned above have already been released.
- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2009 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFKH2AAS2KysvBH1xkRAnvdAJ4pvL6zsSEtJW93XPITQ2SNZdiisQCfd51Z
3Fm2uMQVbWD7cgpl2UmscBc=
=/FuM
-----END PGP SIGNATURE-----