-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0018
Synopsis:          VMware hosted products and ESX patches resolve
                   multiple security issues
Issue date:        2010-12-02
Updated on:        2010-12-02 (initial release of advisory)
CVE numbers:       CVE-2010-4295 CVE-2010-4296 CVE-2010-4297
                   CVE-2010-4294
- ------------------------------------------------------------------------

1. Summary

VMware hosted products and ESX patches resolve multiple security
issues.

2. Relevant releases

VMware Workstation 7.1.1 and earlier,
VMware Workstation 6.5.4 and earlier,
VMware Player 3.1.1 and earlier,
VMware Player 2.5.4 and earlier,
VMware Fusion 3.1.1 and earlier,

ESXi 4.1 without patch ESXi410-201010402-BG or later
ESXi 4.0 without patch ESXi400-201009402-BG or later
ESXi 3.5 without patch ESXe350-201008402-T-BG or later

ESX 4.1 without patch ESX410-201010405-BG
ESX 4.0 without patch ESX400-201009401-SG
ESX 3.5 without patch ESX350-201008409-BG

Note: VMware Server was declared End Of Availability on January 2010,
support will be limited to Technical Guidance for the duration of the
support term.

3. Problem Description

a. VMware Workstation, Player and Fusion vmware-mount race condition

The way temporary files are handled by the mounting process could
result in a race condition. This issue could allow a local user on
the host to elevate their privileges.

VMware Workstation and Player running on Microsoft Windows are not
affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2010-4295 to this issue.

VMware would like to thank Dan Rosenberg for reporting this issue.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  =======   =================
VirtualCenter  any       Windows   not affected

Workstation    7.x       Linux     7.1.2 Build 301548 or later
Workstation    7.x       Windows   not affected
Workstation    6.5.x     any       not affected

Player         3.1.x     Linux     3.1.2 Build 301548 or later
Player         3.1.x     Windows   not affected
Player         2.5.x     any       not affected

AMS            any       any       not affected

Server         2.0.2     Linux     affected, no patch planned
Server         2.0.2     Windows   not affected

Fusion         3.1.x     Mac OS/X  3.1.2 Build 332101 or later
Fusion         2.x       Mac OS/X  not affected

ESXi           any       ESXi      not affected

ESX            any       ESX       not affected

b. VMware Workstation, Player and Fusion vmware-mount privilege
   escalation

vmware-mount which is a suid binary has a flaw in the way libraries
are loaded. This issue could allow local users on the host to execute
arbitrary shared object files with root privileges.

VMware Workstation and Player running on Microsoft Windows are not
affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2010-4296 to this issue.

VMware would like to thank Martin Carpenter for reporting this issue.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  =======   =================
VirtualCenter  any       Windows   not affected

Workstation    7.x       Linux     7.1.2 Build 301548 or later
Workstation    7.x       Windows   not affected
Workstation    6.5.x     any       not affected

Player         3.1.x     Linux     3.1.2 Build 301548 or later
Player         3.1.x     Windows   not affected
Player         2.5.x     any       not affected

AMS            any       any       not affected

Server         2.0.2     Linux     affected, no patch planned
Server         2.0.2     Windows   not affected

Fusion         3.1.x     Mac OS/X  3.1.2 Build 332101
Fusion         2.x       Mac OS/X  not affected

ESXi           any       ESXi      not affected

ESX            any       ESX       not affected

c. OS Command Injection in VMware Tools update

A vulnerability in the input validation of VMware Tools update allows
for injection of commands. The issue could allow a user on the host
to execute commands on the guest operating system with root
privileges.

The issue can only be exploited if VMware Tools is not fully
up-to-date. Windows-based virtual machines are not affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2010-4297 to this issue.

VMware would like to thank Nahuel Grisolia of Bonsai Information
Security, http://www.bonsai-sec.com, for reporting this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  =======   =================
VirtualCenter  any       Windows   not affected

Workstation    7.x       any       7.1.2 Build 301548 or later
Workstation    6.5.x     any       6.5.5 Build 328052 or later

Player         3.1.x     any       3.1.2 Build 301548 or later
Player         2.5.x     any       2.5.5 Build 328052 or later

AMS            any       any       not affected

Server         2.0.2     any       affected, no patch planned

Fusion         3.1.x     Mac OS/X  3.1.2 Build 332101
Fusion         2.x       Mac OS/X  2.0.8 Build 328035

ESXi           4.1       ESXi      ESXi410-201010402-BG
ESXi           4.0       ESXi      ESXi400-201009402-BG
ESXi           3.5       ESXi      ESXe350-201008402-T-BG **

ESX            4.1       ESX       ESX410-201010405-BG
ESX            4.0       ESX       ESX400-201009401-SG
ESX            3.5       ESX       ESX350-201008409-BG **
ESX            3.0.3     ESX       not affected

* hosted products are VMware Workstation, Player, ACE, Fusion.

** Non Windows-based guest systems on ESXi 3.5 and ESX 3.5 only:
   - Install the relevant ESX patch.
   - Manually upgrade tools in the virtual machine (virtual machine
     users will not be prompted to upgrade tools). Note the VI
     Client may not show that the VMware tools is out of date in the
     summary tab.

d. VMware VMnc Codec frame decompression remote code execution

The VMware movie decoder contains the VMnc media codec that is
required to play back movies recorded with VMware Workstation,
VMware Player and VMware ACE, in any compatible media player. The
movie decoder is installed as part of VMware Workstation, VMware
Player and VMware ACE, or can be downloaded as a stand alone package.

A function in the decoder frame decompression routine implicitly
trusts a size value. An attacker can utilize this to miscalculate a
destination pointer, leading to the corruption of a heap buffer, and
could allow for execution of arbitrary code with the privileges of
the user running an application utilizing the vulnerable codec.

For an attack to be successful the user must be tricked into visiting
a malicious web page or opening a malicious video file on a system
that has the vulnerable version of the VMnc codec installed.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2010-4294 to this issue.

VMware would like to thank Aaron Portnoy and Logan Brown of
TippingPoint DVLabs for reporting this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  =======   =================
VirtualCenter  any       Windows   not affected

Movie Decoder  any       Windows   7.1.2 Build 301548 or later
Movie Decoder  any       Windows   6.5.5 Build 328052 or later

Workstation    7.x       Windows   7.1.2 Build 301548 or later
Workstation    7.x       Linux     not affected
Workstation    6.5.x     Windows   6.5.5 build 328052 or later
Workstation    6.5.x     Linux     not affected

Player         3.x       Windows   3.1.2 Build 301548 or later
Player         3.x       Linux     not affected
Player         2.5.x     Windows   2.5.5 build 246459 or later
Player         2.5.x     Linux     not affected

AMS            any       any       not affected

Server         2.x       Window    affected, no patch planned
Server         2.x       Linux     not affected

Fusion         any       Mac OS/X  not affected

ESXi           any       ESXi      not affected

ESX            any       ESX       not affected

4. Solution

Please review the patch/release notes for your product and version
and verify the md5sum and/or the sha1sum of your downloaded file.

VMware Workstation Movie Decoder
--------------------------------
Workstation 7.1.2 Movie Decoder
  md5sum: a4d761a21670c735d04abb89e674656e
  sha1sum: b66673c30f3b8b8fb18035d08a6255f478be875d

Workstation 6.5.5 Movie Decoder build 328052
  md5sum: 1223bb57d97df39259be2c6c90a65ba6
  sha1sum: 3ae7cdeeeebf6a716ec73f934077545945474ff6

VMware Workstation 7.1.3
------------------------
http://www.vmware.com/download/ws/
Release notes:
http://downloads.vmware.com/support/ws71/doc/releasenotes_ws713.html

Workstation for Windows 32-bit and 64-bit with VMware Tools
  md5sum: 7b9dc01bf733047a00711f5800df6107
  sha1sum: 5f36117c64455f3dff3b7410a0bfc72e41905181

Workstation for Windows 32-bit and 64-bit without VMware Tools
  md5sum: d102006f7a3951dd58325f5b4e151abe
  sha1sum: ccfd70278d3c89b38776d656fa797ca8e9b28d55

Workstation 6.5.5
-----------------
http://www.vmware.com/download/ws/
Release notes:
http://downloads.vmware.com/support/ws65/doc/releasenotes_ws655.html

Workstation for Windows 32-bit and 64-bit
  md5sum: 7bff9b621529efb0de808a45e7821274
  sha1sum: 41af7a9a78717cb85dd30b4d830e99fd5de49cc1

Workstation for Linux 32-bit (rpm)
  md5sum: 17c3f1a0e6ccf2b1e224a5d75c845a47
  sha1sum: 3027b4e2215fae84fa9311f8cd762fee17e89df0

Workstation for Linux 32-bit (bundle)
  md5sum: 7c24811fb999204f144d8b9f50e9fcae
  sha1sum: 18a05e6f4f772b7f0563dbd17596b66d1db8e9fa

Workstation for Linux 64-bit (rpm)
  md5sum: c25c2535d8091c4d46701ed081347901
  sha1sum: f4356bc224ea9805dac2d4b677f88a2f4220353e

Workstation for Linux 64-bit (bundle)
  md5sum: 7012bdaf182d256672ff2eb24b00a40f
  sha1sum: 58ecb2a494d4c7cc663e2028cf76c13d458fecac

VMware Player 3.1.3
-------------------
http://www.vmware.com/download/player/
Release notes:
http://downloads.vmware.com/support/player31/doc/releasenotes_player313.html

VMware Player for Windows 32-bit and 64-bit
  md5sum: bd66a0ab8ae87d5cfa32b8ff44f99d1f
  sha1sum: 8ab358efc97a64639cce83766c35d43b0d662132

VMware Player for Linux 32-bit (bundle)
  md5sum: e5d0bf19a1908262f63a8f88df77f73e
  sha1sum: 4abb87d37706c47a86337ada1d23d390455e4931

VMware Player for Linux 64-bit (bundle)
  md5sum: 18e6aae025ee2ef9f10ce6d9271ce472
  sha1sum: 6608bce64811be4480e667726aefefdc2b71e4e3

VMware Player 2.5.5
-------------------
VMware Player 2.5.5 for Windows 32-bit and 64-bit
  md5sum: 780b2c4e2b1610dea3090b1cd81d5ad7
  sha1sum: f6c451a11a4fe66e5a465de960de1358e83b8314

VMware Player 2.5.5 for Linux 32-bit (rpm)
  md5sum: 9e13ee3904bd2377ffb8cfa66460fe92
  sha1sum: 2482acad19f6b23cf0c236d1ce87d4805b7b0e6c

VMware Player 2.5.5 for Linux 32-bit (bundle)
  MD5SUM: 46dcfe9343f688d60e249d9e9c3853a4
  SHA1SUM: abfdeaf2cac83c630662607e7b95439367376abf

VMware Player 2.5.5 for Linux 64-bit (rpm)
  MD5SUM: 52d6dcdeed9e564c8cfe8c35cec885f0
  SHA1SUM: dbaa6dac55f592b9c6b16d7505796a2580836f4b

VMware Player 2.5.5 for Linux 64-bit (bundle)
  md5sum: 6c9a677820010ccd20f829cb5d2c057b
  sha1sum: ff6eccba3125229e8adbc1cb96764c2f116d89c5

VMware Fusion
-------------
VMware Fusion 3.1.2 build 332101
  md5sum: a809170c9bd55a102c007c20269c4729
  sha1sum: bf56e0f873d8e0d67fd73fba5e597e0931083e03

VMware Fusion Lite 3.1.2 build 332101
  md5sum: d7db517cb25320152723f8535c90dd16
  sha1sum: 555d9bd03327731270acfc851ba15b28ef3f6720

VMware Fusion 2.0.8 (for Intel-based Macs)
  md5sum: 9951d3b7985c39c685d59eaa73fe267c
  sha1sum: 11463924b5a7f82161090416905774da45e1cd3e

VMware Fusion Lite 2.0.8 (for Intel-based Macs)
  md5sum: 0bee2ef0d0e9e543b2468ed9618e32c8
  sha1sum: fa56bb7ea3493d07610051f92b9941305a436a2f

ESXi 4.1
--------
ESXi410-201010001
Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-251-20101108-239087/ESXi410-201010001.zip
  md5sum: 05f1049c7a595481cd682e92fe8d3285
  sha1sum: f6993c185f7d1cb971a4ae6e017e0246b8c25a76
http://kb.vmware.com/kb/1027753

Note ESXi410-201010001 contains the following security fix:
ESXi410-201010402-BG

ESXi 4.0
--------
ESXi400-201009001
Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-241-20100919-436526/ESXi400-201009001.zip
  md5sum: bfc1b78f14d970c556b828492f5920e1
  sha1sum: a311a4af41aa1202bb6b156694bbc045c67df91a
http://kb.vmware.com/kb/1025322

Note ESXi400-201009001 contains the following security fix:
ESXi400-201009402-BG

ESXi 3.5
--------
ESXe350-201008401-O-SG
http://download3.vmware.com/software/vi/ESXe350-201008401-O-SG.zip
  md5sum: a2bb0afbc677ba847bedecb44dbdd4b3
http://kb.vmware.com/kb/1026139

Note ESXe350-201008401-O-SG contains the following security fix:
ESXe350-201008402-T-BG

ESX 4.1
-------
ESX410-201010001
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-252-20101109-182791/ESX410-201010001.zip
  md5sum: ff4435fd3c74764f064e047c6e5e7809
  sha1sum: 322981f4dbb9e5913c8f38684369444ff7e265b3
http://kb.vmware.com/kb/1027027

ESX410-201010001 contains the following security fix:
ESX410-201010405-BG

ESX 4.0
-------
ESX400-201009001
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-240-20100919-359479/ESX400-201009001.zip
  md5sum: 988c593b7a7abf0be5b72970ac64a369
  sha1sum: 26d875955b01c19f4e56703216e135257c08836f
http://kb.vmware.com/kb/1025321

ESX400-201009001 contains the following security fix:
ESX400-201009401-SG

ESX 3.5
-------
ESX350-201008409-BG
http://download3.vmware.com/software/vi/ESX350-201008409-BG.zip
  md5sum: f2c4a4a53695057de25f095029d713fb
http://kb.vmware.com/kb/1026133

5. References

CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4297
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4294

- ------------------------------------------------------------------------
6. Change log

2010-12-02  VMSA-2010-0018
Initial security advisory after release of Workstation 6.5.5,
Player 2.5.5, Fusion 2.0.8 and Fusion 3.1.2 on 2010-12-02, ESX
patches and Workstation 7.1.2 and 7.1.3 were released previously.

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)

iEYEARECAAYFAkz4lXgACgkQS2KysvBH1xn0qgCeO9eTk2xMbdx3Ssr24lCYzlUC
jXoAnjxrD5t4JyuWQftQ9ciZSDpIeZzg
=TEE9
-----END PGP SIGNATURE-----
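
For the verification step in section 4 (Solution), the following is an added example, not part of the VMware advisory: it parses digest entries laid out as in that section (a package line followed by md5sum/sha1sum lines, tolerating label case and spacing differences) and accepts a download only if every listed digest matches. The names `parse_digests` and `verify` and the sample package and payload are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample in the advisory's layout (package line, then digest
# lines); the digests belong to the constructed payload, not to VMware files.
SAMPLE_PAYLOAD = b"constructed installer bytes\n"
SAMPLE_SECTION = """\
Example Package 1.0 (bundle)
MD5SUM: {md5}
SHA1SUM: {sha1}
Example Patch 2.0
md5sum:{md5}
""".format(md5=hashlib.md5(SAMPLE_PAYLOAD).hexdigest(),
           sha1=hashlib.sha1(SAMPLE_PAYLOAD).hexdigest())

DIGEST_LINE = re.compile(r"^\s*(md5sum|sha1sum)\s*:\s*([0-9a-f]+)\s*$", re.I)
HEX_LEN = {"md5sum": 32, "sha1sum": 40}
ALGO = {"md5sum": "md5", "sha1sum": "sha1"}

def parse_digests(section):
    """Map the text line preceding each digest group to its listed digests."""
    entries, current = {}, None
    for line in section.splitlines():
        m = DIGEST_LINE.match(line)
        if m:
            label, value = m.group(1).lower(), m.group(2).lower()
            if current is None or len(value) != HEX_LEN[label]:
                raise ValueError("malformed digest line: %r" % line)
            entries[current][label] = value
        elif line.strip() and not set(line.strip()) <= {"-"}:  # skip underlines
            current = line.strip()
            entries.setdefault(current, {})
    return {name: d for name, d in entries.items() if d}

def verify(fileobj, expected):
    """True only if every listed digest matches; an empty listing is an error."""
    if not expected:
        raise ValueError("no digests listed for this package")
    hashers = {label: hashlib.new(ALGO[label]) for label in expected}
    for chunk in iter(lambda: fileobj.read(1 << 20), b""):  # stream large files
        for h in hashers.values():
            h.update(chunk)
    return all(hmac.compare_digest(hashers[label].hexdigest(), value)
               for label, value in expected.items())
```

Open the downloaded file in binary mode and pass it to `verify` together with the entry for that package. The listed digests are only as trustworthy as the advisory text they are read from, which is what the PGP signature on the advisory covers.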