-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2011-0009
Synopsis:          VMware hosted product updates, ESX patches and VI
                   Client update resolve multiple security issues
Issue date:        2011-06-02
Updated on:        2011-06-02 (initial release of advisory)
CVE numbers:       CVE-2009-4536 CVE-2010-1188 CVE-2009-3080
                   CVE-2010-2240 CVE-2011-2146 CVE-2011-1787
                   CVE-2011-2145 CVE-2011-2217
- ------------------------------------------------------------------------

1. Summary

   VMware hosted product updates, ESX patches and VI Client update
   resolve multiple security issues.

2. Relevant releases

   VMware Workstation 7.1.3 and earlier.

   VMware Player 3.1.3 and earlier.

   VMware Fusion 3.1.2 and earlier.

   ESXi 4.1 without patch ESXi410-201104402-BG.

   ESXi 4.0 without patch ESXi400-201104402-BG.

   ESXi 3.5 without patches ESXe350-201105401-I-SG and
   ESXe350-201105402-T-SG.

   ESX 4.1 without patch ESX410-201104401-SG

   ESX 4.0 without patch ESX400-201104401-SG

   ESX 3.5 without patches ESX350-201105401-SG,
   ESX350-201105404-SG and ESX350-201105406-SG.

3. Problem Description

 a. VMware vmkernel third party e1000 Driver Packet Filter Bypass

    There is an issue in the e1000 Linux driver for Intel PRO/1000
    adapters that allows a remote attacker to bypass packet filters.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2009-4536 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware       Product   Running  Replace with/
    Product      Version   on       Apply Patch
    ===========  ========  =======  ======================
    vCenter      any       Windows  not affected

    hosted*      any       any      not affected

    ESXi         4.1       ESXi     patch pending
    ESXi         4.0       ESXi     patch pending
    ESXi         3.5       ESXi     ESXe350-201105401-I-SG

    ESX          4.1       ESX      patch pending
    ESX          4.0       ESX      patch pending
    ESX          3.5       ESX      ESX350-201105404-SG
    ESX          3.0.3     ESX      patch pending

  * hosted products are VMware Workstation, Player, ACE, Fusion.

 b. ESX third party update for Service Console kernel

    This update for the console OS kernel package resolves four
    security issues.

    1) IPv4 Remote Denial of Service

       A remote attacker can achieve a denial of service via an
       issue in the kernel IPv4 code.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2010-1188 to this issue.

    2) SCSI Driver Denial of Service / Possible Privilege Escalation

       A local attacker can achieve a denial of service and possibly a
       privilege escalation via a vulnerability in the Linux SCSI
       drivers.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2009-3080 to this issue.

    3) Kernel Memory Management Arbitrary Code Execution

       A context-dependent attacker can execute arbitrary code via a
       vulnerability in a kernel memory handling function.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2010-2240 to this issue.

    4) e1000 Driver Packet Filter Bypass

       There is an issue in the Service Console e1000 Linux driver for
       Intel PRO/1000 adapters that allows a remote attacker to bypass
       packet filters.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2009-4536 to this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware       Product   Running  Replace with/
    Product      Version   on       Apply Patch
    ===========  ========  =======  ======================
    vCenter      any       Windows  not affected

    hosted*      any       any      not affected

    ESXi         any       ESXi     not affected

    ESX          4.1       ESX      not applicable
    ESX          4.0       ESX      not applicable
    ESX          3.5       ESX      ESX350-201105401-SG
    ESX          3.0.3     ESX      patch pending

  * hosted products are VMware Workstation, Player, ACE, Fusion.

 c. Multiple vulnerabilities in mount.vmhgfs

    This patch provides a fix for the following three security
    issues in the VMware Host Guest File System (HGFS). None of these
    issues affect Windows based Guest Operating Systems.

    1) Mount.vmhgfs Information Disclosure

       Information disclosure via a vulnerability that allows an
       attacker with access to the Guest to determine if a path exists
       in the Host filesystem and whether it is a file or directory
       regardless of permissions.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2011-2146 to this issue.

    2) Mount.vmhgfs Race Condition

       Privilege escalation via a race condition that allows an
       attacker with access to the guest to mount on arbitrary
       directories in the Guest filesystem and achieve privilege
       escalation if they can control the contents of the mounted
       directory.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2011-1787 to this issue.

    3) Mount.vmhgfs Privilege Escalation

       Privilege escalation via a procedural error that allows an
       attacker with access to the guest operating system to gain
       write access to an arbitrary file in the Guest filesystem. This
       issue only affects Solaris and FreeBSD Guest Operating Systems.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2011-2145 to this issue.

    VMware would like to thank Dan Rosenberg for reporting these
    issues.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware       Product   Running  Replace with/
    Product      Version   on       Apply Patch
    ===========  ========  =======  =======================
    vCenter      any       Windows  not affected

    Workstation  7.1.x     Linux    7.1.4 or later*
    Workstation  7.1.x     Windows  7.1.4 or later*

    Player       3.1.x     Linux    3.1.4 or later*
    Player       3.1.x     Windows  3.1.4 or later*

    AMS          any       any      not affected

    Fusion       3.1.x     OSX      Fusion 3.1.3 or later*

    ESXi         4.1       ESXi     ESXi410-201104402-BG*
    ESXi         4.0       ESXi     ESXi400-201104402-BG*
    ESXi         3.5       ESXi     ESXe350-201105402-T-SG*

    ESX          4.1       ESX      ESX410-201104401-SG*
    ESX          4.0       ESX      ESX400-201104401-SG*
    ESX          3.5       ESX      ESX350-201105406-SG*
    ESX          3.0.3     ESX      not affected

  * After the update is applied VMware Guest Tools must be updated in
    any pre-existing non-Windows guest operating systems.

 d. VI Client ActiveX vulnerabilities

    VI Client COM objects can be instantiated in Internet Explorer
    which may cause memory corruption. An attacker who succeeded in
    making the VI Client user visit a malicious Web site could execute
    code on the user's system within the security context of that
    user.

    VMware would like to thank Elazar Broad and iDefense for reporting
    this issue to us.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2011-2217 to this issue.

    Affected versions.

    The vSphere Client which comes with vSphere 4.0 and vSphere 4.1
    is not affected. This is any build of vSphere Client Version
    4.0.0 and vSphere Client Version 4.1.0.

    VI Clients bundled with VMware Infrastructure 3 that are not
    affected are:
    - VI Client 2.0.2 Build 230598 and higher
    - VI Client 2.5 Build 204931 and higher

    The issue can be remediated by replacing an affected VI Client
    with the VI Client bundled with VirtualCenter 2.5 Update 6 or
    VirtualCenter 2.5 Update 6a.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   VMware Workstation 7.1.4
   ----------------------------
   http://downloads.vmware.com/d/info/desktop_downloads/vmware_workstation/7_0
   Release notes:
   http://downloads.vmware.com/support/ws71/doc/releasenotes_ws714.html

   VMware Workstation for Windows 32-bit and 64-bit with VMware Tools
   md5sum: b52d064dff3e9fb009e0637d59b79c44
   sha1sum: bf4fe9e901b45e59b33852c4612e90fb77223d64

   VMware Workstation for Linux 32-bit with VMware Tools
   md5sum: 5f5f25b1cfd8990e46db07788fe0adab
   sha1sum: d5b4bfe0d22079988a7777dcc0f87a16b494b5f9

   VMware Workstation for Linux 64-bit with VMware Tools
   md5sum: 68b424f836f63c12b071a791f80b1593
   sha1sum: a7d1f461830db022af8f9d872c980fc59a83c5d6

   VMware Fusion 3.1.3
   ---------------------------
   http://downloads.vmware.com/d/info/desktop_downloads/vmware_fusion_for_the_mac/3_0
   Release notes:
   http://downloads.vmware.com/support/fusion3/doc/releasenotes_fusion_313.html

   VMware Fusion for Intel-based Macs
   md5sum: f35ac5c15354723468257d2a48dc4f76
   sha1sum: 3c849a62c45551fddb16eebf298cef7279d622a9

   VMware Player 3.1.4
   ---------------------------
   http://downloads.vmware.com/d/info/desktop_downloads/vmware_player/3_0
   Release notes:
   https://www.vmware.com/support/player31/doc/releasenotes_player314.html

   VMware Player 3.1.4 for 32-bit and 64-bit Windows
   md5sum: 29dd5fefe40af929dba40185eb6d4804
   sha1sum: ac00488dd9e412beea2366c167ceb87ed262054f

   VMware Player 3.1.4 for 32-bit Linux
   md5sum: 75a41b63836d19db34f5551846c8b11d
   sha1sum: 7350051c0fc781604d1d46bc24003434cbcd3b26

   VMware Player 3.1.4 for 64-bit Linux
   md5sum: a7fdadfb2af8d9f76571cd06f2439041
   sha1sum: 90031375a9c10d9a0a5e32be154c856693ad7526

   VMware ESXi 4.1
   ---------------------------
   ESXi410-201104001
   Download link:
   https://hostupdate.vmware.com/software/VUM/OFFLINE/release-276-20110420-682352/ESXi410-201104001.zip
   md5sum: 23bd026d6cbca718fe50ed1dd73cfe9d
   sha1sum: 82fa6da02a1f37430a15a659254426b3d3a62662
   http://kb.vmware.com/kb/1035111

   ESXi410-201104001 contains ESXi410-201104402-BG.

   VMware ESX 4.1
   -------
   ESX410-201104001
   Download link:
   https://hostupdate.vmware.com/software/VUM/OFFLINE/release-275-20110420-062017/ESX410-201104001.zip
   md5sum: 757c3370ae63c75ef5b2178bd35a4ac3
   sha1sum: 95cfdc08e0988b4a0c0c3ea1a1acc1c661979888
   http://kb.vmware.com/kb/1035110

   Note ESX410-201104001 contains ESX410-201104401-SG.

   VMware ESXi 4.0
   ---------------------------
   ESXi400-201104001
   Download link:
   https://hostupdate.vmware.com/software/VUM/OFFLINE/release-278-20110424-080274/ESXi400-201104001.zip
   md5sum: 08216b7ba18988f608326e245ac27e98
   sha1sum: 508a04532f0af007ce7c9d7693371470ed8257f0
   http://kb.vmware.com/kb/1037261

   Note ESXi400-201104001 contains ESXi400-201104402-BG.

   VMware ESX 4.0
   ---------------------------
   ESX400-201104001
   Download link:
   https://hostupdate.vmware.com/software/VUM/OFFLINE/release-277-20110424-816604/ESX400-201104001.zip
   md5sum: 1a305fbf6c751403e56ef4e33cabde06
   sha1sum: bc7577cb80e69fbe81e3e9272a182deb42987b3d
   http://kb.vmware.com/kb/1037260

   Note ESX400-201104001 contains ESX400-201104401-SG.

   VMware ESXi 3.5
   ---------------------------
   ESXe350-201105401-O-SG
   Download link:
   http://download3.vmware.com/software/vi/ESXe350-201105401-O-SG.zip
   md5sum: 9bc9296cae1fbecf417f60941590fcb4
   sha1sum: d6902377f57e3b05b08c07a810d6b58fa30aa8d5
   http://kb.vmware.com/kb/1036403

   Note ESXe350-201105401-O-SG contains the following security fixes:
   ESXe350-201105402-T-SG and ESXe350-201105401-I-SG

   VMware ESX 3.5
   ---------------------------
   ESX350-201105401-SG
   Download link:
   http://download3.vmware.com/software/vi/ESX350-201105401-SG.zip
   md5sum: 2853ca6e75ef5e856ec582151908ad93
   sha1sum: c538971d47af4b813348d87bf2f4fa6acd9292f7
   http://kb.vmware.com/kb/1036399

   ESX350-201105404-SG
   Download link:
   http://download3.vmware.com/software/vi/ESX350-201105404-SG.zip
   md5sum: 7403d4a06e2bdb9cdfb5590432f51bf8
   sha1sum: 1700d6175524680b982ca4430cff77b5f7cb15c4
   http://kb.vmware.com/kb/1036402

   ESX350-201105406-SG
   Download link:
   http://download3.vmware.com/software/vi/ESX350-201105406-SG.zip
   md5sum: 6c695f7d021f751959aec08fed94df11
   sha1sum: 83a862c469e7f3334e2a78f6b81d98c02108b708
   http://kb.vmware.com/kb/1036754

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4536
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1188
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3080
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2240
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2146
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1787
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2145
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2217

- ------------------------------------------------------------------------

6. Change log

   2011-06-02  VMSA-2011-0009
   Initial security advisory in conjunction with the release of ESX 3.5
   patches on 2011-06-02.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     * security-announce at lists.vmware.com
     * bugtraq at securityfocus.com
     * full-disclosure at lists.grok.org.uk

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html

   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html

   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html

   Copyright 2011 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3oc0wACgkQDEcm8Vbi9kPH3gCfUYnnpB9hqDndLaqfkdf0flCG
aJUAn2q8rO+U/EOVUDtRduvovcqklwNS
=Rk0f
-----END PGP SIGNATURE-----
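
Added example (not part of VMware's advisory): one way to carry out the checksum step from section 4 for the ESX/ESXi bundles, checking a downloaded file against both the md5sum and sha1sum values published above. The function names are this example's own, and the hosted-product installers are left out because the advisory gives no file names for them.

```python
import hashlib
import os
import sys

# (md5, sha1) pairs copied from section 4 of the advisory, keyed by the file
# name at the end of each download link.
ADVISORY_DIGESTS = {
    "ESXi410-201104001.zip": ("23bd026d6cbca718fe50ed1dd73cfe9d",
                              "82fa6da02a1f37430a15a659254426b3d3a62662"),
    "ESX410-201104001.zip": ("757c3370ae63c75ef5b2178bd35a4ac3",
                             "95cfdc08e0988b4a0c0c3ea1a1acc1c661979888"),
    "ESXi400-201104001.zip": ("08216b7ba18988f608326e245ac27e98",
                              "508a04532f0af007ce7c9d7693371470ed8257f0"),
    "ESX400-201104001.zip": ("1a305fbf6c751403e56ef4e33cabde06",
                             "bc7577cb80e69fbe81e3e9272a182deb42987b3d"),
    "ESXe350-201105401-O-SG.zip": ("9bc9296cae1fbecf417f60941590fcb4",
                                   "d6902377f57e3b05b08c07a810d6b58fa30aa8d5"),
    "ESX350-201105401-SG.zip": ("2853ca6e75ef5e856ec582151908ad93",
                                "c538971d47af4b813348d87bf2f4fa6acd9292f7"),
    "ESX350-201105404-SG.zip": ("7403d4a06e2bdb9cdfb5590432f51bf8",
                                "1700d6175524680b982ca4430cff77b5f7cb15c4"),
    "ESX350-201105406-SG.zip": ("6c695f7d021f751959aec08fed94df11",
                                "83a862c469e7f3334e2a78f6b81d98c02108b708"),
}


def file_digests(path, chunk_size=1 << 20):
    """Stream the file once and return (md5_hex, sha1_hex)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_download(path, published=ADVISORY_DIGESTS):
    """Return 'ok', 'mismatch' or 'unknown' for one downloaded bundle."""
    expected = published.get(os.path.basename(path))
    if expected is None:
        return "unknown"  # file name is not one this advisory lists
    # Both digests must match; a truncated or altered download fails here.
    wanted = tuple(value.strip().lower() for value in expected)
    return "ok" if file_digests(path) == wanted else "mismatch"


if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, verify_download(name))
```

The published digests are only as trustworthy as the copy of the advisory they were read from, which is what the PGP signature on the message authenticates.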