VMware Security Advisory 2011-0009 - VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues.
ac81003c8521d9038a00fe7829e93d35f6b931448aaab580b07ed143dc3479bb-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2011-0009
Synopsis: VMware hosted product updates, ESX patches and VI
Client update resolve multiple security issues
Issue date: 2011-06-02
Updated on: 2011-06-02 (initial release of advisory)
CVE numbers: CVE-2009-4536 CVE-2010-1188 CVE-2009-3080 CVE-2010-2240
CVE-2011-2146 CVE-2011-1787 CVE-2011-2145 CVE-2011-2217
- ------------------------------------------------------------------------
1. Summary
VMware hosted product updates, ESX patches and VI Client update
resolve multiple security issues.
2. Relevant releases
VMware Workstation 7.1.3 and earlier.
VMware Player 3.1.3 and earlier.
VMware Fusion 3.1.2 and earlier.
ESXi 4.1 without patch ESXi410-201104402-BG.
ESXi 4.0 without patch ESXi400-201104402-BG.
ESXi 3.5 without patches ESXe350-201105401-I-SG and
ESXe350-201105402-T-SG.
ESX 4.1 without patch ESX410-201104401-SG
ESX 4.0 without patch ESX400-201104401-SG
ESX 3.5 without patches ESX350-201105401-SG,
ESX350-201105404-SG and
ESX350-201105406-SG.
3. Problem Description
a. VMware vmkernel third party e1000 Driver Packet Filter Bypass
There is an issue in the e1000 Linux driver for Intel PRO/1000
adapters that allows a remote attacker to bypass packet filters.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-4536 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
========= ======== ======= =================
vCenter any Windows not affected
hosted* any any not affected
ESXi 4.1 ESXi patch pending
ESXi 4.0 ESXi patch pending
ESXi 3.5 ESXi ESXe350-201105401-I-SG
ESX 4.1 ESX patch pending
ESX 4.0 ESX patch pending
ESX 3.5 ESX ESX350-201105404-SG
ESX 3.0.3 ESX patch pending
* hosted products are VMware Workstation, Player, ACE, Fusion.
b. ESX third party update for Service Console kernel
This update for the console OS kernel package resolves four
security issues.
1) IPv4 Remote Denial of Service
An remote attacker can achieve a denial of service via an
issue in the kernel IPv4 code.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2010-1188 to this
issue.
2) SCSI Driver Denial of Service / Possible Privilege Escalation
A local attacker can achieve a denial of service and
possibly a privilege escalation via a vulnerability in the
Linux SCSI drivers.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2009-3080 to this
issue.
3) Kernel Memory Management Arbitrary Code Execution
A context-dependent attacker can execute arbitrary code via
a vulnerability in a kernel memory handling function.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2010-2240 to this
issue.
4) e1000 Driver Packet Filter Bypass
There is an issue in the Service Console e1000 Linux driver
for Intel PRO/1000 adapters that allows a remote attacker to
bypass packet filters.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2009-4536 to this
issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
========= ======== ======= =================
vCenter any Windows not affected
hosted* any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX not applicable
ESX 4.0 ESX not applicable
ESX 3.5 ESX ESX350-201105401-SG
ESX 3.0.3 ESX patch pending
* hosted products are VMware Workstation, Player, ACE, Fusion.
c. Multiple vulnerabilities in mount.vmhgfs
This patch provides a fix for the following three security
issues in the VMware Host Guest File System (HGFS). None of
these issues affect Windows based Guest Operating Systems.
1) Mount.vmhgfs Information Disclosure
Information disclosure via a vulnerability that allows an
attacker with access to the Guest to determine if a path
exists in the Host filesystem and whether it is a file or
directory regardless of permissions.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2011-2146 to this
issue.
2) Mount.vmhgfs Race Condition
Privilege escalation via a race condition that allows an
attacker with access to the guest to mount on arbitrary
directories in the Guest filesystem and achieve privilege
escalation if they can control the contents of the mounted
directory.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2011-1787 to this
issue.
3) Mount.vmhgfs Privilege Escalation
Privilege escalation via a procedural error that allows an
attacker with access to the guest operating system to gain
write access to an arbitrary file in the Guest filesystem.
This issue only affects Solaris and FreeBSD Guest Operating
Systems.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2011-2145 to this
issue.
VMware would like to thank Dan Rosenberg for reporting these
issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
========= ======== ======= =================
vCenter any Windows not affected
Workstation 7.1.x Linux 7.1.4 or later*
Workstation 7.1.x Windows 7.1.4 or later*
Player 3.1.x Linux 3.1.4 or later*
Player 3.1.x Windows 3.1.4 or later*
AMS any any not affected
Fusion 3.1.x OSX Fusion 3.1.3 or later*
ESXi 4.1 ESXi ESXi410-201104402-BG*
ESXi 4.0 ESXi ESXi400-201104402-BG*
ESXi 3.5 ESXi ESXe350-201105402-T-SG*
ESX 4.1 ESX ESX410-201104401-SG*
ESX 4.0 ESX ESX400-201104401-SG*
ESX 3.5 ESX ESX350-201105406-SG*
ESX 3.0.3 ESX not affected
*After the update is applied VMware Guest Tools must be
updated in any pre-existing non-Windows guest operating
systems.
d. VI Client ActiveX vulnerabilities
VI Client COM objects can be instantiated in Internet Explorer
which may cause memory corruption. An attacker who succeeded in
making the VI Client user visit a malicious Web site could
execute code on the user's system within the security context of
that user.
VMware would like to thank Elazar Broad and iDefense for
reporting this issue to us.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2011-2217 to this issue.
Affected versions.
The vSphere Client which comes with vSphere 4.0 and vSphere 4.1
is not affected. This is any build of vSphere Client Version
4.0.0 and vSphere Client Version 4.1.0.
VI Clients bundled with VMware Infrastructure 3 that are not
affected are:
- VI Client 2.0.2 Build 230598 and higher
- VI Client 2.5 Build 204931 and higher
The issue can be remediated by replacing an affected VI Client
with the VI Client bundled with VirtualCenter 2.5 Update 6 or
VirtualCenter 2.5 Update 6a.
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
VMware Workstation 7.1.4
----------------------------
http://downloads.vmware.com/d/info/desktop_downloads/vmware_workstation/7_0
Release notes:
http://downloads.vmware.com/support/ws71/doc/releasenotes_ws714.html
VMware Workstation for Windows 32-bit and 64-bit with VMware Tools
md5sum: b52d064dff3e9fb009e0637d59b79c44
sha1sum: bf4fe9e901b45e59b33852c4612e90fb77223d64
VMware Workstation for Linux 32-bit with VMware Tools
md5sum: 5f5f25b1cfd8990e46db07788fe0adab
sha1sum: d5b4bfe0d22079988a7777dcc0f87a16b494b5f9
VMware Workstation for Linux 64-bit with VMware Tools
md5sum: 68b424f836f63c12b071a791f80b1593
sha1sum: a7d1f461830db022af8f9d872c980fc59a83c5d6
VMware Fusion 3.1.3
---------------------------
http://downloads.vmware.com/d/info/desktop_downloads/vmware_fusion_for_the_mac/3_0
Release notes:
http://downloads.vmware.com/support/fusion3/doc/releasenotes_fusion_313.html
VMware Fusion for Intel-based Macs
md5sum: f35ac5c15354723468257d2a48dc4f76
sha1sum: 3c849a62c45551fddb16eebf298cef7279d622a9
VMware Player 3.1.4
---------------------------
http://downloads.vmware.com/d/info/desktop_downloads/vmware_player/3_0
Release notes:
https://www.vmware.com/support/player31/doc/releasenotes_player314.html
VMware Player 3.1.4 for 32-bit and 64-bit Windows
md5sum: 29dd5fefe40af929dba40185eb6d4804
sha1sum: ac00488dd9e412beea2366c167ceb87ed262054f
VMware Player 3.1.4 for 32-bit Linux
md5sum: 75a41b63836d19db34f5551846c8b11d
sha1sum: 7350051c0fc781604d1d46bc24003434cbcd3b26
VMware Player 3.1.4 for 64-bit Linux
md5sum: a7fdadfb2af8d9f76571cd06f2439041
sha1sum: 90031375a9c10d9a0a5e32be154c856693ad7526
VMware ESXi 4.1
---------------------------
ESXi410-201104001
Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-276-20110420-682352/ESXi410-201104001.zip
md5sum: 23bd026d6cbca718fe50ed1dd73cfe9d
sha1sum: 82fa6da02a1f37430a15a659254426b3d3a62662
http://kb.vmware.com/kb/1035111
ESXi410-201104001 contains ESXi410-201104402-BG.
VMware ESX 4.1
-------
ESX410-201104001
Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-275-20110420-062017/ESX410-201104001.zip
md5sum: 757c3370ae63c75ef5b2178bd35a4ac3
sha1sum: 95cfdc08e0988b4a0c0c3ea1a1acc1c661979888
http://kb.vmware.com/kb/1035110
Note ESX410-201104001 contains ESX410-201104401-SG.
VMware ESXi 4.0
---------------------------
ESXi400-201104001
Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-278-20110424-080274/ESXi400-201104001.zip
md5sum: 08216b7ba18988f608326e245ac27e98
sha1sum: 508a04532f0af007ce7c9d7693371470ed8257f0
http://kb.vmware.com/kb/1037261
Note ESXi400-201104001 contains ESXi400-201104402-BG.
VMware ESX 4.0
---------------------------
ESX400-201104001
Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-277-20110424-816604/ESX400-201104001.zip
md5sum: 1a305fbf6c751403e56ef4e33cabde06
sha1sum: bc7577cb80e69fbe81e3e9272a182deb42987b3d
http://kb.vmware.com/kb/1037260
Note ESX400-201104001 contains ESX400-201104401-SG.
VMware ESXi 3.5
---------------------------
ESXe350-201105401-O-SG
Download link:
http://download3.vmware.com/software/vi/ESXe350-201105401-O-SG.zip
md5sum: 9bc9296cae1fbecf417f60941590fcb4
sha1sum: d6902377f57e3b05b08c07a810d6b58fa30aa8d5
http://kb.vmware.com/kb/1036403
Note ESXe350-201105401-O-SG contains the following security fixes:
ESXe350-201105402-T-SG and ESXe350-201105401-I-SG
VMware ESX 3.5
---------------------------
ESX350-201105401-SG
Download link:
http://download3.vmware.com/software/vi/ESX350-201105401-SG.zip
md5sum: 2853ca6e75ef5e856ec582151908ad93
sha1sum: c538971d47af4b813348d87bf2f4fa6acd9292f7
http://kb.vmware.com/kb/1036399
ESX350-201105404-SG
Download link:
http://download3.vmware.com/software/vi/ESX350-201105404-SG.zip
md5sum: 7403d4a06e2bdb9cdfb5590432f51bf8
sha1sum: 1700d6175524680b982ca4430cff77b5f7cb15c4
http://kb.vmware.com/kb/1036402
ESX350-201105406-SG
Download link:
http://download3.vmware.com/software/vi/ESX350-201105406-SG.zip
md5sum: 6c695f7d021f751959aec08fed94df11
sha1sum: 83a862c469e7f3334e2a78f6b81d98c02108b708
http://kb.vmware.com/kb/1036754
5. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4536
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2217
- ------------------------------------------------------------------------
6. Change log
2011-06-02 VMSA-2011-0009
Initial security advisory in conjunction with the release of ESX 3.5
patches on 2011-06-02.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2011 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk3oc0wACgkQDEcm8Vbi9kPH3gCfUYnnpB9hqDndLaqfkdf0flCG
aJUAn2q8rO+U/EOVUDtRduvovcqklwNS
=Rk0f
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed