-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2012-0009 Synopsis: VMware Workstation, Player, ESXi and ESX patches address critical security issues Issue date: 2012-05-03 Updated on: 2012-05-03 (initial advisory) CVE numbers: CVE-2012-1516, CVE-2012-1517, CVE-2012-2448, CVE-2012-2449, CVE-2012-2450 ----------------------------------------------------------------------- 1. Summary VMware Workstation, Player, ESXi and ESX patches address critical security issues 2. Relevant releases Workstation 8.0.2 Player 4.0.2 Fusion 4.1.2 ESXi 5.0 without patch ESXi500-201205401-SG ESXi 4.1 without patches ESXi410-201205401-SG, ESXi410-201110201-SG, ESXi410-201201401-SG ESXi 4.0 without patches ESXi400-201105201-UG, ESXi400-201205401-SG ESXi 3.5 without patch ESXe350-201205401-I-SG ESX 4.1 without patches ESX410-201205401-SG, ESX410-201110201-SG, ESX410-201201401-SG ESX 4.0 without patches ESX400-201105201-UG, ESX400-201205401-SG ESX 3.5 without patch ESX350-201205401-SG 3. Problem Description a. VMware host memory overwrite vulnerability (data pointers) Due to a flaw in the handler function for RPC commands, it is possible to manipulate data pointers within the VMX process. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. Workaround - Configure virtual machines to use less than 4 GB of memory. Virtual machines that have less than 4GB of memory are not affected. Mitigation - Do not allow untrusted users access to your virtual machines. Root or Administrator level permissions are not required to exploit this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1516 to this issue. VMware would like to thank Derek Soeder of Ridgeway Internet Security, L.L.C. for reporting this issue to us. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected Workstation 8.x any not affected Player 4.x any not affected Fusion 4.x Mac OS/X not affected ESXi 5.0 ESXi not affected ESXi 4.1 ESXi ESXi410-201110201-SG ESXi 4.0 ESXi ESXi400-201105201-UG ESXi 3.5 ESXi ESXe350-201205401-I-SG ESX 4.1 ESX ESX410-201110201-SG ESX 4.0 ESX ESX400-201105201-UG ESX 3.5 ESX ESX350-201205401-SG b. VMware host memory overwrite vulnerability (function pointers) Due to a flaw in the handler function for RPC commands, it is possible to manipulate function pointers within the VMX process. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. Workaround - None identified Mitigation - Do not allow untrusted users access to your virtual machines. Root or Administrator level permissions are not required to exploit this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1517 to this issue. VMware would like to thank Derek Soeder of Ridgeway Internet Security, L.L.C. for reporting this issue to us. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected Workstation 8.x any not affected Player 4.x any not affected Fusion 4.x Mac OS/X not affected ESXi 5.0 ESXi not affected ESXi 4.1 ESXi ESXi410-201201401-SG ESXi 4.0 ESXi not affected ESXi 3.5 ESXi not affected ESX 4.1 ESX ESX410-201201401-SG ESX 4.0 ESX not affected ESX 3.5 ESX not affected c. ESX NFS traffic parsing vulnerability Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic. Workaround - None identified Mitigation - Connect only to trusted NFS servers - Segregate the NFS network - Harden your NFS server The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2448 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected Workstation 8.x any not affected Player 4.x any not affected Fusion 4.x Mac OS/X not affected ESXi 5.0 ESXi ESXi500-201205401-SG ESXi 4.1 ESXi ESXi410-201205401-SG ESXi 4.0 ESXi ESXi400-201205401-SG ESXi 3.5 ESXi ESXe350-201205401-I-SG ESX 4.1 ESX ESX410-201205401-SG ESX 4.0 ESX ESX400-201205401-SG ESX 3.5 ESX ESX350-201205401-SG d. VMware floppy device out-of-bounds memory write Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. Workaround - Remove the virtual floppy drive from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general. Mitigation - Do not allow untrusted root users in your virtual machines. Root or Administrator level permissions are required to exploit this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2449 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected Workstation 8.x any 8.0.3 or later Player 4.x any 4.0.3 or later Fusion 4.x Mac OS/X patch pending ** ESXi 5.0 ESXi ESXi500-201205401-SG ESXi 4.1 ESXi ESXi410-201205401-SG ESXi 4.0 ESXi ESXi400-201205401-SG ESXi 3.5 ESXi ESXe350-201205401-I-SG ESX 4.1 ESX ESX410-201205401-SG ESX 4.0 ESX ESX400-201205401-SG ESX 3.5 ESX ESX350-201205401-SG ** A workaround for the issue is listed above. e. VMware SCSI device unchecked memory write Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. Workaround - Remove the virtual SCSI controller from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general. Mitigation - Do not allow untrusted root users access to your virtual machines. Root or Administrator level permissions are required to exploit this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2450 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected Workstation 8.x any 8.0.3 or later Player 4.x any 4.0.3 or later Fusion 4.x Mac OS/X 4.1.2 or later ESXi 5.0 ESXi ESXi500-201205401-SG ESXi 4.1 ESXi ESXi410-201205401-SG ESXi 4.0 ESXi ESXi400-201205401-SG ESXi 3.5 ESXi ESXe350-201205401-I-SG ESX 4.1 ESX ESX410-201205401-SG ESX 4.0 ESX ESX400-201205401-SG ESX 3.5 ESX ESX350-201205401-SG 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. Workstation 8.0.3 ----------------- http://www.vmware.com/go/downloadworkstation Release notes: https://www.vmware.com/support/ws80/doc/releasenotes_workstation_803.html VMware Workstation for Windows 32-bit and 64-bit with VMware Tools md5sum: c8cabe876ab629f27e47cea02f0d4def sha1sum: 815c2b2b9b0e5fd089ed19da15a272671eb405bd VMware Workstation for Linux 32-bit with VMware Tools md5sum: 968c0785ddb96058e808117730d7c3ad sha1sum: 08ac903c012ef887bf45b3f9f83a4d3200fe25d1 VMware Workstation for Linux 64-bit with VMware Tools md5sum: aa9ce2d953f21f9d902de00ffd2fcb5c sha1sum: b8d189b6717d49abc49401fc4ad50b187ff2e813 Player 4.0.3 ------------ http://www.vmware.com/go/downloadplayer Release notes: https://www.vmware.com/support/player40/doc/releasenotes_player403.html VMware Player for Windows 32-bit and 64-bit md5sum: f2259a257a5099cdce5e1ce76512f599 sha1sum: 96badcaac81e1dfeaaac49d1a5bb6b1e13956266 VMware Player for Linux 32-bit md5sum: 4012e897a77a1c69dd18fbcdde6cf269 sha1sum: 1c00cde50dc6c651393c85db6449010cf552c3eb VMware Player for Linux 64-bit md5sum: 857edd0695b3b31713f9ea1b0a65f2b6 sha1sum: 83c4365f4b43713e8cee13998c394331990a0fd3 ESXi and ESX ------------ http://downloads.vmware.com/go/selfsupport-download Note: In case multiple patches are listed below, the most recent patch is listed on top. The most recent patch includes fixes for the issues that are addressed in the older patches. ESXi 5.0 -------- ESXi500-201205001 md5sum: 4a1de58656980271d79a32107cba75cf sha1sum: 5f23b318df3476002877c37f2970093dc2217d75 http://kb.vmware.com/kb/2019857 ESXi500-201205001 contains ESXi500-201205401-SG ESXi 4.1 -------- ESXi410-201205001 md5sum: 5a37d83fc2a96483c94b3087387b3e9c sha1sum: 9999f578163ffc9ada809e985a6e5d42b83e2be6 http://kb.vmware.com/kb/2019860 ESXi410-201205001 contains ESXi410-201205401-SG ESXi410-201201001 md5sum: bdf86f10a973346e26c9c2cd4c424e88 sha1sum: cc0b92869a9aae4f5e0e5b81bee109bcd7da780f http://kb.vmware.com/kb/2009137 ESXi410-201201001 contains ESXi410-201201401-SG update-from-esxi4.1-4.1_update02 md5sum:57e34b500ce543d778f230da1d44e412 sha1sum:52f4378e2f1a29c908493182ccbde91d58b4112f http://kb.vmware.com/kb/2002338 update-from-esxi4.1-4.1_update02 contains ESXi410-201110201-SG ESXi 4.0 -------- ESXi400-201205001 md5sum: 96808908b8ff82460a6cbd9b4c501dd4 sha1sum: df0256c4ff71f4e7af507e956a496390c7a84597 http://kb.vmware.com/kb/2019855 ESXi400-201205001 contains ESXi400-201205401-SG update-from-esxi4.0-4.0_update03 md5sum: 01bb395825b55b21ec5ea9a5e2ec2c4b sha1sum: ca49bbf154278568a71caf1a5288ac9239dfaf7f http://kb.vmware.com/kb/1031736 update-from-esxi4.0-4.0_update03 contains ESXi400-201105201-UG ESXi 3.5 -------- ESXe350-201205401-O-SG md5sum: e2f017e7ef9a1c0ed5e70dbc97ec62d3 sha1sum: 8dab4731acd4e257cc1701aa0a88373727a9e3ae http://kb.vmware.com/kb/2019538 ESXe350-201205401-O-SG contains ESXe350-201205401-I-SG ESX 4.1 ------- ESX410-201205001 md5sum: 0445d053cacee38338b6cc57efae093b sha1sum: 40720a3be86dd3c9e0bed29c95e0f0a4e34e4cce http://kb.vmware.com/kb/2019859 ESX410-201205001 contains ESX410-201205401-SG ESX410-201201001 md5sum: 16df9acd3e74bcabc2494bc23ad0927f sha1sum: 1066ae1436e1a75ba3d541ab65296cfb9ab7a5cc http://kb.vmware.com/kb/2009080 ESX410-201201001 contains ESX410-201201401-SG ESX 4.0 ------- ESX400-201205001 md5sum: ff0451d353916cc5aebdabf15f4941cc sha1sum: 8485bc41f23e214940e2b618958293ef74eb425f http://kb.vmware.com/kb/2019853 ESX400-201205001 contains ESX400-201205401-SG update-from-esx4.0-4.0_update03 md5sum: 329b08d80d56b0965b84251c552970ba sha1sum: 2e7285d0cbfd666ab9d745a76f639eccb55c1b2a http://kb.vmware.com/kb/1031732 update-from-esx4.0-4.0_update03 contains ESX400-201105201-UG ESX 3.5 ------- ESX350-201205401-SG md5sum: e7d519fccf34a9bd9ff73cbef9247e31 sha1sum: b5a1a50bf116fb900768a8882bc77adb93b3a182 http://kb.vmware.com/kb/2019535 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1516 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1517 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2448 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2449 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2450 ----------------------------------------------------------------------- 6. Change log 2012-05-03 VMSA-2012-0009 Initial security advisory in conjunction with the release of Workstation 8.0.3, Player 4.0.3 and patches for ESXi and ESX 3.5, 4.0, 4.1 and 5.0 on 2012-05-03. ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2012 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFPoqeMDEcm8Vbi9kMRArVAAJ4/gq2fVUj0y5hP0Bwt3tNkqpGwGQCfac1V xkgqRXKeGCKRbmMR8blc8zQ= =HLeh -----END PGP SIGNATURE-----