-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2008-0008 Synopsis: Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion resolve critical security issues Issue date: 2008-05-30 Updated on: 2008-05-30 (initial release of advisory) CVE numbers: CVE-2008-2098 CVE-2008-2099 - ------------------------------------------------------------------- 1. Summary: Several critical security vulnerabilities have been addressed in the newest releases of VMware's hosted product line. 2. Relevant releases: VMware Workstation 6.0.3 and earlier, VMware Player 2.0.3 and earlier, VMware ACE 2.0.3 and earlier, VMware Fusion 1.1.1 and earlier NOTES: Users of VMware hosted products VMware Workstation 5.x, VMware Player 1.x, and VMware ACE 1.x should note that although they are not vulnerable to these issue, they will reach their end of general support on 2008-11-09. Customers should plan to upgrade to the latest version of their respective products. 3. Problem description: a. VMware HGFS File System Heap Overflow The VMware Host Guest File System (HGFS) shared folders feature allows users to transfer data between a guest operating system and the non-virtualized host operating system that contains it. A heap buffer overflow condition is present in VMware HGFS. Exploitation of this flaw might allow an unprivileged guest process to execute code in the context of the vmx process on the host. In order to exploit this vulnerability, the VMware system must have at least one folder shared. Two things must happen for a folder to be shared. 1) Shared folders must be enabled, and 2) a folder must be selected from the host system to be shared. No folders are shared by default in any version of our products, which means this vulnerability is not exploitable by default. Workstation 6.x, Player 2.x, and ACE 2.x have shared folders disabled by default. VMware Server, ESX and ESXi do not provide the shared folders feature. Because there is no back-end for the HGFS protocol on the virtualization host, these products are architecturally immune to this issue. This issue might not be exploitable on host operating systems which have implemented heap protection. VMware would like to thank Andrew Honig of the Department of Defense for reporting this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-2098 to this issue. VMware Product Running Replace with/ Product Version on Apply Patch ============ ======== ======= ================= Workstation 6.x Windows 6.0.4 build 93057 Workstation 6.x Linux 6.0.4 build 93057 Workstation 5.x Windows not affected Workstation 5.x Linux not affected Player 2.x Windows 2.0.4 build 93057 Player 2.x Linux 2.0.4 build 93057 Player 1.x Windows not affected Player 1.x Linux not affected ACE 2.x Windows 2.0.2 build 93057 ACE 1.x Windows not affected Server 1.x Windows not affected Server 1.x Linux not affected Fusion 1.x Mac OS/X 1.1.2 build 87978 or later b. Windows based VMCI arbitrary code execution vulnerability VMCI was introduced in VMware Workstation 6.0, VMware Player 2.0, and VMware ACE 2.0. It is an experimental, optional feature that allows virtual machines to communicate with one another. With VMCI enabled a guest may execute arbitrary code in the context of the vmx process on the host. This is a compiler dependent vulnerability and only affects systems running on windows hosts. VMware would like to thank Andrew Honig of the Department of Defense for reporting this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-2099 to this issues. VMware Product Running Replace with/ Product Version on Apply patch ============ ======== ======= ================= Workstation 6.x Windows 6.0.4 build 93057 Workstation 6.x Linux not affected Workstation 5.x Windows not affected Workstation 5.x Linux not affected Player 2.x Windows 2.0.4 build 93057 Player 2.x Linux not affected Player 1.x Windows not affected Player 1.x Linux not affected ACE 2.x Windows 2.0.2 build 93057 ACE 1.x Windows not affected Server 1.x Windows not affected Server 1.x Linux not affected Fusion 1.x Mac OS/X not affected 4. Solution: Please review the release notes for your product and version and verify the md5sum of your downloaded file. VMware Workstation 6.0.4 ------------------------ http://www.vmware.com/download/ws/ Release notes: http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html Windows binary md5sum: f50a05831e94c19d98f363c752fca5f9 RPM Installation file for 32-bit Linux md5sum: e7793b14b995d3b505f093c84e849421 tar Installation file for 32-bit Linux md5sum: a0a8e1d8188f4be03357872a57a767ab RPM Installation file for 64-bit Linux md5sum: 960d753038a268b8f101f4b853c0257e tar Installation file for 64-bit Linux md5sum: 4697ec8a9d6c1152d785f3b77db9d539 VMware Player 2.0.4 ------------------- http://www.vmware.com/download/player/ Release notes Player 1.x: http://www.vmware.com/support/player/doc/releasenotes_player.html Release notes Player 2.0 http://www.vmware.com/support/player2/doc/releasenotes_player2.html 2.0.4 Windows binary md5sum: a117664a8bfa7336b846117e5fc048dd VMware Player 2.0.4 for Linux (.rpm) md5sum: de6ab6364a0966b68eadda2003561cd2 VMware Player 2.0.4 for Linux (.tar) md5sum: 9e1c2bfda6b22a3fc195a86aec11903a VMware Player 2.0.4 - 64-bit (.rpm) md5sum: 997e5ceffe72f9ce9146071144dacafa VMware Player 2.0.4 - 64-bit (.tar) md5sum: 18eb4ee49dd7e33ec155ef69d7d259ef VMware ACE ---------- http://www.vmware.com/download/ace/ Release notes 2.0: http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html VMware-workstation-6.0.4-93057.exe md5sum: f50a05831e94c19d98f363c752fca5f9 VMware-ACE-Management-Server-Appliance-2.0.4-93057.zip md5sum: d2ae2246f3d87268cf84c1421d94e86c VMware-ACE-Management-Server-2.0.4-93057.exe md5sum: 41b31b3392d5da2cef77a7bb28654dbf VMware-ACE-Management-Server-2.0.4-93057.i386-rhel4.rpm md5sum: 9920be4c33773df53a1728b41af4b109 VMware-ACE-Management-Server-2.0.4-93057.i386-sles9.rpm md5sum: 4ec4c37203db863e8844460b5e80920b VMware Fusion 1.1.3 -------------- http://www.vmware.com/download/fusion/ Release notes: http://www.vmware.com/support/fusion/doc/releasenotes_fusion.html md5sum: D15A3DFD3E7B11FC37AC684586086D 5. References: CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2098 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2099 6. Change log: 2008-05-30 VMSA-2008-0008 Initial release - ------------------------------------------------------------------- 7. Contact: E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce@lists.vmware.com * bugtraq@securityfocus.com * full-disclosure@lists.grok.org.uk E-mail: security@vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2008 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFIQFCVS2KysvBH1xkRCAnIAJ0SuIABL0Y0t8Wo2gcBRlhp3w82UACdH8f/ IM84mlV6oiPxg+XGGUVRyeI= =/czP -----END PGP SIGNATURE-----