-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2008-0018 Synopsis: VMware Hosted products and patches for ESX and ESXi resolve two security issues Issue date: 2008-11-06 Updated on: 2008-11-06 (initial release of advisory) CVE numbers: CVE-2008-4915 CVE-2008-4281 - ------------------------------------------------------------------------ 1. Summary VMware Hosted products and patches for ESX and ESXi resolve multiple security issues. A flaw in the CPU hardware emulation may allow for a privilege escalation on virtual machine guest operating systems. In addition a directory traversal issue is resolved. 2. Relevant releases VMware Workstation 6.0.5 and earlier, VMware Workstation 5.5.8 and earlier, VMware Player 2.0.5 and earlier, VMware Player 1.0.8 and earlier, VMware ACE 2.0.5 and earlier, VMware ACE 1.0.7 and earlier, VMware Server 1.0.7 and earlier. VMware ESXi 3.5 without patch ESXe350-200810401-O-UG VMware ESX 3.5 without patch ESX350-200810201-UG VMware ESX 3.0.3 without patch ESX303-200810501-BG VMware ESX 3.0.2 without patch ESX-1006680 VMware ESX 2.5.5 without upgrade patch 10 or later VMware ESX 2.5.4 without upgrade patch 21 NOTE: Hosted products VMware Workstation 5.x, VMware Player 1.x, and VMware ACE 1.x will reach end of general support 2008-11-09. Customers should plan to upgrade to the latest version of their respective products. Extended support (Security and Bug fixes) for ESX 3.0.2 ended on 2008-10-29 and Extended support for ESX 3.0.2 Update 1 ends on 2009-08-08. Users should plan to upgrade to ESX 3.0.3 and preferably to the newest release available. 3. Problem Description a. A privilege escalation on 32-bit and 64-bit guest operating systems VMware products emulate hardware functions and create the possibility to run guest operating systems. A flaw in the CPU hardware emulation might allow the virtual CPU to incorrectly handle the Trap flag. Exploitation of this flaw might lead to a privilege escalation on guest operating systems. An attacker needs a user account on the guest operating system and have the ability to run applications. VMware would like to thank Derek Soeder for discovering this issue and working with us on its remediation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-4915 to this issue. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 6.5.x any not affected Workstation 6.0.x any 6.5.0 build 118166 or later Workstation 5.x any 5.5.9 build 126128 or later Player 2.5.x any not affected Player 2.0.x any 2.5.0 build 118166 or later Player 1.x any 1.0.9 build 126128 or later ACE 2.5.x Windows not affected ACE 2.0.x Windows 2.5.0 build 118166 or later ACE 1.x Windows 1.0.8 build 125922 or later Server 2.x any not affected Server 1.x any 1.0.8 build 126538 or later Fusion 2.x Mac OS/X not affected Fusion 1.x Mac OS/X not affected ESXi 3.5 ESXi ESXe350-200810401-O-UG ESX 3.5 ESX ESX350-200810201-UG ESX 3.0.3 ESX ESX303-200810501-BG ESX 3.0.2 ESX ESX-1006680 ESX 2.5.5 ESX ESX 2.5.5 upgrade patch 10 or later ESX 2.5.4 ESX ESX 2.5.4 upgrade patch 21 b. Directory traversal vulnerability VirtualCenter allows administrators to have fine-grained privileges. A directory traversal vulnerability might allow administrators to increase these privileges. In order to leverage this flaw, the administrator would need to have the Datastore.FileManagement privilege. VMware would like to thank Michel Toussaint for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-4281 to this issue. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected hosted * any any not affected ESXi 3.5 ESXi ESXe350-200810401-O-UG ESX 3.5 ESX ESX350-200810201-UG ESX 3.0.3 ESX not affected ESX 3.0.2 ESX not affected ESX 2.5.5 ESX not affected ESX 2.5.4 ESX not affected * hosted products are VMware Workstation, Player, ACE, Server, Fusion. 4. Solution Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file. VMware Workstation 5.5.9 ------------------------ http://www.vmware.com/download/ws/ws5.html Release notes: http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html Windows binary: md5sum: 509c7b323a8ac42c0a92b0a1446bb0f8 Compressed Tar archive for 32-bit Linux md5sum: 9d189e72f8111e44b27f1ee92edf265e Linux RPM version for 32-bit Linux md5sum: 0957c5258d033d0107517df64bfea240 VMware Player 1.0.9 ----------------------------- http://www.vmware.com/download/player/ Release notes Player 1.x: http://www.vmware.com/support/player/doc/releasenotes_player.html Windows binary md5sum: e2c8dd7b27df7d348f14f69de017b93f Player 1.0.9 for Linux (.rpm) md5sum: 471c3881fa60b058b1dac1d3c9c32c85 Player 1.0.9 for Linux (.tar) md5sum: bef507811698e7333f5e8cb672530dbf VMware ACE 1.0.8 ---------------- http://www.vmware.com/download/ace/ Release notes: http://www.vmware.com/support/ace/doc/releasenotes_ace.html Windows binary md5sum: 920a08c2fcdeaedcb3258183817419a0 ACE 1.0.8 for Linux (.rpm) md5sum: 450254b73fa6802713136bf2c04e5b40 ACE 1.0.8 for Linux (.tar) md5sum: 5efdaccf8217b8d7875d3f35cd6159e0 VMware Server 1.0.8 ------------------- http://www.vmware.com/download/server/ Release notes: http://www.vmware.com/support/server/doc/releasenotes_server.html VMware Server for Windows 32-bit and 64-bit md5sum: 4ba41e5fa192f786121a7395ebaa8d7c VMware Server Windows client package md5sum: f25746e275ca00f28d44ad372fc92536 VMware Server for Linux md5sum: a476d3953ab1ff8457735e692fa5edf9 VMware Server for Linux rpm md5sum: af6890506618fa82928fbfba8a5f97e1 Management Interface md5sum: 5982b84a39479cabce63e12ab664d369 VMware Server Linux client package md5sum: 605d7db48f63211cc3f5ddb2b3f915a6 ESXi ---- ESXi 3.5 patch ESXe350-200810401-O-UG http://download3.vmware.com/software/vi/ESXe350-200810401-O-UG.zip md5sum: 9b83c54a005572bebb86652e3efd732a http://kb.vmware.com/kb/1007056 NOTE: The three ESXi patches for Firmware "I", VMware Tools "T," and the VI Client "C" are contained in a single offline "O" download file. ESX --- ESX Server 3.5 update 3 CD image Refresh md5sum: e9bdaad2d37872820a4cad8e8dbde536 http://www.vmware.com/download/download.do?downloadGroup=ESX350U3 ESX Server 3.5 upgrade package from ESX Server 2.x to ESX Server 3.5 Update 3 Refresh md5sum:2da08fed15bd4b1ed5b19433e837591c http://www.vmware.com/download/download.do?downloadGroup=ESX350U3 ESX Server 3.5 upgrade package from ESX Server 3.0.x to ESX Server 3.5 Update 3 Refresh md5sum:d631aa8418d99fce4280fc3905ac4c37 http://www.vmware.com/download/download.do?downloadGroup=ESX350U3 ESX Server 3.5 upgrade package from ESX Server 3.5 to ESX Server 3.5 Update 3 Refresh md5sum:4dea5d943d0c0469c397b6520dfeb0fb http://www.vmware.com/download/download.do?downloadGroup=ESX350U3 ESX 3.5 patch ESX350-200810201-UG (vCPU/directory traversal) http://download3.vmware.com/software/vi/ESX350-200810201-UG.zip md5sum: 6f26f985d9fea520ebdda7c65b60486e http://kb.vmware.com/kb/1007041 ESX 3.0.3 patch ESX303-200810501-BG (vCPU) http://download3.vmware.com/software/vi/ESX303-200810501-BG.zip md5sum: da72f475c5ac038379d712d36307e33d http://kb.vmware.com/kb/1006969 ESX 3.0.2 patch ESX-1006680 (vCPU) http://download3.vmware.com/software/vi/ESX-1006680.tgz md5sum: 8186a2e77bc7c0e4cd5b214d0a5d29c0 http://kb.vmware.com/kb/1006680 VMware ESX 2.5.5 Upgrade Patch 10 http://download3.vmware.com/software/esx/esx-2.5.5-119702-upgrade.tar.gz md5sum: 2ee87cdd70b1ba84751e24c0bd8b4621 http://vmware.com/support/esx25/doc/esx-255-200810-patch.html VMware ESX 2.5.4 Upgrade Patch 21 http://download3.vmware.com/software/esx/esx-2.5.4-119703-upgrade.tar.gz md5sum: d791be525c604c852a03dd7df0eabf35 http://vmware.com/support/esx25/doc/esx-254-200810-patch.html 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4915 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4281 - ------------------------------------------------------------------------ 6. Change log 2008-11-06 VMSA-2008-0018 Initial security advisory after release of VMware Workstation, VMware Player, VMware ACE, VMware Server and ESXi and ESX 3.5 Update 3 on 2008-11-06. - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2008 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFJE9TRS2KysvBH1xkRArqUAJ9lo3j0TD709+27HlDCa7E8igu+AgCfZTTC O60MAdvOuLJHSO8DOJ7SLx8= =BOi5 -----END PGP SIGNATURE-----