-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2009-0009 Synopsis: ESX Service Console updates for udev, sudo, and curl Issue date: 2009-07-10 Updated on: 2009-07-10 (initial release of advisory) CVE numbers: CVE-2009-1185 CVE-2009-0034 CVE-2009-0037 - ----------------------------------------------------------------------- 1. Summary Update for Service Console packages udev,sudo, and curl 2. Relevant releases VMware ESX 4.0.0 without bulletin ESX400-200906411-SG, ESX400-200906406-SG, ESX400-200906407-SG. 3. Problem Description a. Service Console package udev A vulnerability in the udev program did not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1185 to this issue. Please see http://kb.vmware.com/kb/1011786 for details. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.0 ESX ESX400-200906411-SG ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected ESX 3.0.2 ESX not affected ESX 2.5.5 ESX not affected * hosted products are VMware Workstation, Player, ACE, Server, Fusion. b. Service Console package sudo Service Console package for sudo has been updated to version sudo-1.6.9p17-3. This fixes the following issue: Sudo versions 1.6.9p17 through 1.6.9p19 do not properly interpret a system group in the sudoers file during authorization decisions for a user who belongs to that group, which might allow local users to leverage an applicable sudoers file and gain root privileges by using a sudo command. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0034 to this issue. Please see http://kb.vmware.com/kb/1011781 for more details The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.0 ESX ESX400-200906411-SG ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected ESX 3.0.2 ESX not affected ESX 2.5.5 ESX not affected * hosted products are VMware Workstation, Player, ACE, Server, Fusion. c. Service Console package curl Service Console package for curl has been updated to version curl-7.15.5-2.1. This fixes the following issue: The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to trigger arbitrary requests to intranet servers, read or overwrite arbitrary files by using a redirect to a file: URL, or execute arbitrary commands by using a redirect to an scp: URL. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0037 to this issue. Please see http://kb.vmware.com/kb/1011782 for details The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.0 ESX ESX400-200906407-SG ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected ESX 3.0.2 ESX not affected ESX 2.5.5 ESX not affected * hosted products are VMware Workstation, Player, ACE, Server, Fusion. 4. Solution Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file. ESX 4.0 ------- ESX400-200906001 http://tinyurl.com/ncfu5s md5sum:cab549922f3429b236633c0e81351cde sha1sum:aff76554ec5ee3c915eb4eac02e62c131163059a Note: ESX400-200906001 contains the following security fixes ESX400-200906411-SG, ESX400-200906406-SG, ESX400-200906405-SG, ESX400-200906407-SG. To install an individual bulletin use esxupdate with the -b option. esxupdate --bundle ESX400-200906001.zip -b ESX400-200906411-SG \ -b ESX400-200906406-SG -b ESX400-200906405-SG -b \ ESX400-200906407-SG update 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0034 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037 - ------------------------------------------------------------------------- 6. Change log 2009-07-10 VMSA-2009-0008 Initial security advisory after release of bulletins for ESX 4.0 on 2009-07-10. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2009 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) iD8DBQFKV9esS2KysvBH1xkRAn2bAJ91HvmEkAxVpRxehax8rGzBd+ufcwCeIhk8 zk/ROHHbZJmWN44MlbMIx/8= =fQaI -----END PGP SIGNATURE-----