-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2009-0017 Synopsis: VMware vCenter, ESX patch and vCenter Lab Manager releases address cross-site scripting issues Issue date: 2009-12-15 Updated on: 2009-12-15 (initial release of advisory) CVE numbers: CVE-2009-3731 - ----------------------------------------------------------------------- 1. Summary VMware vCenter and ESX update releases address cross-site scripting issues in the Help functionality of WebAccess. A vCenter Lab Manager release addresses the same issues which are present in the online Help functionality of Lab Manager and Stage Manager. 2. Relevant releases ESX 4.0 without patch ESX400-200911223-UG vCenter 4.0 GA VMware Server 2.0.2 VMware Lab Manager 2.x VMware vCenter Lab Manager 3.x VMware vCenter Lab Manager 4.0 VMware vCenter Stage Manager 1.x 3. Problem Description a. WebWorks Help - Cross-site scripting vulnerability WebWorks Help is an output format that allows online Help to be delivered on multiple platforms and browsers, which makes it easy to publish information on the Web or on an enterprise intranet. WebWorks Help is used for creating the online help pages that are available in VMware WebAccess, Lab Manager and Stage Manager. WebWorks Help doesn't sufficiently sanitize incoming requests which may result in cross-site scripting vulnerabilities in applications that are built with WebWorks Help. Exploitation of these vulnerabilities in VMware products requires tricking a user to click on a malicious link or to open a malicious web page while they are logged in into vCenter, ESX or VMware Server using WebAccess, or logged in into Stage Manager or Lab Manager. Successful exploitation can lead to theft of user credentials. These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network. Security best practices provided by VMware recommend that the Service Console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. Client-side protection measures included with current browsers are not always able to prevent these attacks from being executed. VMware would like to thank Daniel Grzelak and Alex Kouzemtchenko of stratsec (www.stratsec.net) for finding and reporting this issue. VMware would also like to thank Ben Allums of WebWorks.com for working on the remediation of this issue with us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3731 to this issue. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter 4.0 Windows Update 1 VirtualCenter 2.5 Windows not affected VirtualCenter 2.0.2 Windows not affected Workstation any any not affected Player any any not affected Server 2.0.2 any VMware KB 1016594 Server 1.0 any not affected ACE any any not affected Fusion any any not affected ESXi any ESXi not affected ESX 4.0 ESX ESX400-200911223-UG ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected ESX 2.5.5 ESX not affected vMA 4.0 RHEL5 not affected Lab Manager any any Lab Manager 4.0.1 Stage Manager any any Lab Manager 4.0.1 Note: The remediation provided by WebWorks.com is not applicable to VMware products. 4. Solution Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file. VMware vCenter Server 4 Update 1 -------------------------------- Version 4.0 Update 1 Build Number 208156 Release Date 2009/11/19 Type Product Binaries http://downloads.vmware.com/download/download.do?downloadGroup=VC40U1 VMware vCenter Server 4 and modules File size: 1.8 GB File type: .iso MD5SUM: 057d55b32eb27fe5f3e01bc8d3df3bc5 SHA1SUM: c90134418c2e4d3d6637d8bee44261300ad95ec1 VMware vCenter Server 4 and modules File size: 1.5 GB File type: .zip MD5SUM: f843d9c19795eb3bc5a77f5c545468a8 SHA1SUM: 9a7abd8e70bd983151e2ee40e1b3931525c4480c VMware vSphere Client and Host Update Utility File size: 113.8 MB File type: .exe MD5SUM: 6cc6b2c958e7e9529c284e48dfae22a9 SHA1SUM: f4c19c63a75d93cffc57b170066358160788c959 VMware vCenter Converter BootCD File size: 98.8 MB File type: .zip MD5SUM: 3df94eb0e93de76b0389132ada2a3799 SHA1SUM: 5d7c04e4f9f8ae25adc8de5963fefd8a4c92464c VMware vCenter Converter CLI (Linux) File size: 36.9 MB File type: .tar.gz MD5SUM: 3766097563936ba5e03e87e898f6bd48 SHA1SUM: 36d485bdb5eb279296ce8c8523df04bfb12a2cb4 ESX 4.0 ------- ESX400-200911223-UG (Update 1a) https://hostupdate.vmware.com/software/VUM/OFFLINE/release-166-20091202-254 879/ESX-4.0.0-update01a.zip md5sum: 99c1fcafbf0ca105ce73840d686e9914 sha1sum: aa8a23416271bc28b6b8f6bdbe00045e36314ebb http://kb.vmware.com/kb/1014842 To install an individual bulletin use esxupdate with the -b option. esxupdate --bundle=ESX-4.0.0-update01.zip -b ESX400-200911223-UG VMware Server 2.0.2 ------------------- http://kb.vmware.com/kb/1016594 Stage Manager ------------- http://www.vmware.com/products/sm/faq.html Lab Manager 4.0.1 ----------------- http://downloads.vmware.com/download/download.do?downloadGroup=VLM401 md5sum: b4d8f5637eaea59f028eafe62d0366ab sha1sum: a437726b45dce0a72fb5cbd3996a6d6f84e6c8df http://www.vmware.com/support/labmanager40/doc/releasenotes_labmanager401.h tml 5. References http://www.webworks.com/Security/2009-0001 CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3731 - ------------------------------------------------------------------------ 6. Change log 2009-12-15 VMSA-2009-0017 Initial security advisory after publication of information by third party vendor, WebWorks.com, on 2009-12-15. - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2009 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: utf-8 wj8DBQFLJ9Z2S2KysvBH1xkRAiiOAJ4+TWKnhkLYDiDargvqosRU6RHn1ACeJtXe oEsepbtYQRxE45xLZgJnaAQ= =F9Pg -----END PGP SIGNATURE-----