------------------------------------------------------------------------
                   VMware Security Advisory
  
Advisory ID:       VMSA-2010-0005
Synopsis:          VMware products address vulnerabilities in WebAccess
Issue date:        2010-03-29
Updated on:        2010-03-29 (initial release of advisory)
CVE numbers:       CVE-2009-2277 CVE-2010-1137 CVE-2010-0686
                   CVE-2010-1193                    
------------------------------------------------------------------------
  
1. Summary
  
   VMware products address vulnerabilities in WebAccess.
  
  
2. Relevant releases
  
   Virtual Center 2.5 with WebAccess
   Virtual Center 2.0.2 with WebAccess
  
   VMware Server 2.0.2 with WebAccess
   VMware Server 1.0.10
  
   ESX 3.5 with WebAccess
   ESX 3.0.3 with WebAccess
  
   Notes:
  
   Effective May 2010, VMware's patch and update release program during
   Extended Support will be continued with the condition that all
   subsequent patch and update releases will be based on the latest
   baseline release version as of May 2010 (i.e. ESX 3.0.3 Update 1,
   ESX 3.5 Update 5, and VirtualCenter 2.5 Update 6). Refer to section
   "End of Product Availability FAQs" at
   http://www.vmware.com/support/policies/lifecycle/vi/faq.html for
   details.
  
   Extended support for ESX 2.5.5 ends on 2010-06-15. Users should plan
   to upgrade to at least ESX 3.0.3 Update 1 and preferably to the
   newest release available.
  
   Extended support for ESX 3.0.3 ends on 2011-12-10. Users should plan
   to upgrade to at least ESX 3.5 Update 5 and preferably to the newest
   release available. 
  
  
3. Problem Description
  
  a. WebAccess Context Data Cross-site Scripting Vulnerability
  
    A cross-site scripting vulnerability in WebAccess allows for
    disclosure of sensitive information. The flaw is due to insufficient
    verification of certain parameters, which may lead to redirection of
    a user's requests.
  
    This vulnerability can only be exploited if the attacker tricks the
    WebAccess user into clicking a malicious link and the attacker has
    control of a server on the same network as the system where
    WebAccess is being used.
  
    Workaround
    By switching off WebAccess the issue can no longer be exploited.
    This can be accomplished on affected versions of Virtual Center and
    ESX as follows:

    Virtual Center 2.0.2 and Virtual Center 2.5:
      Open the Windows Services overview on the system that runs
      Virtual Center.
      To stop WebAccess without a reboot:
         Stop the VMware Infrastructure Web Access service.
      To prevent WebAccess from starting after the next reboot:
         Set the startup type of the VMware Infrastructure Web Access
         service to Disabled.
  
    ESX 3.0.3 and ESX 3.5:
      Open a root shell on ESX.
      To stop WebAccess without a reboot:
         service vmware-webAccess stop
      To prevent WebAccess from starting after the next reboot:
         chkconfig vmware-webAccess off

    VMware would like to thank David Byrne and Tom Leavey of Trustwave's
    SpiderLabs for reporting this issue to us. 
  
    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2009-2277 to this issue.
  
    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.
  
    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.0       Windows  not affected
    VirtualCenter  2.5       Windows  Virtual Center 2.5 Update 6
    VirtualCenter  2.0.2     Windows  not being fixed at this time *

    hosted **      any       any      not affected    
  
    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      ESX350-201003403-SG
    ESX            3.0.3     ESX      not being fixed at this time *
    ESX            2.5.5     ESX      not affected

    vMA            4.0       RHEL5    not affected
  
  * Use the workaround of disabling WebAccess to remediate the issue.
  
 ** Hosted products are VMware Workstation, Player, ACE, Server, Fusion.
  
    Note: This vulnerability can be exploited remotely only if the
          attacker has access to the Service Console network.
  
          Security best practices provided by VMware recommend that the
          Service Console be isolated from the VM network. Please see
          http://www.vmware.com/resources/techresources/726 for more
          information on VMware security best practices.
  
  
  b. WebAccess Virtual Machine Name Cross-site Scripting Vulnerability

    A cross-site scripting vulnerability allows for execution of 
    JavaScript in the Web browser's security context for WebAccess. The
    flaw is due to insufficient checking on the names of virtual
    machines.
  
    In order to exploit the issue, the attacker must have control over
    the naming of a virtual machine and must have the user list this
    Virtual Machine in WebAccess.
  
    Workaround
    By switching off WebAccess the issue can no longer be exploited. See
    section 3.a on how this can be accomplished.
  
    VMware would like to thank Craig Marshall of Ernst and Young
    Advanced Security Center for reporting this issue to us. 

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-1137 to this issue.
  
    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.0       Windows  not affected
    VirtualCenter  2.5       Windows  Virtual Center 2.5 Update 4 *
    VirtualCenter  2.0.2     Windows  not being fixed at this time **

    Workstation    any       any      not affected
  
    Player         any       any      not affected
  
    Server         2.0       any      not affected
    Server         1.0       any      not being fixed at this time ***
  
    ACE            any       any      not affected
  
    Fusion         any       any      not affected 

    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      ESX350-200903223-UG *
    ESX            3.0.3     ESX      not being fixed at this time **
    ESX            2.5.5     ESX      not affected

    vMA            4.0       RHEL5    not affected
  
  * The issue is remediated in Virtual Center 2.5 Update 4 and later. 
    The issue is remediated on ESX 3.5 by patch ESX350-200903223-UG and 
    by later ESX 3.5 WebAccess patches. The latest ESX 3.5 WebAccess
    patch is ESX350-201003403-SG.
  
 ** Use the workaround of disabling WebAccess to remediate the issue.
  
*** In VMware Server 1.0 there is no WebAccess. The corresponding 
    functionality is offered through the VMware Server Console.

    Note: This vulnerability can be exploited remotely only if the
          attacker has access to the Service Console network.
  
          Security best practices provided by VMware recommend that the
          Service Console be isolated from the VM network. Please see
          http://www.vmware.com/resources/techresources/726 for more
          information on VMware security best practices.
  
  
  c. WebAccess URL Forwarding Vulnerability
  
    The WebAccess component doesn't sufficiently validate user supplied
    input and allows for forwarding of an incoming request to another
    destination. The destination will not be able to see the true origin
    of the request URL but instead will see the address of the machine
    that runs WebAccess. An attacker could use the forwarding
    vulnerability to direct traffic at servers while disguising the
    source location.
  
    The security issue is limited to URL forwarding. This vulnerability
    doesn't allow for a so-called cross-site scripting attack and
    doesn't allow for stealing of the user cookies.

    Workaround
    By switching off WebAccess the issue can no longer be exploited. See
    section 3.a on how this can be accomplished.

    VMware would like to thank John Fitzpatrick of MWR InfoSecurity
    for reporting this issue to us. 

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-0686 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.0       Windows  not affected
    VirtualCenter  2.5       Windows  not being fixed at this time *
    VirtualCenter  2.0.2     Windows  not being fixed at this time *

    Workstation    any       any      not affected

    Player         any       any      not affected

    Server         2.0       any      not being fixed at this time *
    Server         1.0       any      not affected

    ACE            any       any      not affected

    Fusion         any       any      not affected
  
    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      not being fixed at this time *
    ESX            3.0.3     ESX      not being fixed at this time *
    ESX            2.5.5     ESX      not affected

    vMA            4.0       RHEL5    not affected
  
  * Use the workaround of disabling WebAccess to remediate the issue.
  
    Note: This vulnerability can be exploited remotely only if the
          attacker has access to the Service Console network.
  
          Security best practices provided by VMware recommend that the
          Service Console be isolated from the VM network. Please see
          http://www.vmware.com/resources/techresources/726 for more
          information on VMware security best practices.
  
  
  d. WebAccess JSON Cross-site Scripting Vulnerability

    A cross-site scripting vulnerability allows for execution of
    JavaScript in the Web browser's security context for WebAccess. The
    flaw is due to incorrect parsing of JSON error messages.
  
    This vulnerability can only be exploited if the attacker tricks the
    WebAccess user into clicking a malicious link.
  
    Workaround
    By switching off WebAccess the issue can no longer be exploited. See
    section 3.a on how this can be accomplished.
  
    VMware would like to thank Nathan Keltner for reporting this issue
    to us. 

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-1193 to this issue.
  
    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.
  
    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    vCenter        4.0       Windows  not affected
    VirtualCenter  2.5       Windows  not affected
    VirtualCenter  2.0.2     Windows  not affected

    Workstation    any       any      not affected

    Player         any       any      not affected

    Server         2.0       any      not being fixed at this time *
    Server         1.0       any      not affected

    ACE            any       any      not affected

    Fusion         any       any      not affected
  
    ESXi           any       ESXi     not affected

    ESX            4.0       ESX      not affected
    ESX            3.5       ESX      not affected
    ESX            3.0.3     ESX      not affected
    ESX            2.5.5     ESX      not affected

    vMA            4.0       RHEL5    not affected
  
  * Use the workaround of disabling WebAccess to remediate the issue.
  
4. Solution
  
   Please review the patch/release notes for your product and version
   and verify the sha1sum or md5sum of your downloaded file.
  
   VMware Virtual Center 2.5 Update 6
   ----------------------------------
   Version       2.5 Update 6
   Build Number  227637
   Release Date  2010/01/29
   Type          Product Binaries
   http://downloads.vmware.com/download/download.do?downloadGroup=VC250U6
  
   VirtualCenter DVD image - English only version
   File size: 854 MB
   File type: .iso
   md5sum: d83b09ac0533a418d5b7f5493dbd3ed3
   sha1sum: 1b969b397a937402b5e9463efc767eff7a980ad0
  
   VirtualCenter as a Zip file - English only version
   File size: 625 MB
   File type: .zip
   md5sum: 760f335ebcd363e0e159b20da923621f
   sha1sum: e400bc1008d1e4c44d204a8135293b8ae305f14e

   VMware vCenter Converter BootCD
   VMware Converter Enterprise BootCD for VirtualCenter
   File size: 97 MB
   File type: .zip
   md5sum: e49e0ff0f2563196cc5d4b5c471cd666
  
   VMware vCenter Converter CLI (Linux)
   VMware Converter Enterprise CLI for Linux platform
   File size: 37 MB
   File type: .tar.gz
   md5sum: 30d1f5e58a6cad8dacd988908305bc1c
  
   ESX 3.5
   -------
   ESX350-201003403-SG
   http://download3.vmware.com/software/vi/ESX350-201003403-SG.zip
   md5sum: cdddef476c06eeb28c10c5dac3730dca
   http://kb.vmware.com/kb/1018702
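   As an added example (not part of this advisory or of VMware's own
   tooling), the POSIX shell functions below cover two checks that follow
   from sections 3.a and 4: whether the WebAccess workaround has taken
   effect on an ESX 3.x Service Console, judged from a chkconfig --list
   line for vmware-webAccess, and whether a downloaded
   ESX350-201003403-SG.zip matches the md5sum listed above. The sample
   chkconfig lines are constructed, and the function names are assumed.

```shell
#!/bin/sh
# Added example (not part of VMSA-2010-0005): remediation checks for the
# WebAccess workaround and the ESX 3.5 patch download. Runs offline on
# the constructed input below; the real checks take real file/command output.

# Patch file and md5sum for ESX 3.5 exactly as listed in section 4.
ESX35_PATCH='ESX350-201003403-SG.zip'
ESX35_PATCH_MD5='cdddef476c06eeb28c10c5dac3730dca'

# Constructed sample of 'chkconfig --list vmware-webAccess' on an ESX 3.x
# Service Console before the workaround ...
CHKCONFIG_BEFORE='vmware-webAccess 0:off 1:off 2:on 3:on 4:on 5:on 6:off'
# ... and after 'chkconfig vmware-webAccess off' has been run.
CHKCONFIG_AFTER='vmware-webAccess 0:off 1:off 2:off 3:off 4:off 5:off 6:off'

# Returns 0 if a chkconfig --list line shows the service starting in any
# multi-user runlevel (2-5), i.e. WebAccess would come back after a reboot.
webaccess_starts_on_boot() {
    case " $1 " in
        *" 2:on "*|*" 3:on "*|*" 4:on "*|*" 5:on "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if the md5sum of file $1 equals the expected hash $2.
# Comparison is case-insensitive; an unreadable file yields a mismatch.
md5_matches() {
    actual=$(md5sum "$1" 2>/dev/null | cut -d' ' -f1 | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Convenience wrapper: check a downloaded copy of the ESX 3.5 patch
# (path defaults to the file name from the advisory) against the listed hash.
verify_esx35_patch() {
    md5_matches "${1:-$ESX35_PATCH}" "$ESX35_PATCH_MD5"
}

# Stand-alone demonstration on the constructed chkconfig samples.
if webaccess_starts_on_boot "$CHKCONFIG_BEFORE"; then
    echo "before workaround: WebAccess still enabled at boot"
fi
if ! webaccess_starts_on_boot "$CHKCONFIG_AFTER"; then
    echo "after workaround: WebAccess disabled at boot"
fi
```

   On a live host, feed the check the real output with
   webaccess_starts_on_boot "$(chkconfig --list vmware-webAccess)".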
  
  
5. References
  
   CVE numbers

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2277
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1137
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0686
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1193
  
------------------------------------------------------------------------
6. Change log
  
2010-03-29  VMSA-2010-0005
Initial security advisory after release of patches for ESX 3.5 
on 2010-03-29.
  
------------------------------------------------------------------------
7. Contact
  
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
  
This Security Advisory is posted to the following lists:
  
  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk
  
E-mail:  security at vmware.com
PGP key at: 
http://kb.vmware.com/kb/1055
  
VMware Security Center
http://www.vmware.com/security
  
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
  
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
  
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
  
Copyright 2010 VMware Inc.  All rights reserved.