VMSA-2012-0006.2

VMware ESXi and ESX address several security issues

VMware Security Advisory
 
VMware Security Advisory Advisory ID:
  VMSA-2012-0006.2
VMware Security Advisory Synopsis:
  VMware ESXi and ESX address several security issues
VMware Security Advisory Issue date:
  2012-03-29
VMware Security Advisory Updated on:
  2012-06-13
VMware Security Advisory CVE numbers:
  CVE-2012-1515, CVE-2011-2482, CVE-2011-3191, CVE-2011-4348
CVE-2011-4862
1. Summary


VMware ESXi and ESX address several security issues.

2. Relevant releases


Workstation 7.1.1
Player 3.1.1

ESXi 4.1 without patch ESXi410-201101201-SG
ESXi 4.0 without patch ESXi400-201203401-SG
ESXi 3.5 without patch ESXe350-201203401-I-SG

ESX 4.1 without patch ESX410-201101201-SG
ESX 4.0 without patches ESX400-201203401-SG, ESX400-201203407-SG
ESX 3.5 without patch ESX350-201203401-SG

3. Problem Description

a. VMware ROM Overwrite Privilege Escalation
A flaw in the way port-based I/O is handled allows for modifying Read-Only Memory that belongs to the Virtual DOS Machine. Exploitation of this issue may lead to privilege escalation on Guest Operating Systems that run Windows 2000, Windows XP 32-bit, Windows Server 2003 32-bit or Windows Server 2003 R2 32-bit.
VMware would like to thank Derek Soeder of Ridgeway Internet Security, L.L.C. for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1515 this issues.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product
Product Version
Running on
Replace with/ Apply Patch
VMware Product vCenter
Product Version any
Running on Windows
Replace with/ Apply Patch not affected
VMware Product Workstation
Product Version 8.x
Running on any
Replace with/ Apply Patch not affected
VMware Product Workstation
Product Version 7.x
Running on any
Replace with/ Apply Patch 7.1.2 or later
VMware Product Player
Product Version 4.x
Running on any
Replace with/ Apply Patch not affected
VMware Product Player
Product Version 3.x
Running on any
Replace with/ Apply Patch 3.1.2 or later
VMware Product Fusion
Product Version 4.x
Running on Mac OS/X
Replace with/ Apply Patch not affected
VMware Product ESXi
Product Version 5.0
Running on ESXi
Replace with/ Apply Patch not affected
VMware Product ESXi
Product Version 4.1
Running on ESXi
Replace with/ Apply Patch ESXi410-201101201-SG
VMware Product ESXi
Product Version 4.0
Running on ESXi
Replace with/ Apply Patch ESXi400-201203401-SG
VMware Product ESXi
Product Version 3.5
Running on ESXi
Replace with/ Apply Patch ESXe350-201203401-I-SG
VMware Product ESX
Product Version 4.1
Running on ESX
Replace with/ Apply Patch ESX410-201101201-SG
VMware Product ESX
Product Version 4.0
Running on ESX
Replace with/ Apply Patch ESX400-201203401-SG
VMware Product ESX
Product Version 3.5
Running on ESX
Replace with/ Apply Patch ESX350-201203401-SG

b. ESX third party update for Service Console kernel
The ESX Service Console Operating System (COS) kernel is updated to kernel-400.2.6.18-238.4.11.591731 to fix multiple security issues in the COS kernel.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-2482, CVE-2011-3191 and CVE-2011-4348 to these issues.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product
Product Version
Running on
Replace with/ Apply Patch
VMware Product vCenter
Product Version any
Running on Windows
Replace with/ Apply Patch not affected
VMware Product hosted *
Product Version any
Running on any
Replace with/ Apply Patch not affected
VMware Product ESXi
Product Version any
Running on any
Replace with/ Apply Patch not affected
VMware Product ESX
Product Version 4.0
Running on ESX
Replace with/ Apply Patch ESX400-201203401-SG
VMware Product ESX
Product Version 3.5
Running on ESX
Replace with/ Apply Patch not applicable



* hosted products are VMware Workstation, Player, ACE, Fusion.

** One of the three issues, CVE-2011-2482, has already been addressed on ESX 4.1 in an earlier kernel patch. See VMSA-2012-0001 for details.

c. ESX third party update for Service Console krb5 RPM
This patch updates the krb5-libs and krb5-workstation RPMs to version 1.6.1-63.el5_7 to resolve a security issue.

By default, the affected krb5-telnet and ekrb5-telnet services do not run. The krb5 telnet daemon is an xinetd service. You can run the following commands to check if krb5 telnetd is enabled:

  • /sbin/chkconfig --list krb5-telnet
  • /sbin/chkconfig --list ekrb5-telnet

You can run the following commands to disable krb5 telnet daemon:

  • /sbin/chkconfig krb5-telnet off
  • /sbin/chkconfig ekrb5-telnet off

The Common Vulnerabilities and Exposures project ( cve.mitre.org) has assigned the name CVE-2011-4862 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product
Product Version
Running on
Replace with/ Apply Patch
VMware Product vCenter
Product Version any
Running on Windows
Replace with/ Apply Patch not affected
VMware Product hosted *
Product Version any
Running on any
Replace with/ Apply Patch not affected
VMware Product ESXi
Product Version any
Running on any
Replace with/ Apply Patch not affected
VMware Product ESX
Product Version 4.1
Running on ESX
Replace with/ Apply Patch not applicable
VMware Product ESX
Product Version 4.0
Running on ESX
Replace with/ Apply Patch ESX400-201203407-SG
VMware Product ESX
Product Version 3.5
Running on ESX
Replace with/ Apply Patch not applicable



* hosted products are VMware Workstation, Player, ACE, Fusion.

4. Solution


Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

Workstation 7.1.2
---------------------------
http://www.vmware.com/go/downloadworkstation

Release notes:
https://www.vmware.com/support/ws71/doc/releasenotes_ws712.html

Workstation for Windows 32-bit and 64-bit with VMware Tools
md5sum: 2e9715ec297dc3ca904ad2707d3e2614
sha1sum: 55b2b99f67c3dacd402fb9880999086efd264e7a

Workstation for Windows 32-bit and 64-bit without VMware Tools
md5sum: 066929f59aef46f11f4d9fd6c6b36e4d
sha1sum: def776a28ee1a21b1ad26e836ae868551fff6fc3

Player 3.1.2
---------------------------
http://www.vmware.com/go/downloadplayer

Release notes:
https://www.vmware.com/support/player31/doc/releasenotes_player312.html

VMware Player for Windows 32-bit and 64-bit
md5sum: 3f289cb33af5e425c92d8512fb22a7ba
sha1sum: bf67240c1f410ebeb8dcb4f6d7371334bf9a6b70

VMware Player for Linux 32-bit
md5sum: 11e3e3e8753e1d9abbbb92c4e3c1dfe8
sha1sum: dd1dbcdb1f4654eefc11472b68934dcb69842749

VMware Player for Linux 64-bit
md5sum: 2ab08e0d4050719845a64d334ca15bb1
sha1sum: f024ad84ec831fce8667dfa9601851da5d9fa59c

ESXi 4.1
---------------------------
update-from-esxi4.1-4.1_update01
md5sum: 2f1e009c046b20042fae3b7ca42a840f
sha1sum: 1c9c644012dec657a705ddd3d033cbfb87a1fab1
http://kb.vmware.com/kb/1027919

update-from-esxi4.1-4.1_update01 contains ESXi410-201101201-SG

ESXi 4.0
---------------------------
ESXi400-201203001
md5sum: 8054b2e7c9cd024e492ac5c1fb9c1e72
sha1sum: 6150fee114d70603ccae399f42b905a6b1a7f3e1
http://kb.vmware.com/kb/2011777

ESXi400-201203001 contains ESXi400-201203401-SG

ESXi 3.5
---------------------------
ESXe350-201203401-O-SG
md5sum: 44124458684d6d1b957b4e39cbe97d77
sha1sum: 2255311bc6c27e127e075040eb1f98649b5ce8be
http://kb.vmware.com/kb/2009160 ESXe350-201203401-O-SG contains ESXe350-201203401-I-SG

 
ESX 4.1 --------------------------- update-from-esx4.1-4.1_update01 md5sum: 2d81a87e994aa2b329036f11d90b4c14 sha1sum: c2bfc0cf7ac03d24afd5049ddbd09a865aad1798 http://kb.vmware.com/kb/1027904 

update-from-esx4.1-4.1_update01 contains ESX410-201101201-SG

ESX 4.0
---------------------------
ESX400-201203001
md5sum: 02b7e883e8b438b83bf5e53a1be71ad3
sha1sum: 34734a8edba225a332731205ee2d6575ad9e1c88
http://kb.vmware.com/kb/2011767

ESX400-201203001 contains ESX400-201203401-SG and ESX400-201203407-SG

ESX 3.5
---------------------------
ESX350-201203401-SG
md5sum: 07743c471ce46de825c36c2277ccd500
sha1sum: cb77e6f820e1015311bf2386b240fd84f0ad04dd
http://kb.vmware.com/kb/2009155

5. References


CVE numbers

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4348
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862

6. Change log


2012-03-29 VMSA-2012-0006 Initial security advisory in conjunction with the release of patches for ESX 4.0 on 2012-03-29.

2012-04-26 VMSA-2012-0006.1 Updated security advisory after the release of ESX 4.1 patch on 2012-04-26

2012-06-13 VMSA-2012-0006.2 Updated Relevant Releases, Problem Description, and Solution sections to include information regarding updates for Workstation 7 in conjunction with the release of Workstation 7.1.6 on 2012-06-13.

7. Contact


E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  • security-announce at lists.vmware.com
  • bugtraq at securityfocus.com
  • full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at:
http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html


Copyright 2012 VMware Inc. All rights reserved.

 

Sign up for Security Advisories

Enter your email address: