VMSA-2015-0007.6

VMware vCenter and ESXi updates address critical security issues.

VMware Security Advisory
 
VMware Security Advisory Advisory ID:
  VMSA-2015-0007.6
VMware Security Advisory Synopsis:
  VMware vCenter and ESXi updates address critical security issues.
VMware Security Advisory Issue date:
  2015-10-01
VMware Security Advisory Updated on:
  2016-06-14
VMware Security Advisory CVE numbers:
  CVE-2015-5177 CVE-2015-2342 CVE-2015-1047
1. Summary

VMware vCenter and ESXi updates address critical security issues.

 

NOTE: See section 3.b for a critical update on an incomplete fix for the JMX RMI issue.  

 

2. Relevant Releases

VMware ESXi 5.5 without patch ESXi550-201509101-SG
VMware ESXi 5.1 without patch ESXi510-201510101-SG
VMware ESXi 5.0 without patch ESXi500-201510101-SG

VMware vCenter Server 6.0 prior to version 6.0.0b
VMware vCenter Server 5.5 prior to version 5.5 update 3
VMware vCenter Server 5.1 prior to version 5.1 update u3b
VMware vCenter Server 5.0 prior to version 5.0 update u3e

3. Problem Description

a. VMware ESXi OpenSLP Remote Code Execution

 

VMware ESXi contains a double free flaw in OpenSLP's SLPDProcessMessage() function. Exploitation of this issue may allow an unauthenticated attacker to remotely execute code on the ESXi host.

 

VMware would like to thank Qinghao Tang of QIHU 360 for reporting this issue to us.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-5177 to this issue.

 

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

 

VMware Product =====
Product Version =====
Running on ======
Replace with/ Apply Patch ==================
VMware Product ===== ESXi
Product Version ===== 6.0
Running on ====== ESXi
Replace with/ Apply Patch ================== not affected
VMware Product ===== ESXi
Product Version ===== 5.5
Running on ====== ESXi
Replace with/ Apply Patch ================== ESXi550-201509101-SG *
VMware Product ===== ESXi
Product Version ===== 5.1
Running on ====== ESXi
Replace with/ Apply Patch ================== ESXi510-201510101-SG
VMware Product ===== ESXi
Product Version ===== 5.0
Running on ====== ESXi
Replace with/ Apply Patch ================== ESXi500-201510101-SG

* Customers who have installed the complete set of ESXi 5.5 U3

Bulletins, please review VMware KB 2133118. KB 2133118 documents a known
non-security issue and provides a solution.

 

b. VMware vCenter Server JMX RMI Remote Code Execution

 

VMware vCenter Server contains a remotely accessible JMX RMI service that is
not securely configured. An unauthenticated remote attacker who is able
to connect to the service may be able to use it to execute arbitrary
code on the vCenter Server. A local attacker may be able to elevate
their privileges on vCenter Server.

 

vCenter Server Appliance (vCSA) 5.1, 5.5 and 6.0 has remote access to the JMX RMI service (port 9875) blocked by default.

 

VMware would like to thank Doug McLeod of 7 Elements Ltd and an anonymous
researcher working through HP's Zero Day Initiative for reporting this
issue to us.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-2342 to this issue.

 

CRITICAL UPDATE

 

VMSA-2015-0007.2 and earlier versions of this advisory documented that CVE-2015-2342 was addressed in vCenter Server 5.0 U3e, 5.1 U3b, and 5.5 U3. Subsequently, it was found that the fix for CVE-2015-2342 in vCenter Server 5.0 U3e, 5.1 U3b, and 5.5 U3/U3a/U3b running on Windows was incomplete and did
not address the issue.

 

In order to address the issue on these versions of vCenter Server Windows, an
additional patch must be installed. This additional patch is available
from VMware Knowledge Base (KB) article 2144428.

 

In case the Windows Firewall is enabled on the system that has vCenter
Server Windows installed, remote exploitation of CVE-2015-2342 is not
possible. Even if the Windows Firewall is enabled, users are advised to
install the additional patch in order to remove the local privilege
elevation.

 

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product =====
Product Version =====
Running on ======
Replace with/ Apply Patch ==================
VMware Product ===== VMware vCenter Server
Product Version ===== 6.0
Running on ====== Any
Replace with/ Apply Patch ================== 6.0.0b and above
VMware Product ===== VMware vCenter Server
Product Version ===== 5.5
Running on ====== Windows
Replace with/ Apply Patch ================== (5.5 U3/U3a/U3b + KB *) or 5.5 U3d
VMware Product ===== VMware vCenter Server
Product Version ===== 5.5
Running on ====== Linux
Replace with/ Apply Patch ================== 5.5 U3 and above
VMware Product ===== VMware vCenter Server
Product Version ===== 5.1
Running on ====== Windows
Replace with/ Apply Patch ================== (5.1 U3b + KB *) or 5.1 U3d
VMware Product ===== VMware vCenter Server
Product Version ===== 5.1
Running on ====== Linux
Replace with/ Apply Patch ================== 5.1 U3b
VMware Product ===== VMware vCenter Server
Product Version ===== 5.0
Running on ====== Windows
Replace with/ Apply Patch ================== (5.0 U3e + KB *) or 5.0 U3g
VMware Product ===== VMware vCenter Server
Product Version ===== 5.0
Running on ====== Linux
Replace with/ Apply Patch ================== 5.0 U3e

*An additional patch provided in VMware KB article 2144428 must be

installed on vCenter Server Windows 5.0 U3e, 5.1 U3b, 5.5 U3, 5.5 U3a,
and 5.5 U3b in order to remediate CVE-2015-2342.     

This patch is not needed when updating to 5.0 U3g, 5.1
U3d or 5.5 U3d, or when installing 5.0 U3g, 5.1 U3d or 5.5 U3d.

 

c. VMware vCenter Server vpxd denial-of-service vulnerability

 

VMware vCenter Server does not properly sanitize long
heartbeat messages. Exploitation of this issue may allow an
unauthenticated attacker to create a denial-of-service condition in the
vpxd service.

 

VMware would like to thank the Google Security Team for reporting this issue to us.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-1047 to this issue.

 

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

 

VMware Product =====
Product Version =====
Running on ======
Replace with/ Apply Patch ==================
VMware Product ===== VMware vCenter Server
Product Version ===== 6.0
Running on ====== Any
Replace with/ Apply Patch ================== not affected
VMware Product ===== VMware vCenter Server
Product Version ===== 5.5
Running on ====== Any
Replace with/ Apply Patch ================== 5.5u2
VMware Product ===== VMware vCenter Server
Product Version ===== 5.1
Running on ====== Any
Replace with/ Apply Patch ================== 5.1u3
VMware Product ===== VMware vCenter Server
Product Version ===== 5.0
Running on ====== Any
Replace with/ Apply Patch ================== 5.0u3e
4. Solution

 

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.


vCenter Server
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere

 

ESXi
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal

 

Documentation:
http://kb.vmware.com/kb/2110247
http://kb.vmware.com/kb/2114875
http://kb.vmware.com/kb/2120209

 

6. Change log

2015-10-01 VMSA-2015-0007
Initial security advisory in conjunction with ESXi 5.0,
5.1 patches and VMware vCenter Server 5.1 u3b, 5.0 u3e on 2015-10-01.

 

2015-10-06 VMSA-2015-0007.1
Updated security advisory in conjunction with the
release of ESXi 5.5 U3a on 2015-10-06. Added a note to section 3.a to
alert customers to a non-security issue in ESXi 5.5 U3 that is addressed
in ESXi 5.5 U3a.

 

2015-10-20 VMSA-2015-0007.2
Updated security advisory to reflect that CVE-2015-2342
is fixed in an earlier vCenter Server version (6.0.0b) than originally
reported (6.0 U1) and that the port required to exploit the
vulnerability is blocked in the appliance versions of the software (5.1
and above).

 

2016-02-12 VMSA-2015-0007.3
Updated security advisory to add that an additional
patch is required on vCenter Server 5.0 U3e, 5.1 U3b and 5.5 U3/U3a/U3b
running on Windows to remediate CVE-2015-2342.

 

2016-04-27 VMSA-2015-0007.4
Updated security advisory to add that vCenter Server 5.5
U3d running on Windows addresses CVE-2105-2342 without the need to
install the additional patch.


2016-05-24 VMSA-2015-0007.5
Updated security advisory to add that vCenter Server 5.1
U3d running on Windows addresses CVE-2105-2342 without the need to
install the additional patch.


2016-06-14 VMSA-2015-0007.6
Updated security advisory to add that vCenter Server 5.0
U3g running on Windows addresses CVE-2105-2342 without the need to
install the additional patch.

 

 

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

 

 security-announce at lists.vmware.com
 bugtraq at securityfocus.com
 fulldisclosure at seclists.org

 

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

 

VMware Security Advisories
http://www.vmware.com/security/advisories

 

Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735

 

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
 
Twitter
https://twitter.com/VMwareSRC

 

Copyright 2015 VMware Inc.  All rights reserved.

 

 

Sign up for Security Advisories

Enter your email address: