VMSA-2008-0005.1
Several critical security vulnerabilities have been addressed in the newest releases of VMware's hosted product line
VMware Security Advisory
CVE-2008-1362 CVE-2007-5269 CVE-2006-2940
CVE-2006-2937 CVE-2006-4343 CVE-2006-4339
CVE-2007-5618 CVE-2008-1364 CVE-2008-1363
CVE-2008-1340
1. Summary
Several critical security vulnerabilities have been addressed in the newest releases of VMware's hosted product line.
2. Relevant releases
VMware Workstation 6.0.2 and earlier
VMware Workstation 5.5.4 and earlier
VMware Player 2.0.2 and earlier
VMware Player 1.0.4 and earlier
VMware ACE 2.0.2 and earlier
VMware ACE 1.0.2 and earlier
VMware Server 1.0.4 and earlier
VMware Fusion 1.1.1 and earlier
3. Problem description
a. Host to guest shared folder (HGFS) traversal vulnerability
On Windows hosts, if you have configured a VMware host to guest shared folder (HGFS), it is possible for a program running in the guest to gain access to the host's file system and create or modify executable files in sensitive locations.
NOTE: VMware Server is not affected because it doesn't use host to guest shared folders. No versions of ESX Server, including ESX Server 3i, are affected by this vulnerability. Because ESX Server is based on a bare-metal hypervisor architecture and not a hosted architecture, and it doesn't include any shared folder abilities. Fusion and Linux based hosted products are unaffected.
VMware would like to thank CORE Security Technologies for working with us on this issue. This addresses advisory CORE-2007-0930.
The Common Vulnerabilities and exposures project (cve.mitre.org) has assigned the name CVE-2008-0923 to this issue.
Hosted products
---------------
VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846
b. Insecure named pipes
An internal security audit determined that a malicious Windows user could attain and exploit LocalSystem privileges by causing the authd process to connect to a named pipe that is opened and controlled by the malicious user.
The same internal security audit determined that a malicious Windows user could exploit an insecurely created named pipe object to escalate privileges or create a denial of service attack. In this situation, the malicious user could successfully impersonate authd and attain privileges under which Authd is executing.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-1361, CVE-2008-1362 to these issues.
Windows Hosted products
---------------
VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)
c. Updated libpng library to version 1.2.22 to address various security vulnerabilities
Several flaws were discovered in the way libpng handled various PNG image chunks. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash when the file was manipulated.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5269 to this issue.
Hosted products
---------------
VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004) VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)
NOTE: Fusion is not affected by this issue.
d. Updated OpenSSL library to address various security vulnerabilities
Updated OpenSSL fixes several security flaws were discovered in previous versions of OpenSSL.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to these issues: CVE-2006-2940, CVE-2006-2937, CVE-2006-4343, CVE-2006-4339.
Hosted products
---------------
VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)
NOTE: Fusion is not affected by this issue.
e. VIX API default setting changed to a more secure default value
Workstation 6.0.2 allowed anonymous console access to the guest by means of the VIX API. This release, Workstation 6.0.3, disables this feature.
This means that the Eclipse Integrated Virtual Debugger and the Visual Studio Integrated Virtual Debugger will now prompt for user account credentials to access a guest.
Hosted products
---------------
VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
f. Windows 2000 based hosted products privilege escalation vulnerability
This release addresses a potential privilege escalation on Windows 2000 hosted products. Certain services may be improperly registered and present a security vulnerability to Windows 2000 machines.
VMware would like to thank Ray Hicken for reporting this issue and David Maciejak for originally pointing out these types of vulnerabilities.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5618 to this issue.
Windows versions of Hosted products
---------------
VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)
NOTE: Fusion and Linux based products are not affected by this issue.
g. DHCP denial of service vulnerability
A potential denial of service issue affects DHCP service running on the host.
VMware would like to thank Martin O'Neal for reporting this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-1364 to this issue.
Hosted products
---------------
VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)
VMware Fusion 1.1 upgrade to version 1.1.1 (Build# 72241)
NOTE: This issue doesn't affect the latest versions of VMware
Workstation 6, VMware Player 2, and ACE 2 products.
h. Local Privilege Escalation on Windows based platforms by Hijacking VMware VMX configuration file
VMware uses a configuration file named "config.ini" which is located in the application data directory of all users.
By manipulating this file, a user could gain elevated privileges by hijacking the VMware VMX process.
VMware would like to thank Sun Bing for reporting the issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-1363 to this issue.
Windows based Hosted products
---------------
VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)
i. Virtual Machine Communication Interface (VMCI) memory corruption resulting in denial of service
VMCI was introduced in VMware Workstation 6.0, VMware Player 2.0, and VMware ACE 2.0. It is an experimental, optional feature and it may be possible to crash the host system by making specially crafted calls to the VMCI interface. This may result in denial of service via memory exhaustion and memory corruption.
VMware would like to thank Andrew Honig of the Department of Defense for reporting this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-1340 to this issue.
Hosted products
---------------
VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
VMware Fusion 1.1.1 upgrade to version 1.1.2 (Build# 87978)
4. Solution
Please review the Patch notes for your product and version and verify the md5sum of your downloaded file. >
VMware Workstation 6.0.3
------------------------
www.vmware.com/download/ws/
Release notes:
www.vmware.com/support/ws6/doc/releasenotes_ws6.html
Windows binary
md5sum: 323f054957066fae07735160b73b91e5
RPM Installation file for 32-bit Linux
md5sum: c44183ad11082f05593359efd220944e
tar Installation file for 32-bit Linux
md5sum: 57601f238106cb12c1dea303ad1b4820
RPM Installation file for 64-bit Linux
md5sum: e9ba644be4e39556724fa2901c5e94e9
tar Installation file for 64-bit Linux
md5sum: d8d423a76f99a94f598077d41685e9a9
VMware Workstation 5.5.5
------------------------
www.vmware.com/download/ws/ws5.html
Release notes:
www.vmware.com/support/ws55/doc/releasenotes_ws55.html
Windows binary
md5sum: 9c2dd94db5eed93d7f64e8d6ba8d8bd3
Compressed Tar archive for 32-bit Linux
md5sum: 77401c0842a151f0b2db0b4fcb0d16eb
Linux RPM version for 32-bit Linux
md5sum: c222b6db934deb9c1bb79b16b25a3202
VMware Server 1.0.5
-------------------
www.vmware.com/download/server/
Release notes:
www.vmware.com/support/server/doc/releasenotes_server.html
VMware Server for Windows 32-bit and 64-bit
md5sum: 3c4a57310c55e17bf8e4a1059d5b36cc
VMware Server Windows client package
md5sum: cb3dd2439203dc510f4d95f06ba59d21
VMware Server for Linux
md5sum: 161dcbe5af9bbd9834a86bf7c599903e
VMware Server for Linux rpm
md5sum: fc3b81ed18b53eda943a992971e9f84a
Management Interface
md5sum: dd10d25895d9994bd27ca896152f48ef
VMware Server Linux client package
md5sum: aae18f1f7b8811b5499e3a358754d4f8
VMware ACE 2.0.3 and 1.0.5
--------------------------
www.vmware.com/download/ace/
Windows Release notes:
www.vmware.com/support/ace2/doc/releasenotes_ace2.html
VMware Fusion 1.1.1
-------------------
www.vmware.com/download/fusion/
Release notes:
www.vmware.com/support/fusion/doc/releasenotes_fusion.html
md5sum: 38e116ec26b30e7a6ac47c249ef650d0
VMware Fusion 1.1.2
-------------------
www.vmware.com/download/fusion/
Release notes:
www.vmware.com/support/fusion/doc/releasenotes_fusion.html
md5sum: D15A3DFD3E7B11FC37AC684586086D2B
VMware Player 2.0.3 and 1.0.6
----------------------
www.vmware.com/download/player/
Release notes Player 1.x:
www.vmware.com/support/player/doc/releasenotes_player.html
Release notes Player 2.0
www.vmware.com/support/player2/doc/releasenotes_player2.html
2.0.3 Windows binary
md5sum: 0c5009d3b569687ae139e13d24c868d3
VMware Player 2.0.3 for Linux (.rpm)
md5sum: 53502b2112a863356dcd13dd0d8dd8f2
VMware Player 2.0.3 for Linux (.tar)
md5sum: 2305fcff49bef6e4ad83742412eac978
VMware Player 2.0.3 - 64-bit (.rpm)
md5sum: cf945b571c4d96146ede010286fdfca5
VMware Player 2.0.3 - 64-bit (.tar)
md5sum: f99c5b293eb87c5f918ad24111565b9f
1.0.6 Windows binary
md5sum: 895081406c4de5361a1700ec0473e49c
Player 1.0.6 for Linux (.rpm)
md5sum: 8adb23799dd2014be0b6d77243c76942
Player 1.0.6 for Linux (.tar)
md5sum: c358f8e1387fb60863077d6f8a9f7b3f
5. References
CVE numbers
cve.mitre.org/cgi-bin/cvename.cgi
cve.mitre.org/cgi-bin/cvename.cgi
cve.mitre.org/cgi-bin/cvename.cgi
cve.mitre.org/cgi-bin/cvename.cgi
cve.mitre.org/cgi-bin/cvename.cgi
cve.mitre.org/cgi-bin/cvename.cgi
cve.mitre.org/cgi-bin/cvename.cgi
cve.mitre.org/cgi-bin/cvename.cgi
cve.mitre.org/cgi-bin/cvename.cgi
cve.mitre.org/cgi-bin/cvename.cgi
cve.mitre.org/cgi-bin/cvename.cgi
cve.mitre.org/cgi-bin/cvename.cgi
6. Change log
2008-03-17 VMSA-2008-0005
Initial release
2008-04-24 VMSA-2008-0005.1
Added information for Fusion 1.1.2 released on 04/23/08 for item i.
7. Contact
E-mail list for product security notifications and announcements:
lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: kb.vmware.com/kb/1055
VMware Security Center
www.vmware.com/security
VMware security response policy
www.vmware.com/support/policies/security_response.html
General support life cycle policy
www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
www.vmware.com/support/policies/eos_vi.html