CVE-2010-4295: [Security-announce] VMSA-2010-0018 VMware hosted products and ESX patches resolve multiple security issues
Race condition in the mounting process in vmware-mount in VMware Workstation 7.x before 7.1.2 build 301548 on Linux, VMware Player 3.1.x before 3.1.2 build 301548 on Linux, VMware Server 2.0.2 on Linux, and VMware Fusion 3.1.x before 3.1.2 build 332101 allows host OS users to gain privileges via vectors involving temporary files.
VMware Security Announcements security-announce at lists.vmware.com
Thu Dec 2 22:53:35 PST 2010
VMware Security Advisory
Advisory ID: VMSA-2010-0018
Synopsis: VMware hosted products and ESX patches resolve multiple security issues
Issue date: 2010-12-02
Updated on: 2010-12-02 (initial release of advisory)
CVE numbers: CVE-2010-4295 CVE-2010-4296 CVE-2010-4297 CVE-2010-4294
Summary
VMware hosted products and ESX patches resolve multiple security issues.
Relevant releases
VMware Workstation 7.1.1 and earlier,
VMware Workstation 6.5.4 and earlier,
VMware Player 3.1.1 and earlier,
VMware Player 2.5.4 and earlier,
VMware Fusion 3.1.1 and earlier,
ESXi 4.1 without patch ESXi410-201010402-BG or later
ESXi 4.0 without patch ESXi400-201009402-BG or later
ESXi 3.5 without patch ESXe350-201008402-T-BG or later
ESX 4.1 without patch ESX410-201010405-BG
ESX 4.0 without patch ESX400-201009401-SG
ESX 3.5 without patch ESX350-201008409-BG
Note: VMware Server was declared End Of Availability in January 2010; support will be limited to Technical Guidance for the duration of the support term.
Problem Description
a. VMware Workstation, Player and Fusion vmware-mount race condition
The way temporary files are handled by the mounting process could
result in a race condition. This issue could allow a local user on
the host to elevate their privileges.
VMware Workstation and Player running on Microsoft Windows are not
affected.
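The advisory gives no detail on how vmware-mount handled its temporary files. As an added example (not VMware's code), this C sketch shows the usual way a privileged program closes a temporary-file race: create the file atomically and verify the descriptor rather than the path. The function names, file names and the /tmp demo directory are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a scratch file with no check-then-open window. O_EXCL makes the
 * kernel fail if anything already exists at `path` (a planted file or a
 * symlink, dangling or not); O_NOFOLLOW refuses a symlink outright.
 * Returns an open fd, or -1. */
int create_private(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Verify the object behind the fd, never the path again. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || (st.st_mode & 077) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo in a private directory (names are illustrative).
 * Returns 1 if a planted symlink is refused, its destination is left
 * uncreated, and a fresh name still works. */
int demo_planted_symlink(void)
{
    char dir[] = "/tmp/tmprace-demo-XXXXXX", lnk[64], victim[64], fresh[64];
    if (!mkdtemp(dir))
        return -1;
    snprintf(lnk, sizeof lnk, "%s/scratch", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh", dir);
    if (symlink(victim, lnk) != 0)
        return -1;
    int refused = create_private(lnk) < 0 && access(victim, F_OK) != 0;
    int fd = create_private(fresh);
    int ok = refused && fd >= 0;
    if (fd >= 0)
        close(fd);
    unlink(fresh); unlink(lnk); rmdir(dir);
    return ok;
}
```

When the name does not need to be fixed, mkstemp() gives the same O_CREAT|O_EXCL guarantee with an unpredictable name.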
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-4295 to this issue.
VMware would like to thank Dan Rosenberg for reporting this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =================
VirtualCenter  any       Windows   not affected
Workstation    7.x       Linux     7.1.2 Build 301548 or later
Workstation    7.x       Windows   not affected
Workstation    6.5.x     any       not affected
Player         3.1.x     Linux     3.1.2 Build 301548 or later
Player         3.1.x     Windows   not affected
Player         2.5.x     any       not affected
AMS            any       any       not affected
Server         2.0.2     Linux     affected, no patch planned
Server         2.0.2     Windows   not affected
Fusion         3.1.x     Mac OS/X  3.1.2 Build 332101 or later
Fusion         2.x       Mac OS/X  not affected
ESXi           any       ESXi      not affected
ESX            any       ESX       not affected
b. VMware Workstation, Player and Fusion vmware-mount privilege escalation
vmware-mount, which is a suid binary, has a flaw in the way libraries
are loaded. This issue could allow local users on the host to
execute arbitrary shared object files with root privileges.
VMware Workstation and Player running on Microsoft Windows are not
affected.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-4296 to this issue.
VMware would like to thank Martin Carpenter for reporting this
issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =================
VirtualCenter  any       Windows   not affected
Workstation    7.x       Linux     7.1.2 Build 301548 or later
Workstation    7.x       Windows   not affected
Workstation    6.5.x     any       not affected
Player         3.1.x     Linux     3.1.2 Build 301548 or later
Player         3.1.x     Windows   not affected
Player         2.5.x     any       not affected
AMS            any       any       not affected
Server         2.0.2     Linux     affected, no patch planned
Server         2.0.2     Windows   not affected
Fusion         3.1.x     Mac OS/X  3.1.2 Build 332101
Fusion         2.x       Mac OS/X  not affected
ESXi           any       ESXi      not affected
ESX            any       ESX       not affected
c. OS Command Injection in VMware Tools update
A vulnerability in the input validation of VMware Tools update
allows for injection of commands. The issue could allow a user
on the host to execute commands on the guest operating system
with root privileges.
The issue can only be exploited if VMware Tools is not fully
up-to-date. Windows-based virtual machines are not affected.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-4297 to this issue.
VMware would like to thank Nahuel Grisolia of Bonsai Information
Security, http://www.bonsai-sec.com, for reporting this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =================
VirtualCenter  any       Windows   not affected
Workstation    7.x       any       7.1.2 Build 301548 or later
Workstation    6.5.x     any       6.5.5 Build 328052 or later
Player         3.1.x     any       3.1.2 Build 301548 or later
Player         2.5.x     any       2.5.5 Build 328052 or later
AMS            any       any       not affected
Server         2.0.2     any       affected, no patch planned
Fusion         3.1.x     Mac OS/X  3.1.2 Build 332101
Fusion         2.x       Mac OS/X  2.0.8 Build 328035
ESXi           4.1       ESXi      ESXi410-201010402-BG
ESXi           4.0       ESXi      ESXi400-201009402-BG
ESXi           3.5       ESXi      ESXe350-201008402-T-BG **
ESX            4.1       ESX       ESX410-201010405-BG
ESX            4.0       ESX       ESX400-201009401-SG
ESX            3.5       ESX       ESX350-201008409-BG **
ESX            3.0.3     ESX       not affected
* hosted products are VMware Workstation, Player, ACE, Fusion.
** Non Windows-based guest systems on ESXi 3.5 and ESX 3.5 only:
   - Install the relevant ESX patch.
   - Manually upgrade tools in the virtual machine (virtual machine users will not be prompted to upgrade tools). Note the VI Client may not show that the VMware tools is out of date in the summary tab.
d. VMware VMnc Codec frame decompression remote code execution
The VMware movie decoder contains the VMnc media codec that is
required to play back movies recorded with VMware Workstation,
VMware Player and VMware ACE, in any compatible media player. The
movie decoder is installed as part of VMware Workstation, VMware
Player and VMware ACE, or can be downloaded as a stand alone
package.
A function in the decoder frame decompression routine implicitly
trusts a size value. An attacker can utilize this to miscalculate
a destination pointer, leading to the corruption of a heap buffer,
and could allow for execution of arbitrary code with the privileges
of the user running an application utilizing the vulnerable codec.
For an attack to be successful the user must be tricked into
visiting a malicious web page or opening a malicious video file on
a system that has the vulnerable version of the VMnc codec installed.
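The class of bug described above, shown from the fixing side as an added example (not VMware's code and not the real VMnc format): a decoder applying a rectangle update must validate every size and offset field before it computes a destination pointer. The record layout, the 1-byte-per-pixel framebuffer and all names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical rectangle-update record; NOT the real VMnc layout. */
struct rect_hdr { uint32_t x, y, w, h; };      /* all fields untrusted */
struct framebuf { uint8_t *pix; uint32_t width, height; };

/* Returns 0 on success, -1 if the record would write outside the
 * framebuffer or read past the end of the payload. */
int apply_rect(struct framebuf *fb, const struct rect_hdr *r,
               const uint8_t *payload, size_t payload_len)
{
    /* A decoder that trusts the header would go straight to
     * dst = fb->pix + y * width + x and copy w bytes per row. */
    if (r->w == 0 || r->h == 0)
        return -1;
    /* Subtraction form: x + w and y + h can wrap, these cannot. */
    if (r->w > fb->width || r->x > fb->width - r->w)
        return -1;
    if (r->h > fb->height || r->y > fb->height - r->h)
        return -1;
    /* Payload must hold w*h bytes; 64-bit product cannot wrap. */
    uint64_t need = (uint64_t)r->w * r->h;
    if (need > payload_len)
        return -1;

    for (uint32_t row = 0; row < r->h; row++) {
        uint8_t *dst = fb->pix + (size_t)(r->y + row) * fb->width + r->x;
        memcpy(dst, payload + (size_t)row * r->w, r->w);
    }
    return 0;
}

/* Constructed demo: 16x8 framebuffer, 128-byte payload of 0xAA. */
int demo_rect(uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    uint8_t payload[128];
    struct framebuf fb = { calloc(16 * 8, 1), 16, 8 };
    struct rect_hdr r = { x, y, w, h };
    if (!fb.pix)
        return -2;
    memset(payload, 0xAA, sizeof payload);
    int rc = apply_rect(&fb, &r, payload, sizeof payload);
    /* On success the rectangle's bottom-right pixel must be written. */
    if (rc == 0 && fb.pix[(y + h - 1) * 16 + (x + w - 1)] != 0xAA)
        rc = -3;
    free(fb.pix);
    return rc;
}
```

The record with x = 0xFFFFFFFF and w = 2 is the case a naive `x + w <= width` test lets through, because the 32-bit sum wraps to 1.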
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-4294 to this issue.
VMware would like to thank Aaron Portnoy and Logan Brown of
TippingPoint DVLabs for reporting this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =================
VirtualCenter  any       Windows   not affected
Movie Decoder  any       Windows   7.1.2 Build 301548 or later
Movie Decoder  any       Windows   6.5.5 Build 328052 or later
Workstation    7.x       Windows   7.1.2 Build 301548 or later
Workstation    7.x       Linux     not affected
Workstation    6.5.x     Windows   6.5.5 build 328052 or later
Workstation    6.5.x     Linux     not affected
Player         3.x       Windows   3.1.2 Build 301548 or later
Player         3.x       Linux     not affected
Player         2.5.x     Windows   2.5.5 build 246459 or later
Player         2.5.x     Linux     not affected
AMS            any       any       not affected
Server         2.x       Windows   affected, no patch planned
Server         2.x       Linux     not affected
Fusion         any       Mac OS/X  not affected
ESXi           any       ESXi      not affected
ESX            any       ESX       not affected
Solution
Please review the patch/release notes for your product and version and verify the md5sum and/or the sha1sum of your downloaded file.
VMware Workstation Movie Decoder
Workstation 7.1.2 Movie Decoder md5sum: a4d761a21670c735d04abb89e674656e sha1sum: b66673c30f3b8b8fb18035d08a6255f478be875d
Workstation 6.5.5 Movie Decoder build 328052 md5sum: 1223bb57d97df39259be2c6c90a65ba6 sha1sum: 3ae7cdeeeebf6a716ec73f934077545945474ff6
VMware Workstation 7.1.3
http://www.vmware.com/download/ws/ Release notes: http://downloads.vmware.com/support/ws71/doc/releasenotes_ws713.html
Workstation for Windows 32-bit and 64-bit with VMware Tools md5sum: 7b9dc01bf733047a00711f5800df6107 sha1sum: 5f36117c64455f3dff3b7410a0bfc72e41905181
Workstation for Windows 32-bit and 64-bit without VMware Tools md5sum: d102006f7a3951dd58325f5b4e151abe sha1sum: ccfd70278d3c89b38776d656fa797ca8e9b28d55
Workstation 6.5.5
http://www.vmware.com/download/ws/ Release notes: http://downloads.vmware.com/support/ws65/doc/releasenotes_ws655.html
Workstation for Windows 32-bit and 64-bit md5sum: 7bff9b621529efb0de808a45e7821274 sha1sum: 41af7a9a78717cb85dd30b4d830e99fd5de49cc1
Workstation for Linux 32-bit (rpm) md5sum: 17c3f1a0e6ccf2b1e224a5d75c845a47 sha1sum: 3027b4e2215fae84fa9311f8cd762fee17e89df0
Workstation for Linux 32-bit (bundle) md5sum: 7c24811fb999204f144d8b9f50e9fcae sha1sum: 18a05e6f4f772b7f0563dbd17596b66d1db8e9fa
Workstation for Linux 64-bit (rpm) md5sum: c25c2535d8091c4d46701ed081347901 sha1sum: f4356bc224ea9805dac2d4b677f88a2f4220353e
Workstation for Linux 64-bit (bundle) md5sum: 7012bdaf182d256672ff2eb24b00a40f sha1sum: 58ecb2a494d4c7cc663e2028cf76c13d458fecac
VMware Player 3.1.3
http://www.vmware.com/download/player/ Release notes:
http://downloads.vmware.com/support/player31/doc/releasenotes_player313.html
VMware Player for Windows 32-bit and 64-bit
md5sum: bd66a0ab8ae87d5cfa32b8ff44f99d1f
sha1sum: 8ab358efc97a64639cce83766c35d43b0d662132
VMware Player for Linux 32-bit (bundle) md5sum: e5d0bf19a1908262f63a8f88df77f73e sha1sum: 4abb87d37706c47a86337ada1d23d390455e4931
VMware Player for Linux 64-bit (bundle) md5sum: 18e6aae025ee2ef9f10ce6d9271ce472 sha1sum: 6608bce64811be4480e667726aefefdc2b71e4e3
VMware Player 2.5.5
VMware Player 2.5.5 for Windows 32-bit and 64-bit md5sum: 780b2c4e2b1610dea3090b1cd81d5ad7 sha1sum: f6c451a11a4fe66e5a465de960de1358e83b8314
VMware Player 2.5.5 for Linux 32-bit (rpm) md5sum: 9e13ee3904bd2377ffb8cfa66460fe92 sha1sum: 2482acad19f6b23cf0c236d1ce87d4805b7b0e6c
VMware Player 2.5.5 for Linux 32-bit (bundle) MD5SUM: 46dcfe9343f688d60e249d9e9c3853a4 SHA1SUM: abfdeaf2cac83c630662607e7b95439367376abf
VMware Player 2.5.5 for Linux 64-bit (rpm) MD5SUM: 52d6dcdeed9e564c8cfe8c35cec885f0 SHA1SUM: dbaa6dac55f592b9c6b16d7505796a2580836f4b
VMware Player 2.5.5 for Linux 64-bit (bundle) md5sum: 6c9a677820010ccd20f829cb5d2c057b sha1sum: ff6eccba3125229e8adbc1cb96764c2f116d89c5
VMware Fusion
VMware Fusion 3.1.2 build 332101 md5sum: a809170c9bd55a102c007c20269c4729 sha1sum: bf56e0f873d8e0d67fd73fba5e597e0931083e03
VMware Fusion Lite 3.1.2 build 332101 md5sum: d7db517cb25320152723f8535c90dd16 sha1sum: 555d9bd03327731270acfc851ba15b28ef3f6720
VMware Fusion 2.0.8 (for Intel-based Macs) md5sum: 9951d3b7985c39c685d59eaa73fe267c sha1sum: 11463924b5a7f82161090416905774da45e1cd3e
VMware Fusion Lite 2.0.8 (for Intel-based Macs) md5sum: 0bee2ef0d0e9e543b2468ed9618e32c8 sha1sum: fa56bb7ea3493d07610051f92b9941305a436a2f
ESXi 4.1
ESXi410-201010001 Download link: https://hostupdate.vmware.com/software/VUM/OFFLINE/release-251-20101108-239087/ESXi410-201010001.zip md5sum: 05f1049c7a595481cd682e92fe8d3285 sha1sum: f6993c185f7d1cb971a4ae6e017e0246b8c25a76 http://kb.vmware.com/kb/1027753
Note ESXi410-201010001 contains the following security fix: ESXi410-201010402-BG
ESXi 4.0
ESXi400-201009001 Download link: https://hostupdate.vmware.com/software/VUM/OFFLINE/release-241-20100919-436526/ESXi400-201009001.zip md5sum: bfc1b78f14d970c556b828492f5920e1 sha1sum: a311a4af41aa1202bb6b156694bbc045c67df91a http://kb.vmware.com/kb/1025322
Note ESXi400-201009001 contains the following security fix: ESXi400-201009402-BG
ESXi 3.5
ESXe350-201008401-O-SG http://download3.vmware.com/software/vi/ESXe350-201008401-O-SG.zip md5sum:a2bb0afbc677ba847bedecb44dbdd4b3 http://kb.vmware.com/kb/1026139
Note ESXe350-201008401-O-SG contains the following security fix: ESXe350-201008402-T-BG
ESX 4.1
ESX410-201010001
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-252-20101109-182791/ESX410-201010001.zip md5sum: ff4435fd3c74764f064e047c6e5e7809 sha1sum:322981f4dbb9e5913c8f38684369444ff7e265b3 http://kb.vmware.com/kb/1027027
ESX410-201010001 contains the following security fix: ESX410-201010405-BG
ESX 4.0
ESX400-201009001
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-240-20100919-359479/ESX400-201009001.zip md5sum: 988c593b7a7abf0be5b72970ac64a369 sha1sum: 26d875955b01c19f4e56703216e135257c08836f http://kb.vmware.com/kb/1025321
ESX400-201009001 contains the following security fix: ESX400-201009401-SG
ESX 3.5
ESX350-201008409-BG http://download3.vmware.com/software/vi/ESX350-201008409-BG.zip md5sum: f2c4a4a53695057de25f095029d713fb http://kb.vmware.com/kb/1026133
References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4297
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4294
- Change log
2010-12-02 VMSA-2010-0018 Initial security advisory after release of Workstation 6.5.5, Player 2.5.5, Fusion 2.0.8 and Fusion 3.1.2 on 2010-12-02. ESX patches and Workstation 7.1.2 and 7.1.3 were released previously.
- Contact
E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center http://www.vmware.com/security
VMware Security Advisories http://www.vmware.com/security/advisories
VMware security response policy http://www.vmware.com/support/policies/security_response.html
General support life cycle policy http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html
Copyright 2010 VMware Inc. All rights reserved.