Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17052
HistoryMay 19, 2007 - 12:00 a.m.

VMSA-2007-0004.1 Updated: Multiple Denial-of-Service issues fixed and directory traversal vulnerability

2007-05-1900:00:00
vulners.com
21

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


               VMware Security Advisory

Advisory ID: VMSA-2007-0004.1
Synopsis: Updated: Multiple Denial-of-Service issues fixed
and directory traversal vulnerability
Issue date: 2007-05-04
Updated on: 2007-05-17
CVE numbers: CVE-2007-1069 CVE-2007-1337 CVE-2007-1877
CVE-2007-1876 CVE-2007-1744


  1. Summary:

Multiple Denial-of-Service issues fixed. A directory traversal
vulnerability is also addressed.

  1. Relevant releases:

VMware Workstation prior to 5.5.4
VMware Player prior to 1.0.4
VMware Server prior to 1.0.3
VMware ACE prior to 1.0.3
VMware ESX 3.0.1 without patches ESX-6856573, ESX-6431040,
ESX-6704314, ESX-5095559.
VMware ESX 3.0.0 without patches ESX-3496682, ESX-5754280,
ESX-1256636, ESX-7104553.
VMware ESX 2.5.4 prior to upgrade patch 8 (Build# 44671)
VMware ESX 2.5.3 prior to upgrade patch 11 (Build# 44672)
VMware ESX 2.1.3 prior to upgrade patch 6 (Build# 44407)
VMware ESX 2.0.2 prior to upgrade patch 6 (Build# 44406)

  1. Problem description:

Problems addressed by these patches:

a. Denial-of-Service on Windows based guest operating systems.

 Some VMware products managed memory in a way that failed to
 gracefully handle some general protection faults (GPFs) in Windows
 guest operating systems.

 A malicious user could use this vulnerability to crash Windows
 virtual machines.  While this vulnerability could allow an
 attacker to crash a virtual machine, we do not believe it was
 possible to escalate privileges or escape virtual containment.

 VMware thanks Ruben Santamarta of Reversemode for identifying and
 reporting this issue.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)
 assigned the name CVE-2007-1069 to this issue.

 ESX
 ---
 ESX Server 3.0.1 Download Patch Bundle ESX-6856573
 ESX Server 3.0.0 Download Patch Bundle ESX-3496682
 ESX 2.5.4 Upgrade Patch 8  (Build# 44671)
 ESX 2.5.3 Upgrade Patch 11 (Build# 44672)
 ESX 2.1.3 Upgrade Patch 6  (Build# 44407)
 ESX 2.0.2 Upgrade Patch 6  (Build# 44406)

 Hosted products
 ---------------
 VMware Workstation 5.5.4 (Build# 44386)
 VMware Player      1.0.4 (Build# 44386)
 VMware Server      1.0.3 (Build# 44356)
 VMware ACE         1.0.3 (Build# 44385)

b. Denial-of-Service using ACPI I/O ports

 Virtual machines can be put in various states of suspension, as
 specified by the ACPI power management standard. When returning
 from a sleep state (S2) to the run state (S0), the virtual machine
 process (VMX) collects information about the last recorded running
 state for the virtual machine.  Under some circumstances, VMX read
 state information from an incorrect memory location. This issue
 could be used to complete a successful Denial-of-Service attack
 where the virtual machine would need to be rebooted.

 Thanks to Tavis Ormandy of Google for identifying this issue.
 http://taviso.decsystem.org/virtsec.pdf

 The Common Vulnerabilities and Exposures project (cve.mitre.org)
 has assigned the name CVE-2007-1337 to this issue.

 ESX
 ---
 ESX 3.0.1 Download Patch Bundle ESX-6431040
 ESX 3.0.0 Download Patch Bundle ESX-5754280
 ESX 2.5.4 Upgrade Patch 8  (Build# 44671)
 ESX 2.5.3 Upgrade Patch 11 (Build# 44672)
 ESX 2.1.3 Upgrade Patch 6  (Build# 44407)
 ESX 2.0.2 Upgrade Patch 6  (Build# 44406)

 Hosted products
 ---------------
 VMware Workstation 5.5.4 (Build# 44386)
 VMware Player      1.0.4 (Build# 44386)
 VMware Server      1.0.3 (Build# 44356)
 VMware ACE         1.0.3 (Build# 44385)

c. Denial-of-Service using malformed configuration data

 Some VMware products support storing configuration information
 files. Under some circumstances, a malicious user could instruct
 the virtual machine process (VMX) to store malformed data, causing
 an error. This error could enable a successful Denial-of-Service
 attack on guest operating systems.

 VMware would like to thank Per-Fredrik Pollnow and Mikael Janers
 technical security consultants at SunGard iXsecurity.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)
 has assigned the name CVE-2007-1877 to this issue.

 ESX
 ---
 ESX 3.0.1 Download Patch Bundle ESX-6704314 and ESX-5095559
 ESX 3.0.0 Download Patch Bundle ESX-1256636 and ESX-7104553
 ESX 2.5.4 Upgrade Patch 8  (Build# 44671)
 ESX 2.5.3 Upgrade Patch 11 (Build# 44672)
 ESX 2.1.3 Upgrade Patch 6  (Build# 44407)
 ESX 2.0.2 Upgrade Patch 6  (Build# 44406)

 Hosted products
 ---------------
 VMware Workstation 5.5.4 (Build# 44386)
 VMware Player      1.0.4 (Build# 44386)
 VMware Server      1.0.3 (Build# 44356)
 VMware ACE         1.0.3 (Build# 44385)

d. Debugging local programs could create system instability

 In a 64-bit Windows guest on a 64-bit host, debugging local
 programs could create system instability. Using a debugger to step
 into a syscall instruction may corrupt the virtual machine's
 register context. This corruption produces unpredictable results
 including corrupted stack pointers, kernel bugchecks, or vmware-vmx
 process failures.

 Thanks to Ken Johnson for identifying this issue.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)
 has assigned the name CVE-2007-1876 to this issue.

 ESX
 ---
 ESX 3.0.1 Download Patch Bundle ESX-5095559
 ESX 3.0.0 Download Patch Bundle ESX-7104553

 NOTE: ESX 2.x doesn't support 64-bit guest operating systems

 Hosted products
 ---------------
 VMware Workstation 5.5.4 (Build# 44386)
 VMware Player      1.0.4 (Build# 44386)
 VMware Server      1.0.3 (Build# 44356)
 VMware ACE         1.0.3 (Build# 44385)

e. Directory traversal vulnerability in shared folders feature

 Shared Folders is a feature that enables users of guest operating
 systems to access a specified set of folders in the host's file
 system. A vulnerability was identified by Greg MacManus of iDefense
 Labs that could allow an attacker to write arbitrary content from a
 guest system to arbitrary locations on the host system. In order to
 exploit this vulnerability, the VMware system must have at least
 one folder shared. Although the Shared Folder feature is enabled by
 default, no folders are shared by default, which means this
 vulnerability is not exploitable by default.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)
 has assigned the name CVE-2007-1744 to this issue.

 Hosted products
 ---------------
 VMware Workstation 5.5.4 (Build# 44386)
 VMware Player      1.0.4 (Build# 44386)
 VMware Server      1.0.3 (Build# 44356)
 VMware ACE         1.0.3 (Build# 44385)

 NOTE: ESX doesn't use shared folders
  1. Solution:

Please review the Patch notes for your product and version and verify
the md5sum of your downloaded file.

ESX 3.0.1

ESX-6856573
http://www.vmware.com/support/vi3/doc/esx-6856573-patch.html
md5sum 16bb030929bb005fe26c09f637cb9cd8

ESX-6431040
http://www.vmware.com/support/vi3/doc/esx-6431040-patch.html
md5sum ef6bc745b3d556e0736fd39b8ddc8087

ESX-6704314
http://www.vmware.com/support/vi3/doc/esx-6704314-patch.html
md5sum 2470567517a64726b1c5929c59ed6134

ESX-5095559
http://www.vmware.com/support/vi3/doc/esx-5095559-patch.html
md5sum bcded4127598c22d47f06ab03366d2f8

ESX 3.0.0

ESX-3496682
http://www.vmware.com/support/vi3/doc/esx-3496682-patch.html
md5sum 929c6830a4cdc939b0b2a35e83e3b1ac

ESX-5754280
http://www.vmware.com/support/vi3/doc/esx-5754280-patch.html
md5sum 82b3c7e18dd1422f30c4aa9e477c6a27

ESX-1256636
http://www.vmware.com/support/vi3/doc/esx-1256636-patch.html
md5sum e7f0b1920bd2a609d1c3b18249717f2c

ESX-7104553
http://www.vmware.com/support/vi3/doc/esx-7104553-patch.html
md5sum 81c4f33331a4cbc565c1d9a44b1ea4fc

ESX 2.5.4
http://www.vmware.com/support/esx25/doc/esx-254-200704-patch.html
md5sum ef4d601c130c7a08176827252bc01152

ESX 2.5.3
http://www.vmware.com/support/esx25/doc/esx-253-200704-patch.html
md5sum be048c744cdcd71b3da92098efe06f08

ESX 2.1.3
http://www.vmware.com/support/esx21/doc/esx-213-200704-patch.html
md5sum 2dfc6aca32c77d673b0f7a1295ad7609

ESX 2.0.2
http://www.vmware.com/support/esx2/doc/esx-202-200704-patch.html
md5sum 0e997bd53d94dff2d9452e5679bd1b3c

Hosted products can be downloaded from the following locations:

VMware Workstation 5.5.4
http://www.vmware.com/download/ws/ws5.html

Note: VMware Workstation 6.0.0, is available. Anyone
considering a patch or upgrade may wish to plan for a move
directly to the VMware Workstation 6.0.0 release.

VMware Workstation 6.0.0
http://www.vmware.com/download/ws/

VMware Server 1.0.3
http://www.vmware.com/download/server/

VMware Player 1.0.4
http://www.vmware.com/download/player/

Note: VMware Player 2.0, is available. Anyone considering
a patch or upgrade may wish to plan for a move directly to
the VMware Player 2.0 release.

VMware ACE 1.0.3
http://www.vmware.com/download/ace/

Note: ACE 2, a major release of ACE, is available. Anyone
considering a patch or upgrade may wish to plan for a move
directly to the ACE 2.0 release.

  1. References:

CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1877
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1744

  1. Contact:

E-mail: [email protected]

http://www.vmware.com/security

VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html

Copyright 2007 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGThs/6KjQhy2pPmkRCET/AKCwGzT4gpeqzlOxBmsT2DOJZKhqiACfQKkF
Oq2SKMQOtGspeNVoTHbgpbs=
=IhB5
-----END PGP SIGNATURE-----

Related for SECURITYVULNS:DOC:17052