SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   VMware Vendors:   VMware, Inc.
VMware Virtual Machine Communication Interface Memory Corruption Flaw Lets Local Users Deny Service
SecurityTracker Alert ID:  1019624
SecurityTracker URL:  http://securitytracker.com/id/1019624
CVE Reference:   CVE-2008-1340   (Links to External Site)
Updated:  Apr 25 2008
Original Entry Date:  Mar 18 2008
Impact:   Denial of service via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): VMware Workstation 6.0; VMware Player 2.0; VMware ACE 2.0; VMware Fusion 1.1.1
Description:   A vulnerability was reported in VMware in the Virtual Machine Communication Interface. A local user can cause denial of service conditions.

A local user can make a specially crafted call to the Virtual Machine Communication Interface (VMCI) to consume excessive memory or corrupt memory and crash the host system.

Andrew Honig of the U.S. Department of Defense reported this vulnerability.

Impact:   A local user can cause the target host system.
Solution:   The vendor has issued the following fixes.

VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
VMware Player 2.0 upgrade to version 2.0.3 (Build# 80004)
VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
VMware Fusion 1.1.1 upgrade to version 1.1.2 (Build# 87978)

The vendor's advisory is available at:

http://www.vmware.com/security/advisories/VMSA-2008-0005.html

[Editor's note: On April 24, 2008, VMware updated the advisory to indicate that VMware Fusion is affected and that the above listed VMware Fusion fix is available.]

Vendor URL:  www.vmware.com/security/advisories/VMSA-2008-0005.html (Links to External Site)
Cause:   Exception handling error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Mon, 17 Mar 2008 19:04:22 -0700
Subject:  [Security-announce] VMSA-2008-0005 Updated VMware Workstation,

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------
~                   VMware Security Advisory

Advisory ID:       VMSA-2008-0005
Synopsis:          Updated VMware Workstation, VMware Player, VMware
~                   Server, VMware ACE, and VMware Fusion resolve
~                   critical security issues
Issue date:        2008-03-17
Updated on:        2008-03-17 (initial release of advisory)
CVE numbers:       CVE-2008-0923 CVE-2008-0923 CVE-2008-1361
~                   CVE-2008-1362 CVE-2007-5269 CVE-2006-2940
~                   CVE-2006-2937 CVE-2006-4343 CVE-2006-4339
~                   CVE-2007-5618 CVE-2008-1364 CVE-2008-1363
~                   CVE-2008-1340
- -------------------------------------------------------------------

1. Summary:

~   Several critical security vulnerabilities have been addressed
~   in the newest releases of VMware's hosted product line.

2. Relevant releases:

~   VMware Workstation 6.0.2 and earlier
~   VMware Workstation 5.5.4 and earlier
~   VMware Player 2.0.2 and earlier
~   VMware Player 1.0.4 and earlier
~   VMware ACE 2.0.2 and earlier
~   VMware ACE 1.0.2 and earlier
~   VMware Server 1.0.4 and earlier
~   VMware Fusion 1.1 and earlier

3. Problem description:

~ a.  Host to guest shared folder (HGFS) traversal vulnerability

~     On Windows hosts, if you have configured a VMware host to guest
~     shared folder (HGFS), it is possible for a program running in the
~     guest to gain access to the host's file system and create or modify
~     executable files in sensitive locations.

NOTE: VMware Server is not affected because it doesn't use host to
~      guest shared folders.  No versions of ESX Server, including
~      ESX Server 3i, are affected by this vulnerability.  Because
~      ESX Server is based on a bare-metal hypervisor architecture
~      and not a hosted architecture, and it doesn't include any
~      shared folder abilities.  Fusion and Linux based hosted
~      products are unaffected.

~     VMware would like to thank CORE Security Technologies for
~     working with us on this issue.  This addresses advisory
~     CORE-2007-0930.

~     The Common Vulnerabilities and Exposures project (cve.mitre.org)
~     has assigned the name CVE-2008-0923 to this issue.

~     Hosted products
~     ---------------
~     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
~     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
~     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
~     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

~ b.  Insecure named pipes

~     An internal security audit determined that a malicious Windows
~     user could attain and exploit LocalSystem privileges by causing
~     the authd process to connect to a named pipe that is opened and
~     controlled by the malicious user.

~     The same internal security audit determined that a malicious
~     Windows user could exploit an insecurely created named pipe
~     object to escalate privileges or create a denial of service
~     attack.  In this situation, the malicious user could
~     successfully impersonate authd and attain privileges under
~     which Authd is executing.

~     The Common Vulnerabilities and Exposures project (cve.mitre.org)
~     has assigned the names CVE-2008-1361, CVE-2008-1362 to these
~     issues.

~     Windows Hosted products
~     ---------------
~     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
~     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
~     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
~     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
~     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

~ c.  Updated libpng library to version 1.2.22 to address various
~     security vulnerabilities

~     Several flaws were discovered in the way libpng handled various PNG
~     image chunks. An attacker could create a carefully crafted PNG
~     image file in such a way that it could cause an application linked
~     with libpng to crash when the file was manipulated.

~     The Common Vulnerabilities and Exposures project (cve.mitre.org)
~     has assigned the name CVE-2007-5269 to this issue.

~     Hosted products
~     ---------------
~     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
~     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
~     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
~     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
~     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

~     NOTE: Fusion is not affected by this issue.

~ d.  Updated OpenSSL library to address various security vulnerabilities

~     Updated OpenSSL fixes several security flaws were discovered
~     in previous versions of OpenSSL.

~     The Common Vulnerabilities and Exposures project (cve.mitre.org)
~     assigned the following names to these issues: CVE-2006-2940,
~     CVE-2006-2937, CVE-2006-4343, CVE-2006-4339.

~     Hosted products
~     ---------------
~     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
~     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
~     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
~     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
~     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

~     NOTE: Fusion is not affected by this issue.

~ e.  VIX API default setting changed to a more secure default value

~     Workstation 6.0.2 allowed anonymous console access to the guest by
~     means of the VIX API. This release, Workstation 6.0.3, disables
~     this feature. This means that the Eclipse Integrated Virtual
~     Debugger and the Visual Studio Integrated Virtual Debugger will now
~     prompt for user account credentials to access a guest.

~     Hosted products
~     ---------------
~     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
~     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)

~ f.  Windows 2000 based hosted products privilege escalation
~     vulnerability

~     This release addresses a potential privilege escalation on
~     Windows 2000 hosted products.  Certain services may be improperly
~     registered and present a security vulnerability to Windows 2000
~     machines.

~     VMware would like to thank Ray Hicken for reporting this issue and
~     David Maciejak for originally pointing out these types of
~     vulnerabilities.

~     The Common Vulnerabilities and Exposures project (cve.mitre.org)
~     assigned the name CVE-2007-5618 to this issue.

~     Windows versions of Hosted products
~     ---------------
~     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
~     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
~     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
~     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
~     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

~     NOTE: Fusion and Linux based products are not affected by this
~           issue.

~ g.  DHCP denial of service vulnerability

~     A potential denial of service issue affects DHCP service running
~     on the host.

~     VMware would like to thank Martin O'Neal for reporting this issue.

~     The Common Vulnerabilities and Exposures project (cve.mitre.org)
~     assigned the name CVE-2008-1364 to this issue.

~     Hosted products
~     ---------------
~     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
~     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
~     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)
~     VMware Fusion      1.1 upgrade to version 1.1.1 (Build# 72241)

~     NOTE: This issue doesn't affect the latest versions of VMware
~           Workstation 6, VMware Player 2, and ACE 2 products.

~ h.  Local Privilege Escalation on Windows based platforms by
~     Hijacking VMware VMX configuration file

~     VMware uses a configuration file named "config.ini" which
~     is located in the application data directory of all users.
~     By manipulating this file, a user could gain elevated
~     privileges by hijacking the VMware VMX process.

~     VMware would like to thank Sun Bing for reporting the issue.

~     The Common Vulnerabilities and Exposures project (cve.mitre.org)
~     assigned the name CVE-2008-1363 to this issue.

~     Windows based Hosted products
~     ---------------
~     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~     VMware Workstation 5.5 upgrade to version 5.5.6 (Build# 80404)
~     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
~     VMware Player      1.0 upgrade to version 1.0.6 (Build# 80404)
~     VMware Server      1.0 upgrade to version 1.0.5 (Build# 80187)
~     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)
~     VMware ACE         1.0 upgrade to version 1.0.5 (Build# 79846)

~ i.  Virtual Machine Communication Interface (VMCI) memory corruption
~     resulting in denial of service

~     VMCI was introduced in VMware Workstation 6.0, VMware Player 2.0,
~     and VMware ACE 2.0.  It is an experimental, optional feature and
~     it may be possible to crash the host system by making specially
~     crafted calls to the VMCI interface.  This may result in denial
~     of service via memory exhaustion and memory corruption.

~     VMware would like to thank Andrew Honig of the Department of
~     Defense for reporting this issue.

~     The Common Vulnerabilities and Exposures project (cve.mitre.org)
~     assigned the name CVE-2008-1340 to this issue.

~     Hosted products
~     ---------------
~     VMware Workstation 6.0 upgrade to version 6.0.3 (Build# 80004)
~     VMware Player      2.0 upgrade to version 2.0.3 (Build# 80004)
~     VMware ACE         2.0 upgrade to version 2.0.1 (Build# 80004)

4. Solution:

Please review the Patch notes for your product and version and verify
the md5sum of your downloaded file.

~  VMware Workstation 6.0.3
~  ------------------------
~  http://www.vmware.com/download/ws/
~  Release notes:
~  http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
~  Windows binary
~  md5sum:  323f054957066fae07735160b73b91e5
~  RPM Installation file for 32-bit Linux
~  md5sum:  c44183ad11082f05593359efd220944e
~  tar Installation file for 32-bit Linux
~  md5sum:  57601f238106cb12c1dea303ad1b4820
~  RPM Installation file for 64-bit Linux
~  md5sum:  e9ba644be4e39556724fa2901c5e94e9
~  tar Installation file for 64-bit Linux
~  md5sum:  d8d423a76f99a94f598077d41685e9a9

~  VMware Workstation 5.5.5
~  ------------------------
~  http://www.vmware.com/download/ws/ws5.html
~  Release notes:
~  http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html
~  Windows binary
~  md5sum:  9c2dd94db5eed93d7f64e8d6ba8d8bd3
~  Compressed Tar archive for 32-bit Linux
~  md5sum:  77401c0842a151f0b2db0b4fcb0d16eb
~  Linux RPM version for 32-bit Linux
~  md5sum:  c222b6db934deb9c1bb79b16b25a3202

~  VMware Server 1.0.5
~  -------------------
~  http://www.vmware.com/download/server/
~  Release notes:
~  http://www.vmware.com/support/server/doc/releasenotes_server.html
~  VMware Server for Windows 32-bit and 64-bit
~  md5sum:  3c4a57310c55e17bf8e4a1059d5b36cc
~  VMware Server Windows client package
~  md5sum:  cb3dd2439203dc510f4d95f06ba59d21
~  VMware Server for Linux
~  md5sum:  161dcbe5af9bbd9834a86bf7c599903e
~  VMware Server for Linux rpm
~  md5sum:  fc3b81ed18b53eda943a992971e9f84a
~  Management Interface
~  md5sum:  dd10d25895d9994bd27ca896152f48ef
~  VMware Server Linux client package
~  md5sum:  aae18f1f7b8811b5499e3a358754d4f8

~  VMware ACE 2.0.3 and 1.0.5
~  --------------------------
~  http://www.vmware.com/download/ace/
~  Windows Release notes:
~  http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html

~  VMware Fusion 1.1.1
~  -------------------
~  http://www.vmware.com/download/fusion/
~  Release notes:
~  http://www.vmware.com/support/fusion/doc/releasenotes_fusion.html
~  md5sum:  38e116ec26b30e7a6ac47c249ef650d0

~  VMware Player 2.0.3 and 1.0.6
~  ----------------------
~  http://www.vmware.com/download/player/
~  Release notes Player 1.x:
~  http://www.vmware.com/support/player/doc/releasenotes_player.html
~  Release notes Player 2.0
~  http://www.vmware.com/support/player2/doc/releasenotes_player2.html
~  2.0.3 Windows binary
~  md5sum:  0c5009d3b569687ae139e13d24c868d3
~  VMware Player 2.0.3 for Linux (.rpm)
~  md5sum:  53502b2112a863356dcd13dd0d8dd8f2
~  VMware Player 2.0.3 for Linux (.tar)
~  md5sum:  2305fcff49bef6e4ad83742412eac978
~  VMware Player 2.0.3 - 64-bit (.rpm)
~  md5sum:  cf945b571c4d96146ede010286fdfca5
~  VMware Player 2.0.3 - 64-bit (.tar)
~  md5sum:  f99c5b293eb87c5f918ad24111565b9f
~  1.0.6 Windows binary
~  md5sum:  895081406c4de5361a1700ec0473e49c
~  Player 1.0.6 for Linux (.rpm)
~  md5sum:  8adb23799dd2014be0b6d77243c76942
~  Player 1.0.6 for Linux (.tar)
~  md5sum:  c358f8e1387fb60863077d6f8a9f7b3f

5. References:

~   CVE numbers
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0923
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1361
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1362
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5618
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1364
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1363
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1340

- -------------------------------------------------------------------
6. Contact:

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

~  * security-announce@lists.vmware.com
~  * bugtraq@securityfocus.com
~  * full-disclosure@lists.grok.org.uk

E-mail:  security@vmware.com

Security web site
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFH3yMbS2KysvBH1xkRCG+XAJ9Roujx0tsYgRmLSJ6VTZhBdqDC2QCdH76x
rtgtuBQk9sLrmz1eY4Em0ug=
=iWQw
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC