SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   VMware GSX Server Vendors:   VMware
VMware GSX Server Lets Local Users Execute Programs With Root Privileges
SecurityTracker Alert ID:  1007289
SecurityTracker URL:  http://securitytracker.com/id/1007289
CVE Reference:   CVE-2003-0631   (Links to External Site)
Updated:  Aug 4 2003
Original Entry Date:  Jul 24 2003
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.5.1 build 4968 and prior
Description:   A vulnerability was reported in VMware GSX Server. A local user can start an arbitrary application with root privileges. VMware Workstation is also affected.

It is reported that a local user can modify certain environment variables to cause an application to be started with root privileges when a virtual machine is launched. This can allow the local user to gain root access on the system.

Only the Linux platforms are affected, according to the report.

Impact:   A local user can execute an application with root privileges to gain root access on the system.
Solution:   The vendor has released a fix (GSX Server 2.5.1 patch 1), to be available shortly to supported customers at:

http://www.vmware.com/vmwarestore/newstore/download.jsp?ProductCode=GSX-LX-ESD

Upgrade instructions are available at:

http://www.vmware.com/support/gsx25/doc/upgrade_gsx.html

Vendor URL:  www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1039 (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any)

Message History:   None.


 Source Message Contents

Subject:  VMware GSX Server 2.5.1 / Workstation 4.0 (for Linux systems)


---825423385-571259872-1058998065=:25752
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.LNX.4.55.0307231609001.25752@mail.securityfocus.com>


David Mirza Ahmad
Symantec

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
--
The battle for the past is for the future.
We must be the winners of the memory war.


-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



Description
- -----------

The following products have a vulnerability that can allow a
user of the host system to start an arbitrary program with
root privileges: 

VMware GSX Server 2.5.1 (for Linux systems) build 4968 and
earlier releases VMware Workstation 4.0 (for Linux systems)
and earlier releases  


Details/Impact
- --------------

By manipulating the VMware GSX Server and VMware Workstation
environment variables, a program such as a shell session with
root privileges could be started when a virtual machine is
launched. The user would then have full access to the host.

VMware strongly urges customers running GSX Server and
Workstation (for Linux systems) to upgrade as soon
as possible. 

Customers running any version of VMware GSX Server or
Workstation (for Windows operating systems) are not subject to
this vulnerability. 

Solution
- --------

To correct the vulnerability in VMware Workstation 4.0, VMware
has released the following: 

- - Workstation 4.0.1 

To correct the vulnerability in GSX Server 2.5.1, VMware will
release the following: 

- - GSX Server 2.5.1 patch 1 (for Linux systems) 

Details
- -----------
GSX Server 2.5.1 patch 1 (for Linux systems) 

VMware GSX Server customers with support services are entitled
to download and install this patched version. VMware strongly
urges customers running GSX Server (for Linux 
systems) to upgrade as soon as possible.

VMware GSX Server customers with support services are entitled
to download and install this patched version from 

http://www.vmware.com/vmwarestore/newstore/download.jsp?ProductCode=GSX-LX-ESD

This will be available soon. 

Upgrade instructions are at:
http://www.vmware.com/support/gsx25/doc/upgrade_gsx.html

- -----------
VMware Workstation 4.0.1 

VMware Workstation customers, if covered under the VMware Workstation Product
Upgrade Policy as described at:

http://www.vmware.com/vmwarestore/pricing.html

are entitled to download and install this updated version from

http://www.vmware.com/vmwarestore/newstore/download.jsp?ProductCode=WKST4-LX-ESD

This is available today. 

Upgrade instructions are at

http://www.vmware.com/support/ws4/doc/ws40_upgrade.html


Notes
- -----

* VMware wishes to thank Paul Szabo of the University of Sydney for alerting us
to this vulnerability.

His Web page is at: 
http://www.maths.usyd.edu.au:8000/u/psz/


* VMware has posted a knowledge base article that describes this problem:

http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1039

- -----------------
This document is clear signed with PGP.  

VMware has the PGP public key available at

http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1055

Some mail programs cause changes to mail messages and content,
which may result in an indication that the PGP signature for
this message is not valid.  This may also occur if this
message is forwarded through another email distribution list
that changes the "From" field.  Please try to save the message
into a file and then running PGP on it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)

iD8DBQE/HwWTLsZLrftG15MRAhXiAJ9vFcGCqKmTG+vzqXrHoiXbuTFNnACgwBwp
K3nnGqL48DDolgn8TFY6zSY=
=Dblu
-----END PGP SIGNATURE-----


---825423385-571259872-1058998065=:25752
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="GSX_WS_PR29113_Bugtraq_vulnerability_posting.asc"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.55.0307231607450.25752@mail.securityfocus.com>
Content-Description: 
Content-Disposition: ATTACHMENT; FILENAME="GSX_WS_PR29113_Bugtraq_vulnerability_posting.asc"

LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQ0NCkhhc2g6IFNI
QTENDQoNDQoNDQoNDQpEZXNjcmlwdGlvbg0NCi0gLS0tLS0tLS0tLS0NDQoN
DQpUaGUgZm9sbG93aW5nIHByb2R1Y3RzIGhhdmUgYSB2dWxuZXJhYmlsaXR5
IHRoYXQgY2FuIGFsbG93IGENDQp1c2VyIG9mIHRoZSBob3N0IHN5c3RlbSB0
byBzdGFydCBhbiBhcmJpdHJhcnkgcHJvZ3JhbSB3aXRoDQ0Kcm9vdCBwcml2
aWxlZ2VzOiANDQoNDQpWTXdhcmUgR1NYIFNlcnZlciAyLjUuMSAoZm9yIExp
bnV4IHN5c3RlbXMpIGJ1aWxkIDQ5NjggYW5kDQ0KZWFybGllciByZWxlYXNl
cyBWTXdhcmUgV29ya3N0YXRpb24gNC4wIChmb3IgTGludXggc3lzdGVtcykN
DQphbmQgZWFybGllciByZWxlYXNlcyAgDQ0KDQ0KDQ0KRGV0YWlscy9JbXBh
Y3QNDQotIC0tLS0tLS0tLS0tLS0tDQ0KDQ0KQnkgbWFuaXB1bGF0aW5nIHRo
ZSBWTXdhcmUgR1NYIFNlcnZlciBhbmQgVk13YXJlIFdvcmtzdGF0aW9uDQ0K
ZW52aXJvbm1lbnQgdmFyaWFibGVzLCBhIHByb2dyYW0gc3VjaCBhcyBhIHNo
ZWxsIHNlc3Npb24gd2l0aA0NCnJvb3QgcHJpdmlsZWdlcyBjb3VsZCBiZSBz
dGFydGVkIHdoZW4gYSB2aXJ0dWFsIG1hY2hpbmUgaXMNDQpsYXVuY2hlZC4g
VGhlIHVzZXIgd291bGQgdGhlbiBoYXZlIGZ1bGwgYWNjZXNzIHRvIHRoZSBo
b3N0Lg0NCg0NClZNd2FyZSBzdHJvbmdseSB1cmdlcyBjdXN0b21lcnMgcnVu
bmluZyBHU1ggU2VydmVyIGFuZA0NCldvcmtzdGF0aW9uIChmb3IgTGludXgg
c3lzdGVtcykgdG8gdXBncmFkZSBhcyBzb29uDQ0KYXMgcG9zc2libGUuIA0N
Cg0NCkN1c3RvbWVycyBydW5uaW5nIGFueSB2ZXJzaW9uIG9mIFZNd2FyZSBH
U1ggU2VydmVyIG9yDQ0KV29ya3N0YXRpb24gKGZvciBXaW5kb3dzIG9wZXJh
dGluZyBzeXN0ZW1zKSBhcmUgbm90IHN1YmplY3QgdG8NDQp0aGlzIHZ1bG5l
cmFiaWxpdHkuIA0NCg0NClNvbHV0aW9uDQ0KLSAtLS0tLS0tLQ0NCg0NClRv
IGNvcnJlY3QgdGhlIHZ1bG5lcmFiaWxpdHkgaW4gVk13YXJlIFdvcmtzdGF0
aW9uIDQuMCwgVk13YXJlDQ0KaGFzIHJlbGVhc2VkIHRoZSBmb2xsb3dpbmc6
IA0NCg0NCi0gLSBXb3Jrc3RhdGlvbiA0LjAuMSANDQoNDQpUbyBjb3JyZWN0
IHRoZSB2dWxuZXJhYmlsaXR5IGluIEdTWCBTZXJ2ZXIgMi41LjEsIFZNd2Fy
ZSB3aWxsDQ0KcmVsZWFzZSB0aGUgZm9sbG93aW5nOiANDQoNDQotIC0gR1NY
IFNlcnZlciAyLjUuMSBwYXRjaCAxIChmb3IgTGludXggc3lzdGVtcykgDQ0K
DQ0KRGV0YWlscw0NCi0gLS0tLS0tLS0tLS0NDQpHU1ggU2VydmVyIDIuNS4x
IHBhdGNoIDEgKGZvciBMaW51eCBzeXN0ZW1zKSANDQoNDQpWTXdhcmUgR1NY
IFNlcnZlciBjdXN0b21lcnMgd2l0aCBzdXBwb3J0IHNlcnZpY2VzIGFyZSBl
bnRpdGxlZA0NCnRvIGRvd25sb2FkIGFuZCBpbnN0YWxsIHRoaXMgcGF0Y2hl
ZCB2ZXJzaW9uLiBWTXdhcmUgc3Ryb25nbHkNDQp1cmdlcyBjdXN0b21lcnMg
cnVubmluZyBHU1ggU2VydmVyIChmb3IgTGludXggDQ0Kc3lzdGVtcykgdG8g
dXBncmFkZSBhcyBzb29uIGFzIHBvc3NpYmxlLg0NCg0NClZNd2FyZSBHU1gg
U2VydmVyIGN1c3RvbWVycyB3aXRoIHN1cHBvcnQgc2VydmljZXMgYXJlIGVu
dGl0bGVkDQ0KdG8gZG93bmxvYWQgYW5kIGluc3RhbGwgdGhpcyBwYXRjaGVk
IHZlcnNpb24gZnJvbSANDQoNDQpodHRwOi8vd3d3LnZtd2FyZS5jb20vdm13
YXJlc3RvcmUvbmV3c3RvcmUvZG93bmxvYWQuanNwP1Byb2R1Y3RDb2RlPUdT
WC1MWC1FU0QNDQoNDQpUaGlzIHdpbGwgYmUgYXZhaWxhYmxlIHNvb24uIA0N
Cg0NClVwZ3JhZGUgaW5zdHJ1Y3Rpb25zIGFyZSBhdDoNDQpodHRwOi8vd3d3
LnZtd2FyZS5jb20vc3VwcG9ydC9nc3gyNS9kb2MvdXBncmFkZV9nc3guaHRt
bA0NCg0NCi0gLS0tLS0tLS0tLS0NDQpWTXdhcmUgV29ya3N0YXRpb24gNC4w
LjEgDQ0KDQ0KVk13YXJlIFdvcmtzdGF0aW9uIGN1c3RvbWVycywgaWYgY292
ZXJlZCB1bmRlciB0aGUgVk13YXJlIFdvcmtzdGF0aW9uIFByb2R1Y3QNDQpV
cGdyYWRlIFBvbGljeSBhcyBkZXNjcmliZWQgYXQ6DQ0KDQ0KaHR0cDovL3d3
dy52bXdhcmUuY29tL3Ztd2FyZXN0b3JlL3ByaWNpbmcuaHRtbA0NCg0NCmFy
ZSBlbnRpdGxlZCB0byBkb3dubG9hZCBhbmQgaW5zdGFsbCB0aGlzIHVwZGF0
ZWQgdmVyc2lvbiBmcm9tDQ0KDQ0KaHR0cDovL3d3dy52bXdhcmUuY29tL3Zt
d2FyZXN0b3JlL25ld3N0b3JlL2Rvd25sb2FkLmpzcD9Qcm9kdWN0Q29kZT1X
S1NUNC1MWC1FU0QNDQoNDQpUaGlzIGlzIGF2YWlsYWJsZSB0b2RheS4gDQ0K
DQ0KVXBncmFkZSBpbnN0cnVjdGlvbnMgYXJlIGF0DQ0KDQ0KaHR0cDovL3d3
dy52bXdhcmUuY29tL3N1cHBvcnQvd3M0L2RvYy93czQwX3VwZ3JhZGUuaHRt
bA0NCg0NCg0NCk5vdGVzDQ0KLSAtLS0tLQ0NCg0NCiogVk13YXJlIHdpc2hl
cyB0byB0aGFuayBQYXVsIFN6YWJvIG9mIHRoZSBVbml2ZXJzaXR5IG9mIFN5
ZG5leSBmb3IgYWxlcnRpbmcgdXMNDQp0byB0aGlzIHZ1bG5lcmFiaWxpdHku
DQ0KDQ0KSGlzIFdlYiBwYWdlIGlzIGF0OiANDQpodHRwOi8vd3d3Lm1hdGhz
LnVzeWQuZWR1LmF1OjgwMDAvdS9wc3ovDQ0KDQ0KDQ0KKiBWTXdhcmUgaGFz
IHBvc3RlZCBhIGtub3dsZWRnZSBiYXNlIGFydGljbGUgdGhhdCBkZXNjcmli
ZXMgdGhpcyBwcm9ibGVtOg0NCg0NCmh0dHA6Ly93d3cudm13YXJlLmNvbS9z
dXBwb3J0L2tiL2VuZHVzZXIvc3RkX2FkcC5waHA/cF9mYXFpZD0xMDM5DQ0K
DQ0KLSAtLS0tLS0tLS0tLS0tLS0tLQ0NClRoaXMgZG9jdW1lbnQgaXMgY2xl
YXIgc2lnbmVkIHdpdGggUEdQLiAgDQ0KDQ0KVk13YXJlIGhhcyB0aGUgUEdQ
IHB1YmxpYyBrZXkgYXZhaWxhYmxlIGF0DQ0KDQ0KaHR0cDovL3d3dy52bXdh
cmUuY29tL3N1cHBvcnQva2IvZW5kdXNlci9zdGRfYWRwLnBocD9wX2ZhcWlk
PTEwNTUNDQoNDQpTb21lIG1haWwgcHJvZ3JhbXMgY2F1c2UgY2hhbmdlcyB0
byBtYWlsIG1lc3NhZ2VzIGFuZCBjb250ZW50LA0NCndoaWNoIG1heSByZXN1
bHQgaW4gYW4gaW5kaWNhdGlvbiB0aGF0IHRoZSBQR1Agc2lnbmF0dXJlIGZv
cg0NCnRoaXMgbWVzc2FnZSBpcyBub3QgdmFsaWQuICBUaGlzIG1heSBhbHNv
IG9jY3VyIGlmIHRoaXMNDQptZXNzYWdlIGlzIGZvcndhcmRlZCB0aHJvdWdo
IGFub3RoZXIgZW1haWwgZGlzdHJpYnV0aW9uIGxpc3QNDQp0aGF0IGNoYW5n
ZXMgdGhlICJGcm9tIiBmaWVsZC4gIFBsZWFzZSB0cnkgdG8gc2F2ZSB0aGUg
bWVzc2FnZQ0NCmludG8gYSBmaWxlIGFuZCB0aGVuIHJ1bm5pbmcgUEdQIG9u
IGl0Lg0NCi0tLS0tQkVHSU4gUEdQIFNJR05BVFVSRS0tLS0tDQ0KVmVyc2lv
bjogR251UEcgdjEuMi4yIChNaW5nVzMyKQ0NCg0NCmlEOERCUUUvSHdXVExz
WkxyZnRHMTVNUkFoWGlBSjl2RmNHQ3FLbVRHK3Z6cVhySG9pWGJ1VEZObkFD
Z3dCd3ANDQpLM25uR3FMNDhERG9sZ244VEZZNnpTWT0NDQo9RGJsdQ0NCi0t
LS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQ0NCg==

---825423385-571259872-1058998065=:25752--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC