SecurityTracker.com
Category:   Application (Generic)  >   VMware ESXi
Vendors:   VMware
VMware ESX Server Double Free Error May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017875
SecurityTracker URL:  http://securitytracker.com/id/1017875
CVE Reference:   CVE-2007-1270, CVE-2007-1271
Date:  Apr 5 2007
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 3.0.0, 3.0.1
Description:   A vulnerability was reported in VMware ESX Server. A remote user can execute arbitrary code on the target system. A local user can obtain elevated privileges on the target system.

A remote user can send specially crafted data to trigger a double free error and potentially execute arbitrary code on the target system [CVE-2007-1270]. The code will run with the privileges of the target service.

A local user can trigger a buffer overflow to potentially execute arbitrary code on the target system or cause the target application to crash [CVE-2007-1271].

These vulnerabilities were discovered by the vendor during an internal security audit.

Impact:   A remote user can execute arbitrary code on the target system.

A local user can obtain elevated privileges on the target system.

Solution:   The vendor has issued the following patch bundles:

ESX 301 Download Patch Bundle ESX-6431040:

http://www.vmware.com/support/vi3/doc/esx-6431040-patch.html
md5sum ef6bc745b3d556e0736fd39b8ddc8087

ESX 300 Download Patch Bundle ESX-5754280:

http://www.vmware.com/support/vi3/doc/esx-5754280-patch.html
md5sum 82b3c7e18dd1422f30c4aa9e477c6a27

The VMware advisory is available at:

http://kb.vmware.com/kb/6431040
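The advisory asks that each downloaded bundle be checked against its published md5sum before installation. The following POSIX shell script is an added example, not SecurityTracker's or VMware's tooling: its table carries the sums from section 4 of the VMware advisory quoted below, and the download path in the final comment is an assumption.

```shell
#!/bin/sh
# Added example: verify a downloaded ESX patch bundle against the md5sum
# published in VMSA-2007-0003 before installing it. Sums below are copied
# from section 4 of the advisory; nothing here is VMware's own tooling.

# advisory_md5 BUNDLE_ID: print the published md5sum, or return 1 if unknown.
advisory_md5() {
    case "$1" in
        ESX-2559638) echo 9ee9d9769dfe2668aa6a4be2df284ea6 ;;   # ESX 3.0.1 texinfo
        ESX-6431040) echo ef6bc745b3d556e0736fd39b8ddc8087 ;;   # ESX 3.0.1 bundle
        ESX-9916286) echo 7b98cfe1b2e0613c368d4080dcacccb8 ;;   # ESX 3.0.1 zlib
        ESX-55052)   echo 8d45e36ec997707ebe68d84841026fef ;;   # ESX 3.0.0 binutils
        ESX-1121906) echo 02c5bcccea156dd0db93177e5e3fab8b ;;   # ESX 3.0.0 texinfo
        ESX-3616065) echo 90e4face2edaab07080531a37a49ec01 ;;   # ESX 3.0.0 zlib
        ESX-5754280) echo 82b3c7e18dd1422f30c4aa9e477c6a27 ;;   # ESX 3.0.0 bundle
        *) return 1 ;;
    esac
}

# verify_md5 FILE EXPECTED: return 0 only if FILE is readable and its md5sum
# equals EXPECTED (hex digits compared case-insensitively). A truncated or
# corrupted download fails here; the check is only as trustworthy as the
# channel the expected sum came from.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "FAIL $file: not readable" >&2; return 1; }
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file $actual"
    else
        echo "FAIL $file: expected $expected, got $actual" >&2
        return 1
    fi
}

# verify_bundle BUNDLE_ID FILE: look up the published sum and verify the file.
verify_bundle() {
    sum=$(advisory_md5 "$1") || { echo "FAIL $1: no published md5sum" >&2; return 1; }
    verify_md5 "$2" "$sum"
}

# Demo on a constructed file: md5("hello") = 5d41402abc4b2a76b9719d911017c592.
demo=$(mktemp) && printf 'hello' > "$demo"
verify_md5 "$demo" 5d41402abc4b2a76b9719d911017c592
rm -f "$demo"
# Real use (path assumed): verify_bundle ESX-6431040 /tmp/ESX-6431040.tgz
```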

Vendor URL:  kb.vmware.com/kb/6431040
Cause:   Boundary error, State error

Message History:   None.


 Source Message Contents

Subject:  VMSA-2007-0003 VMware ESX 3.0.1 and 3.0.0 server security updates

-------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2007-0003
Synopsis:          VMware ESX 3.0.1 and 3.0.0 server security updates
Issue date:        2007-04-02
Updated on:        2007-04-02
CVE numbers:       CVE-2005-3011 CVE-2006-4810 CVE-2007-1270
                   CVE-2007-1271 CVE-2005-2096 CVE-2005-1849
                   CVE-2003-0107 CVE-2005-1704
-------------------------------------------------------------------

1. Summary:

ESX 3.0.1 and 3.0.0 patches address several security issues.

2. Relevant releases:

VMware ESX 3.0.1 without patches ESX-2559638, ESX-1161870, ESX-3416571,
ESX-5011126, ESX-7737432, ESX-7780490, ESX-8174018, ESX-8852210,
ESX-9617902, ESX-9916286

VMware ESX 3.0.0 without patches ESX-1121906, ESX-131737, ESX-1870154,
ESX-392718, ESX-4197945, ESX-4921691, ESX-5752668, ESX-7052426,
ESX-3616065

3. Problem description:

Problems addressed by these patches:

a.   texinfo service console update

     Updated texinfo packages for the service console that fix two
     security vulnerabilities are now available.  A buffer overflow in
     the texinfo program could allow a local user to execute arbitrary
     code in the service console via a crafted texinfo file, and a
     symlink attack on temporary files could allow a local user to
     overwrite arbitrary files.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the names CVE-2005-3011 and CVE-2006-4810 to these
     issues.

     ESX 301 Download Patch ESX-2559638
     ESX 300 Download Patch ESX-1121906

b.   This bundle is a group of patches to resolve two possible security
     issues.

     They are as follows:
     A VMware internal security audit revealed a double free condition.
     It may be possible for an attacker to influence the operation of
     the system. In most circumstances, this influence will be limited
     to denial of service or information leakage, but it is
     theoretically possible for an attacker to insert arbitrary code
     into a running program. This code would be executed with the
     permissions of the vulnerable program.  There are no known exploits
     for this issue.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2007-1270 to this issue.

     A VMware internal security audit revealed a potential buffer
     overflow condition. There are no known vulnerabilities, but such
     vulnerabilities may be used to elevate privileges or to crash the
     application and thus cause a denial of service.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2007-1271 to this issue.

     The following patches are contained within this bundle:

     ESX 301                      ESX 300
     -------                     --------
     ESX-1161870                  ESX-131737
     ESX-3416571                  ESX-1870154
     ESX-5011126                  ESX-392718
     ESX-7737432                  ESX-4197945
     ESX-7780490                  ESX-4921691
     ESX-8174018                  ESX-5752668
     ESX-8852210                  ESX-7052426
     ESX-9617902                  ESX-9976400

     ESX 301 Download Patch Bundle ESX-6431040
     ESX 300 Download Patch Bundle ESX-5754280

c.   This patch updates internally used zlib libraries in order to
     address potential security issues with older versions of this
     library.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the names CVE-2005-2096, CVE-2005-1849, CVE-2003-0107
     to these issues.

     ESX 301 Download Patch ESX-9916286
     ESX 300 Download Patch ESX-3616065

d.   binutils service console update

     NOTE: This vulnerability and update only apply to ESX 3.0.0.

     An integer overflow in the Binary File Descriptor (BFD) library for
     the GNU Debugger before version 6.3, binutils, elfutils, and
     possibly other packages, allows user-assisted attackers to execute
     arbitrary code via a crafted object file that specifies a large
     number of section headers, leading to a heap-based buffer overflow.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2005-1704 to this issue.

     ESX 300 Download Patch ESX-55052

4. Solution:

Please review the Patch notes for your version of ESX and verify the
md5sum of your downloaded file.

  ESX 3.0.1
  http://www.vmware.com/support/vi3/doc/esx-2559638-patch.html
  md5sum 9ee9d9769dfe2668aa6a4be2df284ea6

  http://www.vmware.com/support/vi3/doc/esx-6431040-patch.html
  md5sum ef6bc745b3d556e0736fd39b8ddc8087

  http://www.vmware.com/support/vi3/doc/esx-9916286-patch.html
  md5sum 7b98cfe1b2e0613c368d4080dcacccb8

  ESX 3.0.0
  http://www.vmware.com/support/vi3/doc/esx-55052-patch.html
  md5sum 8d45e36ec997707ebe68d84841026fef

  http://www.vmware.com/support/vi3/doc/esx-1121906-patch.html
  md5sum 02c5bcccea156dd0db93177e5e3fab8b

  http://www.vmware.com/support/vi3/doc/esx-3616065-patch.html
  md5sum 90e4face2edaab07080531a37a49ec01

  http://www.vmware.com/support/vi3/doc/esx-5754280-patch.html
  md5sum 82b3c7e18dd1422f30c4aa9e477c6a27

5. References:

  ESX 3.0.1

Patch URL: http://www.vmware.com/support/vi3/doc/esx-2559638-patch.html
Patch URL: http://www.vmware.com/support/vi3/doc/esx-6431040-patch.html
Patch URL: http://www.vmware.com/support/vi3/doc/esx-9916286-patch.html
Knowledge base URL: http://kb.vmware.com/kb/2559638
Knowledge base URL: http://kb.vmware.com/kb/6431040
Knowledge base URL: http://kb.vmware.com/kb/9916286

  ESX 3.0.0

Patch URL: http://www.vmware.com/support/vi3/doc/esx-55052-patch.html
Patch URL: http://www.vmware.com/support/vi3/doc/esx-1121906-patch.html
Patch URL: http://www.vmware.com/support/vi3/doc/esx-3616065-patch.html
Patch URL: http://www.vmware.com/support/vi3/doc/esx-5754280-patch.html
Knowledge base URL: http://kb.vmware.com/kb/55052
Knowledge base URL: http://kb.vmware.com/kb/1121906
Knowledge base URL: http://kb.vmware.com/kb/3616065
Knowledge base URL: http://kb.vmware.com/kb/55052


  CVE numbers

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1704

6. Contact:

http://www.vmware.com/security

VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html

E-mail:  security@vmware.com

Copyright 2007 VMware Inc. All rights reserved.
Copyright 2019, SecurityGlobal.net LLC