SecurityTracker.com
Category:   Application (Generic)  >   VMware ESXi
Vendors:   VMware
(VMware Issues Fix for ESX Server) PCRE Regex Processing Bugs May Let Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019860
SecurityTracker URL:  http://securitytracker.com/id/1019860
CVE Reference:   CVE-2007-1659   (Links to External Site)
Date:  Apr 16 2008
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 3.5
Description:   Two vulnerabilities were reported in PCRE. A local or remote user can execute arbitrary code on the target system. VMware ESX Server is affected.

A remote or local user may be able to supply a specially crafted regular expression to trigger a memory error in PCRE.

The impact depends on the application that uses the library. Applications that parse untrusted regular expressions may be vulnerable.

Unmatched \Q\E sequences with orphan \E codes can cause code execution [CVE-2007-1659].

Certain character classes can trigger code execution [CVE-2007-1660].

Tavis Ormandy reported these vulnerabilities.

Impact:   A local or remote user can execute arbitrary code on the target system.
Solution:   VMware has issued a fix for CVE-2007-1659 for ESX, which is affected by this vulnerability.

ESX 3.5 patch ESX350-200803214-UG
http://download3.vmware.com/software/esx/ESX350-200803214-UG.zip
md5sum: 9ff7b416afed3acfbfbb5d1d63ca5060
http://kb.vmware.com/kb/1003721

Cause:   Access control error, State error

Message History:   This archive entry is a follow-up to the message listed below.
Nov 6 2007 PCRE Regex Processing Bugs May Let Users Execute Arbitrary Code



 Source Message Contents

Subject:  [Security-announce] VMSA-2008-0007 Moderate Updated Service Console


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------
~                   VMware Security Advisory

Advisory ID:       VMSA-2008-0007
Synopsis:          Moderate Updated Service Console packages pcre
~                   net-snmp, and OpenPegasus
Issue date:        2008-04-15
Updated on:        2008-04-15 (initial release of advisory)
CVE numbers:       CVE-2006-7228 CVE-2007-1660 CVE-2007-5846
~                   CVE-2008-0003
- -------------------------------------------------------------------

1. Summary:

~   Updated Service Console packages for pcre, net-snmp, and OpenPegasus

2. Relevant releases:

~   VMware ESX 3.5 without patch ESX350-200803214-UG

3. Problem description:

~   a. Updated pcre Service Console package addresses several security issues

~   The pcre package contains the Perl-Compatible Regular Expression library.
~   pcre is used by various Service Console utilities.

~   Several security issues were discovered in the way PCRE handles
~   regular expressions. If an application linked against PCRE parsed a
~   malicious regular expression, it may have been possible to run
~   arbitrary code as the user running the application.

~   VMware would like to thank Ludwig Nussel for reporting these issues.

~   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
~   assigned the names CVE-2006-7228 and CVE-2007-1660 to these issues.

~   RPM Updated:
~   pcre-3.9-10.4.i386.rpm

~   b. Updated net-snmp Service Console package addresses denial of service

~   net-snmp is an implementation of the Simple Network Management
~   Protocol (SNMP).  SNMP is used by network management systems to
~   monitor hosts.  By default ESX has this service enabled and its ports
~   open on the ESX firewall.

~   A flaw was discovered in the way net-snmp handled certain requests. A
~   remote attacker who can connect to the snmpd UDP port could send a
~   malicious packet causing snmpd to crash, resulting in a denial of
~   service.

~   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
~   assigned the name CVE-2007-5846 to this issue.

~   RPM Updated:
~   net-snmp-5.0.9-2.30E.23.i386.rpm
~   net-snmp-libs-5.0.9-2.30E.23.i386.rpm
~   net-snmp-utils-5.0.9-2.30E.23.i386.rpm

~   c. Updated OpenPegasus Service Console package fixes overflow condition

~   OpenPegasus is a CIM (Common Information Model) and Web-Based Enterprise
~   Management (WBEM) broker.  These protocols are used by network management
~   systems to monitor and control hosts.  By default ESX has this service
~   enabled and its ports open on the ESX firewall.

~   A flaw was discovered in the OpenPegasus CIM management server that
~   might allow remote attackers to execute arbitrary code.  OpenPegasus
~   when compiled to use PAM and without PEGASUS_USE_PAM_STANDALONE_PROC
~   defined, has a stack-based buffer overflow condition.

~   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
~   assigned the name CVE-2008-0003 to this issue.

~   RPMS updated:
~   cim-smwg-1.0-release-606113.i386.rpm
~   pegasus-2.5-release-606113.i386.rpm

4. Solution:

Please review the Patch notes for your product and version and verify the
md5sum of your downloaded file.

~   ESX 3.5 patch ESX350-200803214-UG
~   http://download3.vmware.com/software/esx/ESX350-200803214-UG.zip
~   md5sum:  9ff7b416afed3acfbfbb5d1d63ca5060
~   http://kb.vmware.com/kb/1003721

~   RPMS updated with patch ESX350-200803214-UG
~   e2fsprogs-1.32-15.4.i386.rpm
~   net-snmp-5.0.9-2.30E.23.i386.rpm
~   net-snmp-libs-5.0.9-2.30E.23.i386.rpm
~   net-snmp-utils-5.0.9-2.30E.23.i386.rpm
~   pcre-3.9-10.4.i386.rpm
~   libxml2-2.5.10-8.i386.rpm
~   libxml2-python-2.5.10-8.i386.rpm

~   ESX 3.5 patch ESX350-200803201-UG
~   http://download3.vmware.com/software/esx/ESX350-200803201-UG.zip
~   md5sum: 55dee9f4e256b996229ff0c9a5f0f72c
~   http://kb.vmware.com/kb/1003695

~   RPMS updated with ESX350-200803201-UG
~   cim-smwg-1.0-release-606113.i386.rpm
~   pegasus-2.5-release-606113.i386.rpm

5. References:

~   CVE numbers
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7228
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1660
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5846
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0003

6. Change log

2008-04-15  VMSA-2008-0007    Initial release

- -------------------------------------------------------------------
7. Contact:

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

~  * security-announce@lists.vmware.com
~  * bugtraq@securityfocus.com
~  * full-disclosure@lists.grok.org.uk

E-mail:  security@vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIBVQ/S2KysvBH1xkRCBGJAJ0SOM8RwNolZMEF2HK9/4bLkecYGQCbBmfs
zKsBpA1zEMPTg+y20GBJijA=
=BKzm
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
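
A host-side check for the fixed package versions listed in section 4 of the advisory above, as an added example that is not part of the VMware advisory or the SecurityTracker entry. It assumes the input was produced on the Service Console with `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, covers only the pcre and net-snmp packages, and uses a simplified version comparison (no epochs); the sample listing is constructed.

```python
import re

# Fixed versions copied from the advisory's list for patch ESX350-200803214-UG.
FIXED = {
    "pcre": "3.9-10.4",
    "net-snmp": "5.0.9-2.30E.23",
    "net-snmp-libs": "5.0.9-2.30E.23",
    "net-snmp-utils": "5.0.9-2.30E.23",
}

def vercmp(a, b):
    """Simplified RPM-style compare: digit runs as integers, letter runs as strings."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment counts as newer
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)

def audit(rpm_listing):
    """Map each package from the advisory to 'ok', 'not installed' or a finding."""
    installed = dict(l.split() for l in rpm_listing.splitlines() if l.strip())
    findings = {}
    for name, fixed in FIXED.items():
        have = installed.get(name)
        if have is None:
            findings[name] = "not installed"
        elif evr_cmp(have, fixed) < 0:
            findings[name] = "VULNERABLE: %s < %s" % (have, fixed)
        else:
            findings[name] = "ok"
    return findings

# Constructed sample listing (not taken from a real host).
SAMPLE = """pcre 3.9-10.2
net-snmp 5.0.9-2.30E.23
net-snmp-libs 5.0.9-2.30E.19
e2fsprogs 1.32-15.4
"""

if __name__ == "__main__":
    for pkg, status in sorted(audit(SAMPLE).items()):
        print("%-16s %s" % (pkg, status))
```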

 
 

