SecurityTracker.com
Category:   Application (Generic)  >   VMware ESXi
Vendors:   VMware
(VMware Issues Fix for ESX Server) OpenPegasus Stack Overflow in PAM Authentication Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019862
SecurityTracker URL:  http://securitytracker.com/id/1019862
CVE Reference:   CVE-2008-0003   (Links to External Site)
Updated:  May 6 2008
Original Entry Date:  Apr 16 2008
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 3.0.1, 3.0.2, 3.5
Description:   A vulnerability was reported in OpenPegasus. A remote user can execute arbitrary code on the target system. VMware ESX Server is affected.

A remote user can send specially crafted data to trigger a stack overflow in the PAM authentication code and execute arbitrary code on the target system. The code will run with root privileges.

The vulnerability resides in PAMBasicAuthenticator::PAMCallback().

Impact:   A remote user can execute arbitrary code on the target system with root privileges.
Solution:   VMware has issued a fix for ESX, which is affected by this vulnerability.

ESX 3.5 patch ESX350-200803201-UG
http://download3.vmware.com/software/esx/ESX350-200803201-UG.zip
md5sum: 55dee9f4e256b996229ff0c9a5f0f72c
http://kb.vmware.com/kb/1003695

On May 5, 2008, VMware issued patches for versions 3.0.1 and 3.0.2.

VMware ESX 3.0.2 patch ESX-1004213 (OpenPegasus)
http://download3.vmware.com/software/vi/ESX-1004213.tgz
md5sum: cde300d8239ce5c9aac887957957eaa4
http://kb.vmware.com/kb/1004213

VMware ESX 3.0.1 patch ESX-1004184 (OpenPegasus)
http://download3.vmware.com/software/vi/ESX-1004184.tgz
md5sum: e96659cf283e1e2e141de58603af1bfc
http://kb.vmware.com/kb/1004184

Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jan 7 2008 OpenPegasus Stack Overflow in PAM Authentication Lets Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  [Security-announce] VMSA-2008-0007 Moderate Updated Service Console


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------
~                   VMware Security Advisory

Advisory ID:       VMSA-2008-0007
Synopsis:          Moderate Updated Service Console packages pcre
~                   net-snmp, and OpenPegasus
Issue date:        2008-04-15
Updated on:        2008-04-15 (initial release of advisory)
CVE numbers:       CVE-2006-7228 CVE-2007-1660 CVE-2007-5846
~                   CVE-2008-0003
- -------------------------------------------------------------------

1. Summary:

~   Updated Service Console packages for pcre, net-snmp, and OpenPegasus

2. Relevant releases:

~   VMware ESX 3.5 without patch ESX350-200803214-UG

3. Problem description:

~   a. Updated pcre Service Console package addresses several security issues

~   The pcre package contains the Perl-Compatible Regular Expression library.
~   pcre is used by various Service Console utilities.

~   Several security issues were discovered in the way PCRE handles
~   regular expressions. If an application linked against PCRE parsed a
~   malicious regular expression, it may have been possible to run
~   arbitrary code as the user running the application.

~   VMware would like to thank Ludwig Nussel for reporting these issues.

~   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
~   assigned the names CVE-2006-7228 and CVE-2007-1660 to these issues.

~   RPM Updated:
~   pcre-3.9-10.4.i386.rpm

~   b. Updated net-snmp Service Console package addresses denial of service

~   net-snmp is an implementation of the Simple Network Management
~   Protocol (SNMP).  SNMP is used by network management systems to
~   monitor hosts.  By default ESX has this service enabled and its ports
~   open on the ESX firewall.

~   A flaw was discovered in the way net-snmp handled certain requests. A
~   remote attacker who can connect to the snmpd UDP port could send a
~   malicious packet causing snmpd to crash, resulting in a denial of
~   service.

~   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
~   assigned the name CVE-2007-5846 to this issue.

~   RPM Updated:
~   net-snmp-5.0.9-2.30E.23.i386.rpm
~   net-snmp-libs-5.0.9-2.30E.23.i386.rpm
~   net-snmp-utils-5.0.9-2.30E.23.i386.rpm

~   c. Updated OpenPegasus Service Console package fixes overflow condition

~   OpenPegasus is a CIM (Common Information Model) and Web-Based Enterprise
~   Management (WBEM) broker.  These protocols are used by network management
~   systems to monitor and control hosts.  By default ESX has this service
~   enabled and its ports open on the ESX firewall.

~   A flaw was discovered in the OpenPegasus CIM management server that
~   might allow remote attackers to execute arbitrary code.  OpenPegasus
~   when compiled to use PAM and without PEGASUS_USE_PAM_STANDALONE_PROC
~   defined, has a stack-based buffer overflow condition.

~   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
~   assigned the name CVE-2008-0003 to this issue.

~   RPMS updated:
~   cim-smwg-1.0-release-606113.i386.rpm
~   pegasus-2.5-release-606113.i386.rpm

4. Solution:

Please review the Patch notes for your product and version and verify the
md5sum of your downloaded file.

~   ESX 3.5 patch ESX350-200803214-UG
~   http://download3.vmware.com/software/esx/ESX350-200803214-UG.zip
~   md5sum:  9ff7b416afed3acfbfbb5d1d63ca5060
~   http://kb.vmware.com/kb/1003721

~   RPMS updated with patch ESX350-200803214-UG
~   e2fsprogs-1.32-15.4.i386.rpm
~   net-snmp-5.0.9-2.30E.23.i386.rpm
~   net-snmp-libs-5.0.9-2.30E.23.i386.rpm
~   net-snmp-utils-5.0.9-2.30E.23.i386.rpm
~   pcre-3.9-10.4.i386.rpm
~   libxml2-2.5.10-8.i386.rpm
~   libxml2-python-2.5.10-8.i386.rpm

~   ESX 3.5 patch ESX350-200803201-UG
~   http://download3.vmware.com/software/esx/ESX350-200803201-UG.zip
~   md5sum: 55dee9f4e256b996229ff0c9a5f0f72c
~   http://kb.vmware.com/kb/1003695

~   RPMS updated with ESX350-200803201-UG
~   cim-smwg-1.0-release-606113.i386.rpm
~   pegasus-2.5-release-606113.i386.rpm

5. References:

~   CVE numbers
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7228
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1660
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5846
~   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0003

6. Change log

2008-04-15  VMSA-2008-0007    Initial release

- -------------------------------------------------------------------
7. Contact:

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

~  * security-announce@lists.vmware.com
~  * bugtraq@securityfocus.com
~  * full-disclosure@lists.grok.org.uk

E-mail:  security@vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIBVQ/S2KysvBH1xkRCBGJAJ0SOM8RwNolZMEF2HK9/4bLkecYGQCbBmfs
zKsBpA1zEMPTg+y20GBJijA=
=BKzm
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 
 



Copyright 2019, SecurityGlobal.net LLC