SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   VMware Vendors:   VMware
(VMware Issues Fix for Workstation/Player) Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1026077
SecurityTracker URL:  http://securitytracker.com/id/1026077
CVE Reference:   CVE-2010-1205   (Links to External Site)
Date:  Sep 21 2011
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Workstation 6.5.x, 7.x; Player 2.5.x, 3.1.x
Description:   Several vulnerabilities were reported in Mozilla Firefox. A remote user can cause arbitrary code to be executed on the target user's system. VMware Workstation and Player are affected.

A remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.

SeaMonkey versions prior to 2.0.6 are affected by some of these vulnerabilities.

Thunderbird versions prior to 3.0.6 and 3.1.1 are affected by some of these vulnerabilities.

Jesse Ruderman, Ehsan Akhgari, Mats Palmgren, Igor Bukanov, Gary Kwong, Tobias Markus, Daniel Holbert, David Anderson, Johnny Stenback, regenrecht via TippingPoint's Zero Day Initiative, J23 via TippingPoint's Zero Day Initiative, moz_bug_r_a4, and OUSPG researcher Aki Helin reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   VMware has issued a fix for CVE-2010-1205 for Workstation (6.5.5 Build 328052; 7.1.2 build 301548) and Player (2.5.5 Build 328052, 3.1.2 build 301548).

The VMware advisory is available at:

http://www.vmware.com/security/advisories/VMSA-2010-0014.html

Cause:   Access control error, Boundary error

Message History:   This archive entry is a follow-up to the message listed below.
Jul 21 2010 Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  [Security-announce] UPDATED VMSA-2010-0014.1 VMware Workstation, Player, and ACE address several security issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0014.1
Synopsis:          VMware Workstation, Player, and ACE address several
                   security issues.
Issue date:        2010-09-23
Updated on:        2011-09-19
CVE numbers:       CVE-2010-3277 CVE-2010-1205 CVE-2010-0205
                   CVE-2010-2249 CVE-2010-0434 CVE-2010-0425
- ------------------------------------------------------------------------

1. Summary

   VMware Workstation and Player address a potential installer security
   issue and security issues in libpng. VMware ACE Management Server
   (AMS) for Windows updates Apache httpd.

2. Relevant releases

   VMware Workstation 7.1.1 and earlier,
   VMware Workstation 6.5.4 and earlier,

   VMware Player 3.1.1 and earlier,
   VMware Player 2.5.4 and earlier,

   VMware ACE Management Server 2.7.1 and earlier,

   Note: VMware Server was declared End Of Availability on January 2010,
         support will be limited to Technical Guidance for the duration
         of the support term.

3. Problem Description

 a. VMware Workstation and Player installer security issue

    The Workstation 7.x and Player 3.x installers will load an index.htm
    file located in the current working directory on which Workstation
    7.x or Player 3.x is being installed. This may allow an attacker to
    display a malicious file if they manage to get their file onto the
    system prior to installation.

    The issue can only be exploited at the time that Workstation 7.x or
    Player 3.x is being installed. Installed versions of Workstation and
    Player are not affected. The security issue is no longer present in
    the installer of the new versions of Workstation 7.x and Player 3.x
    (see table below for the version numbers).

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-3277 to this issue.

    VMware would like to thank Alexander Trofimov and Marc Esher for
    independently reporting this issue to VMware.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Workstation    7.x       any      7.1.2 build 301548 or later *
    Workstation    6.5.x     any      not affected

    Player         3.x       any      3.1.2 build 301548 or later *
    Player         2.5.x     any      not affected

    AMS            any       any      not affected

    Server         any       any      not affected

    Fusion         any       Mac OS/X not affected

    ESXi           any       ESXi     not affected

    ESX            any       ESX      not affected

 * Note: This only affects the installer, if you have a version of
         Workstation or Player installed you are not vulnerable.


 b. Third party libpng updated to version 1.2.44

    A buffer overflow condition in libpng is addressed that could
    potentially lead to code execution with the privileges of the
    application using libpng. Two potential denial of service issues
    are also addressed in the update.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2010-1205, CVE-2010-0205, CVE-2010-2249
    to these issues.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.


    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Workstation    7.1.x     any      7.1.2 build 301548 or later
    Workstation    6.5.x     any      6.5.5 Build 328052 or later

    Player         3.1.x     any      3.1.2 build 301548 or later
    Player         2.5.x     any      2.5.5 Build 328052 or later

    AMS            any       any      not affected

    Server         any       any      affected, no patch planned

    Fusion         any       Mac OS/X not affected

    ESXi           any       ESXi     not affected

    ESX            any       ESX      not affected


 c. VMware ACE Management Server (AMS) for Windows updates Apache httpd
    version 2.2.15.

    A function in Apache HTTP Server when multithreaded MPM is used
    does not properly handle headers in subrequests in certain
    circumstances which may allow remote attackers to obtain sensitive
    information via a crafted request that triggers access to memory
    locations associated with an earlier request.  

    The Apache mod_isapi module can be forced to unload a specific
    library before the processing of a request is complete, resulting
    in memory corruption. This vulnerability may allow a remote
    attacker to execute arbitrary code.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2010-0434 and CVE-2010-0425 to the
    issues addressed in this update.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.  

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Workstation    any       any      not affected

    Player         any       any      not affected

    AMS            any       Windows  2.7.2 build 301548 or later
    AMS            any       Linux    affected, patch pending *

    Server         any       any      not affected

    Fusion         any       Mac OS/X not affected

    ESXi           any       ESXi     not affected

    ESX            any       ESX      not affected

 * Note CVE-2010-0425 is not applicable to AMS running on Linux

4. Solution
   Please review the patch/release notes for your product and version
   and verify the md5sum and/or the sha1sum of your downloaded file.

   VMware Workstation 7.1.2
   ------------------------
   www.vmware.com/download/ws/
   Release notes:
   downloads.vmware.com/support/ws71/doc/releasenotes_ws712.html

   Workstation for Windows 32-bit and 64-bit with VMware Tools   
   md5sum: 2e9715ec297dc3ca904ad2707d3e2614
   sha1sum: 55b2b99f67c3dacd402fb9880999086efd264e7a

   Workstation for Windows 32-bit and 64-bit without VMware Tools        
   md5sum: 066929f59aef46f11f4d9fd6c6b36e4d
   sha1sum: def776a28ee1a21b1ad26e836ae868551fff6fc3


   Workstation 6.5.5
   -----------------
   http://www.vmware.com/download/ws/
   Release notes:
   http://downloads.vmware.com/support/ws65/doc/releasenotes_ws655.html
 
   Workstation for Windows 32-bit and 64-bit
   md5sum: 7bff9b621529efb0de808a45e7821274
   sha1sum: 41af7a9a78717cb85dd30b4d830e99fd5de49cc1
 
   Workstation for Linux 32-bit (rpm)
   md5sum: 17c3f1a0e6ccf2b1e224a5d75c845a47
   sha1sum: 3027b4e2215fae84fa9311f8cd762fee17e89df0
 
   Workstation for Linux 32-bit (bundle)
   md5sum: 7c24811fb999204f144d8b9f50e9fcae
   sha1sum: 18a05e6f4f772b7f0563dbd17596b66d1db8e9fa
 
   Workstation for Linux 64-bit (rpm)
   md5sum: c25c2535d8091c4d46701ed081347901
   sha1sum: f4356bc224ea9805dac2d4b677f88a2f4220353e

   Workstation for Linux 64-bit (bundle)
   md5sum: 7012bdaf182d256672ff2eb24b00a40f
   sha1sum: 58ecb2a494d4c7cc663e2028cf76c13d458fecac
 

   VMware Player 3.1.2
   -------------------
   www.vmware.com/download/player/
   Release notes:
   downloads.vmware.com/support/player31/doc/releasenotes_player312.html

   VMware Player for Windows 32-bit and 64-bit        
   md5sum: 3f289cb33af5e425c92d8512fb22a7ba
   sha1sum: bf67240c1f410ebeb8dcb4f6d7371334bf9a6b70

   VMware Player for Linux 32-bit        
   md5sum: 11e3e3e8753e1d9abbbb92c4e3c1dfe8
   sha1sum: dd1dbcdb1f4654eefc11472b68934dcb69842749

   VMware Player for Linux 64-bit        
   md5sum: 2ab08e0d4050719845a64d334ca15bb1
   sha1sum: f024ad84ec831fce8667dfa9601851da5d9fa59c


   VMware Player 2.5.5
   -------------------
   www.vmware.com/download/player/
   Release notes:
   https://www.vmware.com/support/player25/doc/releasenotes_player255.html

   VMware Player 2.5.5 for Windows 32-bit and 64-bit
   md5sum: 780b2c4e2b1610dea3090b1cd81d5ad7
   sha1sum: f6c451a11a4fe66e5a465de960de1358e83b8314
 
   VMware Player 2.5.5 for Linux 32-bit (rpm)
   md5sum: 9e13ee3904bd2377ffb8cfa66460fe92
   sha1sum: 2482acad19f6b23cf0c236d1ce87d4805b7b0e6c  
 
   VMware Player 2.5.5 for Linux 32-bit (bundle)
   MD5SUM: 46dcfe9343f688d60e249d9e9c3853a4
   SHA1SUM: abfdeaf2cac83c630662607e7b95439367376abf  
 
   VMware Player 2.5.5 for Linux 64-bit (rpm)
   MD5SUM: 52d6dcdeed9e564c8cfe8c35cec885f0
   SHA1SUM: dbaa6dac55f592b9c6b16d7505796a2580836f4b  
 
   VMware Player 2.5.5 for Linux 64-bit (bundle)
   md5sum: 6c9a677820010ccd20f829cb5d2c057b
   sha1sum: ff6eccba3125229e8adbc1cb96764c2f116d89c5  
 

   VMware ACE Management Server 2.7.2
   ----------------------------------
   downloads.vmware.com/d/info/desktop_downloads/vmware_ace/2_7
   Release notes:
   downloads.vmware.com/support/ace27/doc/releasenotes_ace272.html

   ACE Management Server for Windows   
   md5sum: 02f0072b8e48a98ed914b633f070d550
   sha1sum: 94a68eac4a328d21a741879b9d063227c0dc1ce4

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3277
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1205
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2249
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0434
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0425

- ------------------------------------------------------------------------

6. Change log

2010-09-23  VMSA-2010-0014
Initial security advisory after release of Workstation 7.1.2,
Player 3.1.2 and ACE Management Server 2.7.2 on 2010-09-23

2011-09-19  VMSA-2010-0014.1
Updated security advisory to reflect that the third party library
libpng has been updated in Workstation 6.5.5 and Player 2.5.5 released
on 2010-12-02.

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at:
kb.vmware.com/kb/1055

VMware Security Center
www.vmware.com/security

VMware Security Advisories
www.vmware.com/security/advisories

VMware security response policy
www.vmware.com/support/policies/security_response.html

General support life cycle policy
www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
www.vmware.com/support/policies/eos_vi.html


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFOeSpODEcm8Vbi9kMRAlfJAKCCOUAqrLMKbXxVHBudzID1oQPwRQCg0jKN
HRJOmuZ+O79hf/7/paGLKLE=
=7NU4
-----END PGP SIGNATURE-----

_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
http://lists.vmware.com/mailman/listinfo/security-announce
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC