SecurityTracker.com
Category: Application (Generic) > VMware ESXi
Vendors: VMware
(VMware Issues Fix for ESX) Sudo Netmask Error Lets Remote Authenticated Users Bypass Host Access Controls
SecurityTracker Alert ID:  1028607
SecurityTracker URL:  http://securitytracker.com/id/1028607
CVE Reference:   CVE-2012-2337
Updated:  Dec 6 2013
Original Entry Date:  May 31 2013
Impact:   Host/resource access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): ESX 4.0
Description:   A vulnerability was reported in Sudo. A remote authenticated user can bypass host access controls. VMware ESX is affected.

A remote authenticated user listed in the sudoers file (or sudoers LDAP data) and granted access to commands on hosts on one or more IPv4 networks (using IP network matching) may be able to execute a command from an unauthorized host.
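The "IP network matching" referred to above is worth seeing in its correct form. The following is an added example, written here and not taken from sudo or from the advisory, of what a correct IPv4 host/network match for a sudoers-style host entry (`addr`, `addr/prefixlen` or `addr/netmask`) must return; the function names are mine. It includes a netmask that does not fall on a byte boundary, the kind of case a host-matching routine should be checked against before an entry is trusted to confine access to one network.

```python
import socket
import struct

ALL_ONES = 0xFFFFFFFF

def ipv4_to_int(text):
    """Dotted-quad IPv4 string -> 32-bit integer (raises OSError if malformed)."""
    return struct.unpack("!I", socket.inet_aton(text))[0]

def parse_netmask(text):
    """Accept a dotted-quad mask ('255.255.255.128') or a prefix length ('25').

    Rejects masks whose one-bits are not contiguous, since such a mask
    does not describe a network.
    """
    if "." in text:
        mask = ipv4_to_int(text)
    else:
        bits = int(text)
        if not 0 <= bits <= 32:
            raise ValueError("prefix length out of range: %s" % text)
        mask = (ALL_ONES << (32 - bits)) & ALL_ONES
    inverted = (~mask) & ALL_ONES
    if inverted & (inverted + 1):          # zeros must form one trailing run
        raise ValueError("non-contiguous netmask: %s" % text)
    return mask

def parse_host_spec(spec):
    """Parse 'addr', 'addr/prefixlen' or 'addr/dotted-mask' into (network, mask)."""
    if "/" in spec:
        addr, mask_text = spec.split("/", 1)
        mask = parse_netmask(mask_text)
        return ipv4_to_int(addr) & mask, mask
    return ipv4_to_int(spec), ALL_ONES      # bare address: exact match only

def host_matches(spec, host_ip):
    """True only if host_ip lies inside the network described by spec."""
    network, mask = parse_host_spec(spec)
    return (ipv4_to_int(host_ip) & mask) == network

def spec_is_valid(spec):
    """False for malformed addresses or masks; useful when linting host entries."""
    try:
        parse_host_spec(spec)
        return True
    except (ValueError, OSError):
        return False
```

With a /25 entry, 10.0.0.127 is inside the network and 10.0.0.128 is outside; a matcher that treats them alike is not confining access to the intended hosts.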

Impact:   A remote authenticated user can bypass host access controls.
Solution:   VMware has issued a fix for VMware ESX.

For 4.0: ESX400-201305402-SG
For 4.1: ESX410-201312401-SG

The VMware advisory is available at:

http://www.vmware.com/security/advisories/VMSA-2013-0007.html

Cause:   Access control error

Message History:   This archive entry is a follow-up to the message listed below.
May 18 2012 Sudo Netmask Error Lets Remote Authenticated Users Bypass Host Access Controls



 Source Message Contents

Subject:  [Security-announce] NEW VMSA-2013-0007 VMware ESX third party update for Service Console package sudo

-----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2013-0007
Synopsis:    VMware ESX third party update for Service Console package sudo
Issue date:  2013-05-30
Updated on:  2013-05-30 (initial advisory)
CVE number:  CVE-2012-2337, CVE-2012-3440
-----------------------------------------------------------------------

1. Summary

    VMware ESX third party update for Service Console package sudo

2. Relevant releases

    VMware ESX 4.0 without patch ESX400-201305001

3. Problem Description

  a. Service Console update for sudo
      
      The service console package sudo is updated to version 
      1.7.2p1-14.el5_8.3

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2012-2337 and CVE-2012-3440 to the issues
      addressed in this update.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is 
      available. 

        VMware        Product   Running   Replace with/
        Product       Version   on        Apply Patch
        ============  =======   =======   ===================
        ESXi          any       ESXi      not affected

        ESX           4.1       ESX       Patch Pending
        ESX           4.0       ESX       ESX400-201305402-SG

4. Solution

      Please review the patch/release notes for your product and version 
      and verify the checksum of your downloaded file. 

      ESXi and ESX 
      --------------------------
      https://www.vmware.com/patchmgr/download.portal


      ESX 4.0 
      -------
      File: ESX400-201305001.zip 
      md5sum: c9ac91d3d803c7b7cb9df401c20b91c0 
      sha1sum: 7f5cef274c709248daa56d8c0e6fcc1ba86ae411
      https://kb.vmware.com/kb/2044240
      ESX400-201305001 contains ESX400-201305402-SG
      
   
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2337
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3440


-----------------------------------------------------------------------

6. Change log

   2013-05-30 VMSA-2013-0007
   Initial security advisory in conjunction with the release of ESX 4.0
   patches on 2013-05-30.

-----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
   
   This Security Advisory is posted to the following lists:
   
     * security-announce at lists.vmware.com
     * bugtraq at securityfocus.com
     * full-disclosure at lists.grok.org.uk
   
   E-mail:  security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055
   
   VMware Security Advisories
   http://www.vmware.com/security/advisories
   
   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html
   
   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html
   
   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html
   
   Copyright 2013 VMware Inc. All rights reserved.
