Category:   Application (Generic)  >   VMware ESXi
Vendors:   VMware
VMware ESXi and ESX ROM Overwrite Flaw Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1026875
SecurityTracker URL:  http://securitytracker.com/id/1026875
CVE Reference:   CVE-2012-1515
Date:  Mar 30 2012
Impact:   Root access via local system, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): ESX and ESXi 3.5, 4.0, 4.1
Description:   A vulnerability was reported in VMware ESXi and ESX. A local user on the guest operating system can obtain elevated privileges on the target system.

A local user on the guest operating system can exploit a flaw in port-based I/O handling to overwrite read-only memory for the virtual DOS machine and gain elevated privileges on the guest OS.

Guest operating systems running Windows 2000, Windows XP 32-bit, Windows Server 2003 32-bit, or Windows Server 2003 R2 32-bit are affected.

Derek Soeder of Ridgeway Internet Security, L.L.C. reported this vulnerability.

Impact:   A local user on the guest operating system can obtain elevated privileges on the target guest operating system.
Solution:   The vendor has issued a fix.

ESXi 4.1: ESXi410-201101201-SG
ESXi 4.0: ESXi400-201203401-SG
ESXi 3.5: ESXe350-201203401-I-SG

ESX 4.1: ESX410-201101201-SG
ESX 4.0: ESX400-201203401-SG
ESX 3.5: ESX350-201203401-SG

The vendor's advisory is available at:

http://www.vmware.com/security/advisories/VMSA-2012-0006.html

Vendor URL:  www.vmware.com/security/advisories/VMSA-2012-0006.html
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  [Security-announce] VMSA-2012-0006 VMware ESXi and ESX address several security issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 -----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2012-0006
Synopsis:    VMware ESXi and ESX address several security issues
Issue date:  2012-03-29
Updated on:  2012-03-29 (initial advisory)
CVE numbers: CVE-2012-1515, CVE-2011-2482, CVE-2011-3191, CVE-2011-4348
             CVE-2011-4862
 -----------------------------------------------------------------------
1. Summary

   VMware ESXi and ESX address several security issues.

2. Relevant releases

   ESXi 4.1 without patch ESXi410-201101201-SG
   ESXi 4.0 without patch ESXi400-201203401-SG
   ESXi 3.5 without patch ESXe350-201203401-I-SG

   ESX 4.1 without patch ESX410-201101201-SG
   ESX 4.0 without patches ESX400-201203401-SG, ESX400-201203407-SG
   ESX 3.5 without patch ESX350-201203401-SG

3. Problem Description
  
   a. VMware ROM Overwrite Privilege Escalation
  
      A flaw in the way port-based I/O is handled allows for modifying
      Read-Only Memory that belongs to the Virtual DOS Machine.
      Exploitation of this issue may lead to privilege escalation on
      Guest Operating Systems that run Windows 2000, Windows XP
      32-bit, Windows Server 2003 32-bit or Windows Server 2003 R2
      32-bit.
  
      VMware would like to thank Derek Soeder of Ridgeway Internet
      Security, L.L.C. for reporting this issue to us.
   
      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2012-1515 to this issue.
  
      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.
  
      VMware         Product   Running  Replace with/
      Product        Version   on       Apply Patch
      =============  ========  =======  =================
      vCenter        any       Windows  not affected
  
      Workstation    8.x       any      not affected
                           
      Player         4.x       any      not affected
                           
      Fusion         4.x       Mac OS/X not affected
  
      ESXi           5.0       ESXi     not affected
      ESXi           4.1       ESXi     ESXi410-201101201-SG
      ESXi           4.0       ESXi     ESXi400-201203401-SG
      ESXi           3.5       ESXi     ESXe350-201203401-I-SG
  
      ESX            4.1       ESX      ESX410-201101201-SG
      ESX            4.0       ESX      ESX400-201203401-SG
      ESX            3.5       ESX      ESX350-201203401-SG
  
   b. ESX third party update for Service Console kernel
  
      The ESX Service Console Operating System (COS) kernel is updated
      to kernel-400.2.6.18-238.4.11.591731 to fix multiple security
      issues in the COS kernel.
  
      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2011-2482, CVE-2011-3191 and
      CVE-2011-4348 to these issues.
  
      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.
  
      VMware         Product   Running  Replace with/
      Product        Version   on       Apply Patch
      =============  ========  =======  =================
      vCenter        any       Windows  not affected
  
      hosted *       any       any      not affected
  
      ESXi           any       ESXi     not affected
  
      ESX            4.1       ESX      patch pending **
      ESX            4.0       ESX      ESX400-201203401-SG
      ESX            3.5       ESX      not applicable
  
      * hosted products are VMware Workstation, Player, ACE, Fusion.
  
      ** One of the three issues, CVE-2011-2482, has already been
         addressed on ESX 4.1 in an earlier kernel patch. See
         VMSA-2012-0001 for details.
   
   c. ESX third party update for Service Console krb5 RPM
  
      This patch updates the krb5-libs and krb5-workstation RPMs to
      version 1.6.1-63.el5_7 to resolve a security issue.
  
      By default, the affected krb5-telnet and ekrb5-telnet services
      do not run. The krb5 telnet daemon is an xinetd service.  You
      can run the following commands to check if krb5 telnetd is
      enabled:

        /sbin/chkconfig --list krb5-telnet
        /sbin/chkconfig --list ekrb5-telnet
     
      The output of these commands displays if krb5 telnet is enabled.
     
      You can run the following commands to disable krb5 telnet
      daemon:

        /sbin/chkconfig krb5-telnet off
        /sbin/chkconfig ekrb5-telnet off
  
      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2011-4862 to this issue.
  
      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.
  
      VMware         Product   Running  Replace with/
      Product        Version   on       Apply Patch
      =============  ========  =======  =================
      vCenter        any       Windows  not affected
  
      hosted *       any       any      not affected
  
      ESXi           any       ESXi     not affected
  
      ESX            4.1       ESX      not applicable
      ESX            4.0       ESX      ESX400-201203407-SG
      ESX            3.5       ESX      not applicable
  
      * hosted products are VMware Workstation, Player, ACE, Fusion.
  
4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   ESXi 4.1
   --------
   update-from-esxi4.1-4.1_update01
   md5sum: 2f1e009c046b20042fae3b7ca42a840f
   sha1sum: 1c9c644012dec657a705ddd3d033cbfb87a1fab1
   http://kb.vmware.com/kb/1027919

   update-from-esxi4.1-4.1_update01 contains ESXi410-201101201-SG

   ESXi 4.0
   --------
   ESXi400-201203001
   md5sum: 8054b2e7c9cd024e492ac5c1fb9c1e72
   sha1sum: 6150fee114d70603ccae399f42b905a6b1a7f3e1
   http://kb.vmware.com/kb/2011777

   ESXi400-201203001 contains ESXi400-201203401-SG

   ESXi 3.5
   --------
   ESXe350-201203401-O-SG
   md5sum: 44124458684d6d1b957b4e39cbe97d77
   sha1sum: 2255311bc6c27e127e075040eb1f98649b5ce8be
   http://kb.vmware.com/kb/2009160

   ESXe350-201203401-O-SG contains ESXe350-201203401-I-SG
   
   ESX 4.1
   -------
   update-from-esx4.1-4.1_update01
   md5sum: 2d81a87e994aa2b329036f11d90b4c14
   sha1sum: c2bfc0cf7ac03d24afd5049ddbd09a865aad1798
   http://kb.vmware.com/kb/1027904
 
   update-from-esx4.1-4.1_update01 contains ESX410-201101201-SG
   
   ESX 4.0
   -------
   ESX400-201203001
   md5sum: 02b7e883e8b438b83bf5e53a1be71ad3
   sha1sum: 34734a8edba225a332731205ee2d6575ad9e1c88
   http://kb.vmware.com/kb/2011767

   ESX400-201203001 contains ESX400-201203401-SG and ESX400-201203407-SG

   ESX 3.5
   -------
   ESX350-201203401-SG
   md5sum: 07743c471ce46de825c36c2277ccd500
   sha1sum: cb77e6f820e1015311bf2386b240fd84f0ad04dd
   http://kb.vmware.com/kb/2009155
   
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1515
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2482
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3191
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4348
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862

 -----------------------------------------------------------------------

6. Change log

   2012-03-29 VMSA-2012-0006
   Initial security advisory in conjunction with the release of patches
   for ESX 4.0 on 2012-03-29.

 -----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
   
   This Security Advisory is posted to the following lists:
   
     * security-announce at lists.vmware.com
     * bugtraq at securityfocus.com
     * full-disclosure at lists.grok.org.uk
   
   E-mail:  security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055
   
   VMware Security Advisories
   http://www.vmware.com/security/advisories
   
   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html
   
   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html
   
   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html
   
   Copyright 2012 VMware Inc.  All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAk91Pd0ACgkQDEcm8Vbi9kPdugCfXs7gbuu4YxHzM1zqmNuHBO3D
L6kAoIJTyaDPeZKmIyzBR3P86G0wd/+F
=84Nj
-----END PGP SIGNATURE-----
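
The check in section 3.c of the advisory, written out as an added example (this is not part of VMware's advisory or of SecurityTracker's alert): a shell helper that classifies the output of `/sbin/chkconfig --list` for the two krb5 telnet services. The function names, the sample lines and the exact wording of the "service not installed" error are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: interpret `chkconfig --list <service>` output for the two
# krb5 telnet services named in VMSA-2012-0006, section 3.c (CVE-2011-4862).

# krb5_telnet_state: read one service's chkconfig output on stdin and print
# one of: enabled | disabled | absent | unknown
krb5_telnet_state() {
    awk '
        # Assumed error text when the service is not installed.
        /error reading information/ { state = "absent"; exit }
        # xinetd-managed services print "<name> on" or "<name> off".
        NF == 2 && $2 == "on"  { state = "enabled";  exit }
        NF == 2 && $2 == "off" { state = "disabled"; exit }
        # SysV-style services print one "<runlevel>:on|off" field per runlevel.
        NF > 2 {
            state = "disabled"
            for (i = 2; i <= NF; i++) if ($i ~ /^[0-6]:on$/) state = "enabled"
            exit
        }
        END { print (state == "" ? "unknown" : state) }
    '
}

# audit_krb5_telnet: query both services on the local ESX Service Console.
# Returns 1 if either service is enabled, 0 otherwise.
audit_krb5_telnet() {
    rc=0
    for svc in krb5-telnet ekrb5-telnet; do
        state=$(/sbin/chkconfig --list "$svc" 2>&1 | krb5_telnet_state)
        echo "$svc: $state"
        if [ "$state" = "enabled" ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_ON='krb5-telnet     on'
SAMPLE_OFF='ekrb5-telnet    off'
SAMPLE_ABSENT='error reading information on service krb5-telnet: No such file or directory'

# Demonstration on the constructed samples; on a real host call audit_krb5_telnet.
for sample in "$SAMPLE_ON" "$SAMPLE_OFF" "$SAMPLE_ABSENT"; do
    printf '%-45.45s -> %s\n' "$sample" "$(printf '%s\n' "$sample" | krb5_telnet_state)"
done
```

A non-zero return from `audit_krb5_telnet` means at least one of the two services should be turned off with the `chkconfig ... off` commands from the advisory until ESX400-201203407-SG is applied.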