VMware Security Advisory: ESX and ESXi Patches

By Marc Handelman on October 6th, 2008

VMWare has released a Security Advisory, detailing multiple vulnerabilities in several products (ESX & ESXi), all mitigated by released patches. Read the full advisory texr, along with download links, after the break.

VMware Security Advisory

Advisory ID: VMSA-2008-0016
Synopsis: VMware Hosted products, VirtualCenter Update 3 and
patches for ESX and ESXi resolve multiple security issues
Issue date: 2008-10-03
Updated on: 2008-10-03 (initial release of advisory)
CVE numbers: CVE-2008-4279 CVE-2008-4278 CVE-2008-3103
CVE-2008-3104 CVE-2008-3105 CVE-2008-3106
CVE-2008-3107 CVE-2008-3108 CVE-2008-3109
CVE-2008-3110 CVE-2008-3111 CVE-2008-3112
CVE-2008-3113 CVE-2008-3114 CVE-2008-3115
————————————————————————

1. Summary

VMware addresses a in-guest privilege escalation on 64-bit guest
operating systems in ESX, ESXi, and previously released versions of
our hosted product line. Updated VMware VirtualCenter Update 3
addresses potential information disclosure and updates Java JRE
packages.

2. Relevant releases

VirtualCenter 2.5 before Update 3 build 119838

VMware Workstation 6.0.4 and earlier,
VMware Workstation 5.5.7 and earlier,
VMware Player 2.0.4 and earlier,
VMware Player 1.0.7 and earlier,
VMware ACE 2.0.4 and earlier,
VMware ACE 1.0.6 and earlier,
VMware Server 1.0.6 and earlier,

VMware ESXi 3.5 without patch ESXe350-200809401-I-SG

ESX 3.5 without patch ESX350-200809404-SG

ESX 3.0.3 without patch ESX303-200809401-SG
ESX 3.0.2 without patch ESX-1006361
ESX 3.0.1 without patch ESX-1006678

NOTE: Hosted products VMware Workstation 5.x, VMware Player 1.x,
and VMware ACE 1.x will reach end of general support
2008-11-09. Customers should plan to upgrade to the latest
version of their respective products.

Extended support (Security and Bug fixes) for ESX 3.0.2 ends
on 10/29/2008 and Extended support for ESX 3.0.2 Update 1
ends on 8/8/2009. Users should plan to upgrade to ESX 3.0.3
and preferably to the newest release available.

Extended Support (Security and Bug fixes) for ESX 3.0.1 has
ended on 2008-07-31.

3. Problem Description

a. Privilege escalation on 64-bit guest operating systems

VMware products emulate hardware functions, like CPU, Memory, and
IO.

A flaw in VMware’s CPU hardware emulation could allow the
virtual CPU to jump to an incorrect memory address. Exploitation of
this issue on the guest operating system does not lead to a
compromise of the host system but could lead to a privilege
escalation on guest operating system. An attacker would need to
have a user account on the guest operating system.

Affected
64-bit Windows and 64-bit FreeBSD guest operating systems and
possibly other 64-bit operating systems. The issue does not
affect the 64-bit versions of Linux guest operating systems.

VMware would like to thank Derek Soeder for discovering
this issue and working with us on its remediation.

The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2008-4279 this issue.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected

Workstation 6.5.x any not affected
Workstation 6.0.x any 6.0.5 build 109488 or later
Workstation 5.x any 5.5.8 build 108000 or later

Player 2.5.x any not affected
Player 2.0.x any 2.0.5 build 109488 or later
Player 1.x any 1.0.8 build or later

ACE 2.5.x Windows not affected
ACE 2.0.x Windows not affected
ACE 1.x Windows not affected

Server 2.x any not affected
Server 1.x any 1.0.7 build 108231 or later

Fusion 2.x Mac OS/X not affected
Fusion 1.x Mac OS/X not affected

ESXi 3.5 ESXi ESXe350-200809401-I-SG

ESX 3.5 ESX ESX350-200809404-SG
ESX 3.0.3 ESX ESX303-200809401
ESX 3.0.2 ESX ESX-1006361
ESX 3.0.1 ESX ESX-1006678
ESX 2.5.5 ESX not affected
ESX 2.5.4 ESX not affected

NOTE: The set of guest operating systems which is affected by
this issue is a subset of 64-bit operating systems
(see above for details)

b. Update for VirtualCenter fixes a potential information disclosure

This release resolves an issue where a user’s password could be
displayed in cleartext. When logging into VirtualCenter Server 2.0
with Virtual Infrastructure Client 2.5, the user password might be
displayed if it contains certain special characters. The dialog
box displaying the password can appear in front or hidden behind
other windows.

To remediate this issue the VirtualCenter client installations must
be updated after updating to VirtualCenter Update 3

VMware would like to thank Mark Woollatt for reporting this issue
to VMware.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-4278 to this issue.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
======== ======== ======= =======================
Virtual- 2.5 Windows Update 3 build 119838
Center
Virtual- 2.0.2 Windows not affected
Center

hosted * any any not affected

ESXi 3.5 ESXi not affected

ESX 3.5 ESX not affected
ESX 3.0.3 ESX not affected
ESX 3.0.2 ESX not affected
ESX 3.0.1 ESX not affected
ESX 2.5.5 ESX not affected
ESX 2.5.4 ESX not affected

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

c. Update for VirtualCenter updates JRE to version 1.5.0_16

Update for VirtualCenter updates the JRE package to version 1.5.0_16,
which addresses multiple security issues that existed in the previous
version of JRE.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-3103, CVE-2008-3104, CVE-2008-3105,
CVE-2008-3106, CVE-2008-3107, CVE-2008-3108, CVE-2008-3109,
CVE-2008-3110, CVE-2008-3111, CVE-2008-3112, CVE-2008-3113,
CVE-2008-3114, CVE-2008-3115 to the security issues fixed in
JRE 1.5.0_16.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

hosted * any any not affected

ESXi 3.5 ESXi not affected

ESX 3.5 ESX affected, patch pending
ESX 3.0.3 ESX affected, patch pending
ESX 3.0.2 ESX affected, patch pending
ESX 3.0.1 ESX affected, patch pending
ESX 2.5.5 ESX not affected
ESX 2.5.4 ESX not affected

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

Notes: These vulnerabilities can be exploited remotely only if the
attacker has access to the Service Console network.
Security best practices provided by VMware recommend that the
Service Console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.

The currently installed version of JRE depends on your patch
deployment history.

4. Solution

Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.

VirtualCenter
————-
VMware VirtualCenter 2.5 Update 3 build 119838
http://www.vmware.com/download/download.do?downloadGroup=VC250U3
DVD iso image
md5sum: 100161907e702ec745f8449f4958b1c4
Zip file
md5sum: 5ccc8e915044c046554e39390c2c142a
Release Notes
http://www.vmware.com/support/vi3/doc/vi3_vc25u3_rel_notes.html

VMware Workstation 6.0.5
————————
http://www.vmware.com/download/ws/
Release notes:
http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html

Windows binary
md5sum: 46b4c54f0493f59f52ac6c2965296859

RPM Installation file for 32-bit Linux
md5sum: 49ebfbd05d146ecc43262622ab746f03

tar Installation file for 32-bit Linux
md5sum: 14ac93bffeee72528629d4caecc5ef37

RPM Installation file for 64-bit Linux
md5sum: 0a856f1a1a31ba3c4b08bcf85d97ccf6

tar Installation file for 64-bit Linux
md5sum: 3b459254069d663e9873a661bc97cf6c

VMware Workstation 5.5.8
————————
http://www.vmware.com/download/ws/ws5.html
Release notes:
http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html

Windows binary:
md5sum: 745c3250e5254eaf6e65fcfc4172070f

Compressed Tar archive for 32-bit Linux
md5sum: 65a454749d15d4863401619d7ff5566e

Linux RPM version for 32-bit Linux
md5sum: d80adc73b1500bdb0cb24d1b0733bcff

VMware Player 2.0.5 and 1.0.8
—————————–
http://www.vmware.com/download/player/
Release notes Player 1.x:
http://www.vmware.com/support/player/doc/releasenotes_player.html
Release notes Player 2.0
http://www.vmware.com/support/player2/doc/releasenotes_player2.html

2.0.5 Windows binary
md5sum: 60265438047259b23ff82fdfe737f969

VMware Player 2.0.5 for Linux (.rpm)
md5sum: 3bc81e203e947e6ca5b55b3f33443d34

VMware Player 2.0.5 for Linux (.tar)
md5sum: f499603d790edc5aa355e45b9c5eae01

VMware Player 2.0.5 – 64-bit (.rpm)
md5sum: 85bc2f11d06c362feeff1a64ee5a6834

VMware Player 2.0.5 – 64-bit (.tar)
md5sum: b74460bb961e88817884c7e2c0f30215

1.0.8 Windows binary
md5sum: e5f927304925297a7d869f74b7b9b053

Player 1.0.8 for Linux (.rpm)
md5sum: a13fdb8d72b661cefd24e7dcf6e2a990

Player 1.0.8 for Linux (.tar)
md5sum: 99fbe861253eec5308d8c47938e8ad1e

VMware ACE 2.0.5
—————-
http://www.vmware.com/download/ace/
Release notes 2.0:
http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html

ACE Manager Server Virtual Appliance
Virtual Appliance for the ACE Management Server
md5sum: 41e7349f3b6568dffa23055bb629208d

ACE for Window 32-bit and 64-bit
Main installation file for Windows 32-bit and 64-bit host (ACE Option
Page key required for enabling ACE authoring)
md5sum: 46b4c54f0493f59f52ac6c2965296859

ACE Management Server for Windows
ACE Management Server installation file for Windows
md5sum: 33a015c4b236329bcb7e12c82271c417

ACE Management Server for Red Hat Enterprise Linux 4
ACE Management Server installation file for Red Hat Enterprise Linux 4
md5sum: dc3bd89fd2285f41ed42f8b28cd5535f

ACE Management Server for SUSE Enterprise Linux 9
ACE Management Server installation file for SUSE Enterprise Linux 9
md5sum: 2add6a4fc97e1400fb2f94274ce0dce0

VMware ACE 1.0.7
—————-
http://www.vmware.com/download/ace/
Release notes:
http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html
md5sum: 42d806cddb8e9f905722aeac19740f33

VMware Server 1.0.7
——————-
http://www.vmware.com/download/server/
Release notes:
http://www.vmware.com/support/server/doc/releasenotes_server.html

VMware Server for Windows 32-bit and 64-bit
md5sum: 2e2ee5ebe08ae48eac5e661cad01acf6

VMware Server Windows client package
md5sum: ce7d906a5a8de37cbc20db4332de1adb

VMware Server for Linux
md5sum: 04f201122b16222cd58fc81ca814ff8c

VMware Server for Linux rpm
md5sum: 6bae706df040c35851823bc087597d8d

Management Interface
md5sum: e67489bd2f23bcd4a323d19df4e903e8

VMware Server Linux client package
md5sum: 99f1107302111ffd3f766194a33d492b

ESXi
—-
ESXi 3.5 patch ESXe350-200809401-I-SG
http://download3.vmware.com/software/esx/ESXe350-200809401-O-SG.zip
md5sum: 0eadf92eaf0d721e63200348a53e0469
http://kb.vmware.com/kb/1007090

NOTE: ESXe350-200809401-O-SG contains the following patch bundles:
ESXe350-200809401-I-SG ESXe350-200808202-T-UG
ESXe350-200808203-C-UG

ESX
—
ESX 3.5 patch ESX350-200809404-SG
http://download3.vmware.com/software/esx/ESX350-200809404-SG.zip
md5sum: ee7e7f09e3a1e0aa4cc4b042a9a91a22
http://kb.vmware.com/kb/1007089

ESX 3.0.3 patch ESX303-200809401
http://download3.vmware.com/software/vi/ESX303-200809401-SG.zip
md5sum: e3be0f0f0b8a3ae612d99db2fa79c9e8
http://kb.vmware.com/kb/1006673

ESX 3.0.2 patch ESX-1006361
http://download3.vmware.com/software/vi/ESX-1006361.tgz
md5sum: f5c997ee045ba190e41f75b65e67c309
http://kb.vmware.com/kb/1006361

ESX 3.0.1 patch ESX-1006678
http://download3.vmware.com/software/vi/ESX-1006678.tgz
md5sum: 68e43b272569693b1f54fd206b2a89ca
http://kb.vmware.com/kb/1006678

5. References

- ————————————————————————
6. Change log

2008-10-03 VMSA-2008-0016
Initial security advisory after release of ESX 3.5 and ESXi patches and
VirtualCenter 2.5 Update 3 on 2008-10-03. Relevant patches for ESX 3.0.x
came out on 2008-09-30. Hosted releases were on 2008-08-28, see
VMSA-2008-0014 for details.

Categories: Data Security, Features, Infosecurity
Tags: Features, Virtual Machine Security, Virtualization, VMWare