[security-alerts] FW: [SA26890] VMWare Products Multiple Vulnerabilities

["Kazennov, Vladimir" <Vladimir.Kazennov@xxxxxxxxxx>]

> ----------------------------------------------------------------------
>
> TITLE:
> VMWare Products Multiple Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA26890
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/26890/
>
> CRITICAL:
> Moderately critical
>
> IMPACT:
> Privilege escalation, DoS, System access
>
> WHERE:
> From local network
>
> REVISION:
> 1.1 originally posted 2007-09-20
>
> OPERATING SYSTEM:
> VMware ESX Server 3.x
> http://secunia.com/product/10757/
> VMware ESX Server 2.x
> http://secunia.com/product/2125/
>
> SOFTWARE:
> VMware Workstation 5.x
> http://secunia.com/product/5080/
> VMware Workstation 6.x
> http://secunia.com/product/14321/
> VMware Player 1.x
> http://secunia.com/product/6594/
> VMWare Player 2.x
> http://secunia.com/product/15771/
> VMware Server 1.x
> http://secunia.com/product/10733/
> VMware ACE 1.x
> http://secunia.com/product/6593/
> VMWare ACE 2.x
> http://secunia.com/product/15772/
>
> DESCRIPTION:
> Multiple vulnerabilities have been reported in various VMware
> products, which can be exploited by malicious, local users to gain
> escalated privileges or cause a DoS (Denial of Service) or by
> malicious people to compromise a vulnerable system.
>
> 1) An unspecified error can be exploited by a user with
> administrative privileges in the guest system to cause a memory
> corruption on a certain host process.
>
> Successful exploitation may allow execution of arbitrary code on the
> host system.
>
> 2) An unspecified error can be exploited within the guest system to
> cause a host process to crash.
>
> The vulnerabilities affect VMWare ESX 3.0.1, 3.0.0, 2.5.4, 2.5.3,
> 2.1.3, and 2.0.2, VMWare Workstation 6.0.0 and 5.5.4, VMWare Player
> 2.0.0 and 1.0.4, VMWare Server 1.0.3, and VMWare ACE 2.0.0 and
> 1.0.3.
>
> 3) An integer underflow error in the DHCP server can be exploited to
> cause a stack-based buffer overflow via a specially crafted DHCP
> packet.
>
> 4) An integer overflow error in the DHCP server can be exploited to
> cause a stack-based buffer overflow via a specially crafted DHCP
> packet.
>
> 5) Improper handling of malformed DHCP packets can be exploited to
> execute arbitrary code via a specially crafted DHCP packet.
>
> Successful exploitation of the vulnerabilities allow execution of
> arbitrary code.
>
> 6) Improper starting of registered services can be exploited to gain
> escalated privileges.
>
> The vulnerabilities affect VMWare Workstation 6.0.0 and 5.5.4, VMWare
> Player 2.0.0 and 1.0.4, VMWare Server 1.0.3, and VMWare ACE 2.0.0 and
> 1.0.3.
>
> SOLUTION:
> Update to the latest version or apply patches.
>
> -- VMware ESX 3.0.1 --
>
> Patch Bundle ESX-8258730:
> http://www.vmware.com/support/vi3/doc/esx-8258730-patch.html
> md5sum a06d0e36e403b0fe6bc6fbc76220a86d
>
>
> -- VMware ESX 3.0.0 --
>
> Patch Bundle ESX-4809553:
> http://www.vmware.com/support/vi3/doc/esx-4809553-patch.html
> md5sum cd363526aab5fa6c45bf2509cb5ae500
>
> NOTE: The vendor recommends users to update to version 3.0.1 as 3.0.0
> is nearing its End-of-life.
>
>
> -- VMware ESX 2.5.4 --
> Apply patch 10 (Build# 53326)
> http://www.vmware.com/support/esx25/doc/esx-254-200708-patch.html
> md5sum 8f29f906e0f3c8605a203f914f36b3d1
>
>
> -- VMWare ESX 2.5.3 --
> Apply patch 13 (Build# 52488)
> http://www.vmware.com/support/esx25/doc/esx-253-200708-patch.html
> md5sum 32ba19deb7af268ab357710145f8659b
>
> NOTE: The vendor recommends users to update to version 2.5.4 or later
> as 2.5.3 is nearing its End-of-life.
>
>
> -- VMware ESX 2.1.3 --
> Apply patch  8 (Build# 53228)
> http://www.vmware.com/support/esx21/doc/esx-213-200708-patch.html
> md5sum 32f9f87a99c5c801dd61492a9d91dfe2
>
> NOTE: The vendor recommends users to update to version 2.5.4 or later
> as 2.1.3 is nearing its End-of-life.
>
>
> -- VMware ESX 2.0.2 --
> Apply patch  8 (Build# 52650)
> http://www.vmware.com/support/esx2/doc/esx-202-200708-patch.html
> md5sum f36bb75b51f79e4ba2a2f01a71c3bb08
>
> NOTE: The vendor recommends users to update to version 2.5.4 or later
> as 2.0.2 is nearing its End-of-life.
>
>
> -- VMware Workstation 6.0.0 --
> Update to version 6.0.1 (Build# 55017)
> http://www.vmware.com/download/ws/
>
>
> -- VMware Workstation 5.5.4 --
> Update to version 5.5.5 (Build# 56455)
> http://www.vmware.com/download/ws/ws5.html
>
>
> -- VMware Player 2.0.0 --
> Update to version 2.0.1 (Build# 55017)
> http://www.vmware.com/download/player/
>
>
> -- VMware Player 1.0.4 --
> Update to version 1.0.5 (Build# 56455)
> http://www.vmware.com/download/player/
>
>
> -- VMware Server 1.0.3 --
> Update to version 1.0.4 (Build# 56528)
> http://www.vmware.com/download/server/
>
>
> -- VMware ACE 2.0.0 --
> Update to version 2.0.1 (Build# 55017)
> http://www.vmware.com/download/ace/
>
>
> -- VMware ACE 1.0.3 --
> Update to version 1.0.4 (Build# 54075)
> http://www.vmware.com/download/ace/
>
> PROVIDED AND/OR DISCOVERED BY:
> The vendor credits:
> 1-2) Rafal Wojtczvk, McAfee
> 3-5) Neel Mehta and Ryan Smith, IBM ISS X-Force
> 6) Foundstone
>
> CHANGELOG:
> 2007-09-20: Updated advisory and added additional links.
>
> ORIGINAL ADVISORY:
> VMWare:
> http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html#601
> http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html#555
> http://www.vmware.com/support/server/doc/releasenotes_server.h
> tml#resolved
> http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html#new_201
> http://www.vmware.com/support/player/doc/releasenotes_player.html#105
> http://www.vmware.com/support/player2/doc/releasenotes_player2
> .html#201
> http://lists.grok.org.uk/pipermail/full-disclosure/2007-Septem
> ber/065902.html
>
> IBM ISS X-Force:
> http://www.iss.net/threats/275.html
> http://xforce.iss.net/xforce/xfdb/33103
> http://xforce.iss.net/xforce/xfdb/33102
> http://xforce.iss.net/xforce/xfdb/33101
>