[security-announce] 20090403 VMSA-2009-0005 VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues

20090403 VMSA-2009-0005 VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues

GLSA-201209-25

34373

1021974

http://www.vmware.com/security/advisories/VMSA-2009-0005.html

ADV-2009-0944

oval:org.mitre.oval:def:6251

The remote host is affected by the vulnerability described in GLSA-201209-25 (VMware Player, Server, Workstation: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in VMware Player, Server,       and Workstation. Please review the CVE identifiers referenced below for       details.
  Impact :

    Local users may be able to gain escalated privileges, cause a Denial of       Service, or gain sensitive information.
    A remote attacker could entice a user to open a specially crafted file,       possibly resulting in the remote execution of arbitrary code, or a Denial       of Service. Remote attackers also may be able to spoof DNS traffic, read       arbitrary files, or inject arbitrary web script to the VMware Server       Console.
    Furthermore, guest OS users may be able to execute arbitrary code on the       host OS, gain escalated privileges on the guest OS, or cause a Denial of       Service (crash the host OS).
  Workaround :

    There is no known workaround at this time.

a. Denial of service guest to host vulnerability in a virtual device

   A vulnerability in a guest virtual device driver, could allow a    guest operating system to crash the host and consequently any    virtual machines on that host.

   VMware would like to thank Andrew Honig of the Department of    Defense for reporting this issue.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-4916 to this issue.

b. Windows-based host denial of service vulnerability in hcmon.sys

   A vulnerability in an ioctl in hcmon.sys could be used to create    a denial of service on a Windows-based host. This issue can only    be exploited by a privileged Windows account.

   VMware would like to thank Nikita Tarakanov for reporting this    issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2009-1146 to this issue.

   Note: newly released hosted products (see table in this section)    address another potential denial of service in hcmon.sys as well.
   Also this issue can only be exploited by a privileged Windows    account.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-3761 to this issue.

c. A VMCI privilege escalation on Windows-based hosts or Windows-    based guests.

   The Virtual Machine Communication Interface (VMCI) is an    infrastructure that provides fast and efficient communication    between a virtual machine and the host operating system and    between two or more virtual machines on the same host.

   A vulnerability in vmci.sys could allow privilege escalation on    Windows-based machines. This could occur on Windows-based hosts or    inside Windows-based guest operating systems.  

   Current versions of ESX do not support the VMCI interface and    hence they are not affected by this vulnerability.
     Note: Installing the new hosted releases will not remediate the    issue on Windows-based guests. The VMware Tools packages will need    to be updated on each Windows-based guest followed by a reboot    of the guest system.

   VMware would like to thank Nikita Tarakanov for reporting this    issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the name CVE-2009-1147 to this issue.

   Refer to VMware KB article 1009826 on the steps that are needed to    remediate this vulnerability on Windows-based hosts. This KB article    is found at http://kb.vmware.com/kb/1009826.

d. VNnc Codec Heap Overflow vulnerabilities

   The VNnc Codec assists in Record and Replay sessions. Record and    Replay record the dynamic virtual machine state over a period of    time.

   Two heap overflow vulnerabilities could allow a remote attacker to    execute arbitrary code on VMware hosted products. For an attack to    be successful the user must be tricked into visiting a malicious web    page or opening a malicious video file.

   VMware would like to thank Aaron Portnoy from TippingPoint DVLabs    for reporting these issues to us. TippingPoint has issued the    following identifiers: ZDI-CAN-435, ZDI-CAN-436.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    has assigned the names CVE-2009-0909 and CVE-2009-0910 to these    issues.

e. ACE shared folders vulnerability

   The VMware Host Guest File System (HGFS) shared folders feature allows    users to transfer data between a guest operating system and the    non-virtualized host operating system that contains it.

   A vulnerability in ACE shared folders could allow a previously disabled    and not removed shared folder in the guest to be enabled by a non ACE    Administrator.
        VMware would like to thank Emmanouel Kellinis, KPMG London, penetration    testing team for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    has assigned the name CVE-2009-0908 to this issue.

f. A remote denial of service vulnerability in authd for Windows    based hosts.

   A vulnerability in vmware-authd.exe could cause a denial    of service condition on Windows hosts.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-0177 to this issue.

g. VI Client Retains VirtualCenter Server Password in Memory

   After logging in to VirtualCenter Server with VI Client, the    password for VirtualCenter Server might be present in the memory    of the VI Client.

   Note: This vulnerability is present in VI Client and in order to    remediate the vulnerability, you will need to replace VI Client    with a fixed version (see below).

   VMware would like to thank Craig Marshall for reporting this    issue to us.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-0518 to this issue.

VMware products installed on the remote host are reportedly affected by multiple vulnerabilities :

  - A vulnerability in the guest virtual device driver could     allow an attacker to use the guest operating system to     crash the host operating system. (CVE-2008-3761)

  - A denial of service vulnerability affects an unspecified     IOCTL contained in the 'hcmon.sys' driver. An attacker     can exploit this in order to deny service on a Windows-     based host. (CVE-2009-1146, CVE-2008-3761)

  - A privilege escalation vulnerability affects the     'vmci.sys' driver on Windows-based machines. An attacker     can exploit this in order to gain escalated privileges     on either the host or the guest. (CVE-2009-1147)

  - The 'VNnc' codec is affected by two heap-based buffer     overflow vulnerabilities. An attacker can exploit these     to execute arbitrary code on VMware hosted products by     tricking a user into opening a malicious file.
    (CVE-2009-0909, CVE-2009-0910)

  - A vulnerability in ACE shared folder may allow attackers     to enable previously disabled shared ACE folders. This     only affects VMware ACE. (CVE-2009-0908)

  - A remote denial of service vulnerability affects Windows     hosts. An attacker can exploit this to crash the     affected host. (CVE-2009-0177)

  - A vulnerability in the virtual machine display function     may allow a guest operating system to run code on the     host. (CVE-2009-1244)

  - A vulnerability in VMware Descheduled Time Accounting     Service could be exploited to trigger a denial of     service condition in Windows-based virtual machines. It     should be noted that, this feature is optional, and     the vulnerability can be exploited only if the feature     is installed, and the affected service is not running in     the virtual machine. (CVE-2009-1805)

ID	Name	Product	Family	Severity
62383	GLSA-201209-25 : VMware Player, Server, Workstation: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
40390	VMSA-2009-0005 : VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues	Nessus	VMware ESX Local Security Checks	high
36117	VMware Products Multiple Vulnerabilities (VMSA-2009-0005/VMSA-2009-0007)	Nessus	Windows	high

CVE-2009-0909

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

medium

high

high