VMSA-2008-0001.1

Updated service console patches.

1. Summary:

Updated service console patches

2. Relevant releases:

ESX Server 3.0.2 without patches ESX-1002969, ESX-1002970, ESX-1002971, ESX-1002975, ESX-1002976

ESX Server 3.0.1 without patches ESX-1002962, ESX-1002963, ESX-1002964, ESX-1002968, ESX-1002972, ESX-1003176

ESX Server 2.5.5 before Upgrade Patch 3

ESX Server 2.5.5 before Upgrade Patch 14

3. Problem description:

I Service Console package security updates

a. OpenPegasus PAM Authentication Buffer Overflow
Alexander Sotirov from VMware Security Research discovered a buffer overflow vulnerability in the OpenPegasus Management server.

This flaw could be exploited by a malicious remote user on the service console network to gain root access to the service console.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5360 to this issue.

RPM Updated: pegasus-2.5-552927
VM Shutdown: No
Host Reboot: No

Note: ESX Server 3.5 and ESX Server 3i are not affected by this issue.

ESX Server 3.0.2
download3.vmware.com/software/vi/ESX-1002970.tgz
md5sum: d19115e965d486e72100ce489efea707
kb.vmware.com/kb/1002970

ESX Server 3.0.1
download3.vmware.com/software/vi/ESX-1003176.tgz
md5sum: 5674ca0dcfac90726014cc316444996e
kb.vmware.com/kb/1003176

ESX Server 2.5.x
Users should remove the OpenPegasus CIM Management rpm. This component is disabled by default, and VMware recommends that you do not use this component of ESX Server 2.x. If you want to use the CIM functionality, upgrade to ESX Server 3.0.1 or a later release.

Note: This vulnerability can be exploited remotely only if the attacker has access to the service console network.

Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see www.vmware.com/resources/techresources/726 for more information on VMware security best practices.

b. Updated Samba package
An issue where attackers on the service console management network can cause a stack-based buffer overflow in the reply_netbios_packet function of nmbd in Samba. On systems where Samba is being used as a WINS server, exploiting this vulnerability can allow remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.

An issue where attackers on the service console management network can exploit a vulnerability that occurs when Samba is configured as a Primary or Backup Domain controller. The vulnerability allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-5398 and CVE-2007-4572 to these issues.

Note: By default Samba is not configured as a WINS server or a domain controller and ESX is not vulnerable unless the administrator has changed the default configuration.

This vulnerability can be exploited remotely only if the attacker has access to the service console network.

Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see www.vmware.com/resources/techresources/726 for more information on VMware security best practices.

RPM Updated:
samba-3.0.9-1.3E.14.1vmw
samba-client-3.0.9-1.3E.14.1vmw
samba-common-3.0.9-1.3E.14.1vmw

VM Shutdown: Yes
Host Reboot: Yes

ESX Server 3.5.0
download3.vmware.com/software/vi/ESX350-200712402-SG
md5sum: d83eeef80e27b739546915bc17390ac0
kb.vmware.com/kb/1003204

ESX Server 3.0.2
download3.vmware.com/software/vi/ESX-1002975.tgz
md5sum: 797a7494c2c4eb49629d3f94818df5dd
kb.vmware.com/kb/1002975

ESX Server 3.0.1
download3.vmware.com/software/vi/ESX-1002968.tgz
md5sum: 5106d90afaf77c3a0d8433487f937d06
kb.vmware.com/kb/1002968

ESX Server 2.5.5 download Upgrade Patch 3
ESX Server 2.5.4 download Upgrade Patch 14

c. Updated util-linux package
The patch addresses an issue where the mount and umount utilities in util-linux call the setuid and setgid functions in the wrong order and do not check the return values, which could allow attackers to gain elevated privileges via helper application such as mount.nfs.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5191 to this issue.

RPM Updated:
util-linux-2.11y-31.24vmw
losetup-2.11y-31.24vmw
mount -2.11y-31.24vmw

VM Shutdown: Yes
Host Reboot: Yes

ESX Server 3.5
download3.vmware.com/software/vi/ESX350-200712403-SG.zip
md5sum: 0656cc3da5a92b22a337ad27ae6f8a6b
kb.vmware.com/kb/1003205

ESX Server 3.0.2
download3.vmware.com/software/vi/ESX-1002976.tgz md5sum: 0fe833c50c0ecb0ff9340d6674be2e43
kb.vmware.com/kb/1002976

ESX Server 3.0.1
download3.vmware.com/software/vi/ESX-1002972.tgz md5sum: 59ca4a43f330c5f0b7a55693aa952cdc
kb.vmware.com/kb/1002972

d. Updated Perl package
The update addresses an issue where the regular expression engine in Perl can be used to issue a specially crafted regular expression that allows the attacker to run arbitrary code with the permissions level of the current Perl user.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5116 to this issue.

RPM Updated:
perl-5.8.0-97.EL3

VM Shutdown: Yes
Host Reboot: Yes

ESX Server 3.5
download3.vmware.com/software/vi/ESX350-200712404-SG.zip
md5sum: 8f75050d73289cdf74563fa7e494d935
kb.vmware.com/kb/1003206

ESX Server 3.0.2
download3.vmware.com/software/vi/ESX-1002971.tgz
md5sum: 337b09d9ae4b1694a045e216b69765e1
kb.vmware.com/kb/1002971

ESX Server 3.0.1
download3.vmware.com/software/vi/ESX-1002964.tgz
md5sum: d47e26104bfd5e4018ae645638c94487
kb.vmware.com/kb/1002964

e. Updated OpenSSL package
A flaw in the SSL_get_shared_ciphers() function could allow an attacker to cause a buffer overflow problem by sending ciphers to applications that use the function.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-3108, and CVE-2007-5135 to these issues.

RPM Updated:
openssl-0.9.7a-33.24

VM Shutdown: Yes
Host Reboot: Yes

ESX Server 3.5
download3.vmware.com/software/vi/ESX350-200712405-SG.zip
md5sum: 3d0fbea4320e8e424388d4bdc54e40c3
kb.vmware.com/kb/1003208

ESX Server 3.0.2
download3.vmware.com/software/vi/ESX-1002969.tgz
md5sum: 72fd28a9f9380158db149259fbdcaa3b
kb.vmware.com/kb/1002969

ESX Server 3.0.1
download3.vmware.com/software/vi/ESX-1002962.tgz
md5sum: a0727bdc2e1a6f00d5fe77430a6ee9d6
kb.vmware.com/kb/1002962

ESX Server 2.5.5 download Upgrade Patch 3
ESX Server 2.5.4 download Upgrade Patch 14

4. Solution:

Please review the Patch notes for your product and version and verify the md5sum of your downloaded file.

ESX Server 3.5 Patches:
www.vmware.com/download/vi/vi3_patches_35.html

ESX Server 3.0.x Patches:
www.vmware.com/download/vi/vi3_patches.html

ESX Server 2.x Patches:
www.vmware.com/download/esx/esx2_patches.html

ESX Server 2.5.5 Upgrade Patch 3
download3.vmware.com/software/esx/esx-2.5.5-65742-upgrade.tar.gz
md5sum: 9068250fdd604e8787ef40995a4638f9
www.vmware.com/support/esx25/doc/esx-255-200712-patch.html

ESX Server 2.5.4 Upgrade Patch 14
download3.vmware.com/software/esx/esx-2.5.4-65752-upgrade.tar.gz
md5sum: 24990b9207f882ccc91545b6fc90273d
www.vmware.com/support/esx25/doc/esx-254-200712-patch.html

5. References:

CVE numbers

cve.mitre.org/cgi-bin/cvename.cgi

cve.mitre.org/cgi-bin/cvename.cgi

cve.mitre.org/cgi-bin/cvename.cgi

cve.mitre.org/cgi-bin/cvename.cgi

cve.mitre.org/cgi-bin/cvename.cgi

cve.mitre.org/cgi-bin/cvename.cgi

cve.mitre.org/cgi-bin/cvename.cgi

6. Contact:

E-mail list for product security notifications and announcements:
lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* [email protected]
* [email protected]
* [email protected]

E-mail: [email protected]

Security web site
www.vmware.com/security

VMware security response policy
www.vmware.com/support/policies/security_response.html

General support life cycle policy
www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc. All rights reserved.