VMSA-2008-0016.3

VMware Hosted products, VirtualCenter Update 3 and patches for ESX and ESXi resolve multiple security issues

1. Summary

VMware addresses a in-guest privilege escalation on 64-bit guest operating systems in ESX, ESXi, and previously released versions of our hosted product line. Updated VMware VirtualCenter Update 3 addresses potential information disclosure and updates Java JRE packages.

2. Relevant releases

VirtualCenter 2.5 before Update 3

VMware Workstation 6.0.4 and earlier,
VMware Workstation 5.5.7 and earlier,
VMware Player 2.0.4 and earlier,
VMware Player 1.0.7 and earlier,
VMware ACE 2.0.4 and earlier,
VMware ACE 1.0.6 and earlier,
VMware Server 1.0.6 and earlier,

VMware ESXi 3.5 without patch ESXe350-200809401-I-SG

VMware ESX 3.5 without patches ESX350-200809404-SG, ESX350-200810215-UG

VMware ESX 3.0.3 without patch ESX303-200809401-SG
VMware ESX 3.0.2 without patch ESX-1006361
VMware ESX 3.0.1 without patch ESX-1006678

NOTE: Hosted products VMware Workstation 5.x, VMware Player 1.x,
and VMware ACE 1.x will reach end of general support
2008-11-09. Customers should plan to upgrade to the latest
version of their respective products.

Extended support (Security and Bug fixes) for ESX 3.0.2 ends
on 2008-10-29 and Extended support for ESX 3.0.2 Update 1
ends on 2009-8-8. Users should plan to upgrade to ESX 3.0.3
and preferably to the newest release available.

Extended Support (Security and Bug fixes) for ESX 3.0.1 has
ended on 2008-07-31.

3. Problem Description

a. Privilege escalation on 64-bit guest operating systems
VMware products emulate hardware functions, like CPU, Memory, and IO.
A flaw in VMware's CPU hardware emulation could allow the virtual CPU to jump to an incorrect memory address. Exploitation of this issue on the guest operating system does not lead to a compromise of the host system but could lead to a privilege escalation on guest operating system. An attacker would need to have a user account on the guest operating system.
Affected
64-bit Windows and 64-bit FreeBSD guest operating systems and possibly other 64-bit operating systems. The issue does not affect the 64-bit versions of Linux guest operating systems.
VMware would like to thank Derek Soeder for discovering this issue and working with us on its remediation.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-4279 this issue.
The following table lists what action remediates the vulnerability (column 4) if a solution is available.

NOTE: The set of guest operating systems which is affected by this issue is a subset of 64-bit operating systems (see above for details)

b. Update for VirtualCenter fixes a potential information disclosure
This release resolves an issue where a user's password could be displayed in cleartext. When logging into VirtualCenter Server 2.0 with Virtual Infrastructure Client 2.5, the user password might be displayed if it contains certain special characters. The dialog box displaying the password can appear in front or hidden behind other windows.
To remediate this issue the VirtualCenter client installations must be updated after updating to VirtualCenter Update 3
VMware would like to thank Mark Woollatt for reporting this issue to VMware.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-4278 to this issue.
The following table lists what action remediates the vulnerability (column 4) if a solution is available.

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

c. Update for VirtualCenter updates JRE to version 1.5.0_16
Update for VirtualCenter updates the JRE package to version 1.5.0_16, which addresses multiple security issues that existed in the previous version of JRE.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-3103, CVE-2008-3104, CVE-2008-3105, CVE-2008-3106, CVE-2008-3107, CVE-2008-3108, CVE-2008-3109, CVE-2008-3110, CVE-2008-3111, CVE-2008-3112, CVE-2008-3113, CVE-2008-3114, CVE-2008-3115 to the security issues fixed in JRE 1.5.0_16.
The following table lists what action remediates the vulnerability (column 4) if a solution is available.

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

Notes: These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network. Security best practices provided by VMware recommend that the Service Console be isolated from the VM network. Please see www.vmware.com/resources/techresources/726 for more information on VMware security best practices.

The currently installed version of JRE depends on your patch deployment history.

4. Solution

Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.

VirtualCenter
-------------
VMware VirtualCenter 2.5 Update 3
www.vmware.com/download/download.do
DVD iso image
md5sum: 100161907e702ec745f8449f4958b1c4
Zip file
md5sum: 5ccc8e915044c046554e39390c2c142a
Release Notes
www.vmware.com/support/vi3/doc/vi3_vc25u3_rel_notes.html

VMware Workstation 6.0.5
------------------------
www.vmware.com/download/ws/
Release notes:
www.vmware.com/support/ws6/doc/releasenotes_ws6.html

Windows binary
md5sum: 46b4c54f0493f59f52ac6c2965296859

RPM Installation file for 32-bit Linux
md5sum: 49ebfbd05d146ecc43262622ab746f03

tar Installation file for 32-bit Linux
md5sum: 14ac93bffeee72528629d4caecc5ef37

RPM Installation file for 64-bit Linux
md5sum: 0a856f1a1a31ba3c4b08bcf85d97ccf6

tar Installation file for 64-bit Linux
md5sum: 3b459254069d663e9873a661bc97cf6c

VMware Workstation 5.5.8
------------------------
www.vmware.com/download/ws/ws5.html
Release notes:
www.vmware.com/support/ws55/doc/releasenotes_ws55.html

Windows binary:
md5sum: 745c3250e5254eaf6e65fcfc4172070f

Compressed Tar archive for 32-bit Linux
md5sum: 65a454749d15d4863401619d7ff5566e

Linux RPM version for 32-bit Linux
md5sum: d80adc73b1500bdb0cb24d1b0733bcff


VMware Player 2.0.5 and 1.0.8
-----------------------------
www.vmware.com/download/player/
Release notes Player 1.x:
www.vmware.com/support/player/doc/releasenotes_player.html
Release notes Player 2.0
www.vmware.com/support/player2/doc/releasenotes_player2.html

2.0.5 Windows binary
md5sum: 60265438047259b23ff82fdfe737f969

VMware Player 2.0.5 for Linux (.rpm)
md5sum: 3bc81e203e947e6ca5b55b3f33443d34

VMware Player 2.0.5 for Linux (.tar)
md5sum: f499603d790edc5aa355e45b9c5eae01

VMware Player 2.0.5 - 64-bit (.rpm)
md5sum: 85bc2f11d06c362feeff1a64ee5a6834

VMware Player 2.0.5 - 64-bit (.tar)
md5sum: b74460bb961e88817884c7e2c0f30215

1.0.8 Windows binary
md5sum: e5f927304925297a7d869f74b7b9b053

Player 1.0.8 for Linux (.rpm)
md5sum: a13fdb8d72b661cefd24e7dcf6e2a990

Player 1.0.8 for Linux (.tar)
md5sum: 99fbe861253eec5308d8c47938e8ad1e


VMware ACE 2.0.5
----------------
www.vmware.com/download/ace/
Release notes 2.0:
www.vmware.com/support/ace2/doc/releasenotes_ace2.html

ACE Manager Server Virtual Appliance
Virtual Appliance for the ACE Management Server
md5sum: 41e7349f3b6568dffa23055bb629208d

ACE for Window 32-bit and 64-bit
Main installation file for Windows 32-bit and 64-bit host (ACE Option
Page key required for enabling ACE authoring)
md5sum:46b4c54f0493f59f52ac6c2965296859

ACE Management Server for Windows
ACE Management Server installation file for Windows
md5sum:33a015c4b236329bcb7e12c82271c417

ACE Management Server for Red Hat Enterprise Linux 4
ACE Management Server installation file for Red Hat Enterprise Linux 4
md5sum:dc3bd89fd2285f41ed42f8b28cd5535f

ACE Management Server for SUSE Enterprise Linux 9
ACE Management Server installation file for SUSE Enterprise Linux 9
md5sum:2add6a4fc97e1400fb2f94274ce0dce0

VMware ACE 1.0.7
----------------
www.vmware.com/download/ace/
Release notes:
www.vmware.com/support/ace2/doc/releasenotes_ace2.html
md5sum: 42d806cddb8e9f905722aeac19740f33


VMware Server 1.0.7
-------------------
www.vmware.com/download/server/
Release notes:
www.vmware.com/support/server/doc/releasenotes_server.html

VMware Server for Windows 32-bit and 64-bit
md5sum: 2e2ee5ebe08ae48eac5e661cad01acf6

VMware Server Windows client package
md5sum: ce7d906a5a8de37cbc20db4332de1adb

VMware Server for Linux
md5sum: 04f201122b16222cd58fc81ca814ff8c

VMware Server for Linux rpm
md5sum: 6bae706df040c35851823bc087597d8d

Management Interface
md5sum: e67489bd2f23bcd4a323d19df4e903e8

VMware Server Linux client package
md5sum: 99f1107302111ffd3f766194a33d492b


ESXi
----
ESXi 3.5 patch ESXe350-200809401-I-SG
download3.vmware.com/software/esx/ESXe350-200809401-O-SG.zip
md5sum: 0eadf92eaf0d721e63200348a53e0469
kb.vmware.com/kb/1007090

NOTE: ESXe350-200809401-O-SG contains the following patch bundles:
ESXe350-200809401-I-SG ESXe350-200808202-T-UG
ESXe350-200808203-C-UG

ESX
---
ESX 3.5 patch ESX350-200810215-UG
download3.vmware.com/software/vi/ESX350-200810215-UG.zip
md5sum: 09ef1055da30bba3dfd5b08795d3d57e
kb.vmware.com/kb/1007055

ESX 3.5 patch ESX350-200809404-SG
download3.vmware.com/software/esx/ESX350-200809404-SG.zip
md5sum: ee7e7f09e3a1e0aa4cc4b042a9a91a22
kb.vmware.com/kb/1007089

ESX 3.0.3 patch ESX303-200809401-SG
download3.vmware.com/software/vi/ESX303-200809401-SG.zip
md5sum: e3be0f0f0b8a3ae612d99db2fa79c9e8
kb.vmware.com/kb/1006673

ESX 3.0.2 patch ESX-1006361
download3.vmware.com/software/vi/ESX-1006361.tgz
md5sum: f5c997ee045ba190e41f75b65e67c309
kb.vmware.com/kb/1006361

ESX 3.0.1 patch ESX-1006678
download3.vmware.com/software/vi/ESX-1006678.tgz
md5sum: 68e43b272569693b1f54fd206b2a89ca
kb.vmware.com/kb/1006678

5. References

CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4279
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3110
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3111
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3114
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3115

6. Change log

2008-10-03 VMSA-2008-0016
Initial security advisory after release of ESX 3.5 and ESXi patches and VirtualCenter 2.5 Update 3 on 2008-10-03. Relevant patches for ESX 3.0.x came out on 2008-09-30. Hosted releases were on 2008-08-28, see VMSA-2008-0014 for details.
2008-11-06 VMSA-2008-0016.1
Added updated information for ESX 3.5 Update 3 released on 2008-11-06.
2008-11-17 VMSA-2008-0016.2
Removed the build number from VirtualCenter Update 3 as this build number was for the localized version of the VirtualCenter Update 3 Installer.
Please refer to the VirtualCenter Update 3 release notes for relevant build numbers.

7. Contact

E-mail list for product security notifications and announcements:
lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at:
kb.vmware.com/kb/1055

VMware Security Center
www.vmware.com/security

VMware security response policy
www.vmware.com/support/policies/security_response.html

General support life cycle policy
www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc. All rights reserved.