VMSA-2011-0009.3

VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues

1. Summary

VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues.

2. Relevant releases

VMware Workstation 7.1.3 and earlier
VMware Player 3.1.3 and earlier

VMware Fusion 3.1.2 and earlier

ESXi 5.0 without patch ESXi500-201112403-SG
ESXi 4.1 without patches ESXi410-201104402-BG and ESXi410-201110201-SG
ESXi 4.0 without patch ESXi400-201110401-SG
ESXi 3.5 without patches ESXe350-201105401-I-SG and
  ESXe350-201105402-T-SG

ESX 4.1 without patches ESX410-201104401-SG and ESX410-201110225-SG.
ESX 4.0 without patch ESX400-201104401-SG and
  ESX400-201110410-SG
ESX 3.5 without patches ESX350-201105401-SG,
  ESX350-201105404-SG and
  ESX350-201105406-SG

3. Problem Description

a. VMware vmkernel third party e1000(e) Driver Packet Filter Bypass
There is an issue in the e1000(e) Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-4536 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

* hosted products are VMware Workstation, Player, ACE, Fusion.

b. ESX third party update for Service Console kernel
This update for the console OS kernel package resolves four security issues.

1. IPv4 Remote Denial of Service An remote attacker can achieve a denial of service via an issue in the kernel IPv4 code. The Common Vulnerabilities and Exposures project ( cve.mitre.org) has assigned the name CVE-2010-1188 to this issue.
2. SCSI Driver Denial of Service / Possible Privilege Escalation A local attacker can achieve a denial of service and possibly a privilege escalation via a vulnerability in the Linux SCSI drivers. The Common Vulnerabilities and Exposures project ( cve.mitre.org) has assigned the name CVE-2009-3080 to this issue.
3. Kernel Memory Management Arbitrary Code Execution A context-dependent attacker can execute arbitrary code via a vulnerability in a kernel memory handling function. The Common Vulnerabilities and Exposures project ( cve.mitre.org) has assigned the name CVE-2010-2240 to this issue.
4. e1000 Driver Packet Filter Bypass There is an issue in the Service Console e1000 Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters. The Common Vulnerabilities and Exposures project ( cve.mitre.org) has assigned the name CVE-2009-4536 to this issue.

* hosted products are VMware Workstation, Player, ACE, Fusion.

c. Multiple vulnerabilities in mount.vmhgfs
This patch provides a fix for the following three security issues in the VMware Host Guest File System (HGFS). None of these issues affect Windows based Guest Operating Systems.

1. Mount.vmhgfs Information Disclosure Information disclosure via a vulnerability that allows an attacker with access to the Guest to determine if a path exists in the Host filesystem and whether it is a file or directory regardless of permissions. The Common Vulnerabilities and Exposures project ( cve.mitre.org) has assigned the name CVE-2011-2146 to this issue.
2. Mount.vmhgfs Race Condition Privilege escalation via a race condition that allows an attacker with access to the guest to mount on arbitrary directories in the Guest filesystem and achieve privilege escalation if they can control the contents of the mounted directory. The Common Vulnerabilities and Exposures project ( cve.mitre.org) has assigned the name CVE-2011-1787 to this issue.
3. Mount.vmhgfs Privilege Escalation Privilege escalation via a procedural error that allows an attacker with access to the guest operating system to gain write access to an arbitrary file in the Guest filesystem. This issue only affects Solaris and FreeBSD Guest Operating Systems. The Common Vulnerabilities and Exposures project ( cve.mitre.org) has assigned the name CVE-2011-2145 to this issue.

* After the update is applied VMware Guest Tools must be updated in any pre-existing non-Windows guest operating systems

d. VI Client ActiveX vulnerabilities
VI Client COM objects can be instantiated in Internet Explorer which may cause memory corruption. An attacker who succeeded in making the VI Client user visit a malicious Web site could execute code on the user's system within the security context of that user.

VMware would like to thank Elazar Broad and iDefense for reporting this issue to us.

The Common Vulnerabilities and Exposures Project ( cve.mitre.org) has assigned the name CVE-2011-2217 to this issue.

Affected versions.

The vSphere Client which comes with vSphere 4.0 and vSphere 4.1 is not affected. This is any build of vSphere Client Version 4.0.0 and vSphere Client Version 4.1.0.

VI Clients bundled with VMware Infrastructure 3 that are not affected are:

• VI Client 2.0.2 Build 230598 and higher
• VI Client 2.5 Build 204931 and higher

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

VMware Workstation 7.1.4
----------------------------
http://downloads.vmware.com/d/info/desktop_downloads/vmware_workstation/7_0
Release notes:
http://downloads.vmware.com/support/ws71/doc/releasenotes_ws714.html

VMware Workstation for Windows 32-bit and 64-bit with VMware Tools
md5sum: b52d064dff3e9fb009e0637d59b79c44
sha1sum: bf4fe9e901b45e59b33852c4612e90fb77223d64

VMware Workstation for Linux 32-bit with VMware Tools
md5sum: 5f5f25b1cfd8990e46db07788fe0adab
sha1sum: d5b4bfe0d22079988a7777dcc0f87a16b494b5f9

VMware Workstation for Linux 64-bit with VMware Tools
md5sum: 68b424f836f63c12b071a791f80b1593
sha1sum: a7d1f461830db022af8f9d872c980fc59a83c5d6

VMware Fusion 3.1.3
---------------------------
http://downloads.vmware.com/d/info/desktop_end_user_computing/vmware_fusion/3_0
Release Notes:
http://downloads.vmware.com/support/fusion3/doc/releasenotes_fusion_313.html

VMware Fusion for Intel-based Macs
md5sum: f35ac5c15354723468257d2a48dc4f76
sha1sum: 3c849a62c45551fddb16eebf298cef7279d622a9

VMware Player 3.1.4
---------------------------
http://downloads.vmware.com/d/info/desktop_downloads/vmware_player/3_0
Release notes:
https://www.vmware.com/support/player31/doc/releasenotes_player314.html

VMware Player 3.1.4 for 32-bit and 64-bit Windows
md5sum: 29dd5fefe40af929dba40185eb6d4804
sha1sum: ac00488dd9e412beea2366c167ceb87ed262054f

VMware Player 3.1.4 for 32-bit Linux
md5sum: 75a41b63836d19db34f5551846c8b11d
sha1sum: 7350051c0fc781604d1d46bc24003434cbcd3b26

VMware Player 3.1.4 for 64-bit Linux
md5sum: a7fdadfb2af8d9f76571cd06f2439041
sha1sum: 90031375a9c10d9a0a5e32be154c856693ad7526

VMware ESXi 5.0
---------------
ESXi500-201112001
Download link:
http://downloads.vmware.com/go/selfsupport-download
md5sum: 107ec1cf6ee1d5d5cb8ea5c05b05cc10
sha1sum: aff63c8a170508c8c0f21a60d1ea75ef1922096d
http://kb.vmware.com/kb/2007673

ESXi500-201112001 contains ESXi500-201112403-SG

VMware ESXi 4.1
---------------
VMware ESXi 4.1 Update 2
Download link:
http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1

Release Notes:
https://www.vmware.com/support/pubs/vs_pages/vsp_pubs_esxi41_i_vc41.html

File: VMware-VMvisor-Installer-4.1.0.update02-502767.x86_64.iso
md5sum: 0aa78790a336c5fc6ba3d9807c98bfea
sha1sum: 7eebd34ab5bdc81401ae20dcf59a8f8ae22086ce

File: upgrade-from-esxi4.0-to-4.1-update02-502767.zip
md5sum: 459d9142a885854ef0fa6edd8d6a5677
sha1sum: 75978b6f0fc3b0ccc63babe6a65cfde6ec420d33

File: upgrade-from-ESXi3.5-to-4.1_update02.502767.zip
md5sum: 3047fac78a4aaa05cf9528d62fad9d73
sha1sum: dc99b6ff352ace77d5513b4c6d8a2cb7e766a09f

File: VMware-tools-linux-8.3.12-493255.iso
md5sum: 63028f2bf605d26798ac24525a0e6208
sha1sum: 95ca96eec7817da9d6e0c326ac44d8b050328932

File: VMware-viclient-all-4.1.0-491557.exe
md5sum: dafd31619ae66da65115ac3900697e3a
sha1sum: 98be4d349c9a655621c068d105593be4a8e542ef

VMware ESXi 4.1 Update 2 contains ESXi410-201110201-SG.

ESXi410-201104001
Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-276-20110420-682352/ESXi410-201104001.zip
md5sum: 23bd026d6cbca718fe50ed1dd73cfe9d
sha1sum: 82fa6da02a1f37430a15a659254426b3d3a62662
http://kb.vmware.com/kb/1035111

ESXi410-201104001 contains ESXi410-201104402-BG.

VMware ESX 4.1
--------------
VMware ESX 4.1 Update 2
Download link:
http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1

Release Notes:
http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html
https://www.vmware.com/support/pubs/vum_pubs.html

File: ESX-4.1.0-update02-502767.iso
md5sum: 9a2b524446cbd756f0f1c7d8d88077f8
sha1sum: 2824c0628c341357a180b3ab20eb2b7ef1bee61c

File: pre-upgrade-from-esx4.0-to-4.1-502767.zip
md5sum: 9060ad94d9d3bad7d4fa3e4af69a41cf
sha1sum: 9b96ba630377946c42a8ce96f0b5745c56ca46b4

File: upgrade-from-esx4.0-to-4.1-update02-502767.zip
md5sum: 4b60f36ee89db8cb7e1243aa02cdb549
sha1sum: 6b9168a1b01379dce7db9d79fd280509e16d013f

File: VMware-tools-linux-8.3.12-493255.iso
md5sum: 63028f2bf605d26798ac24525a0e6208
sha1sum: 95ca96eec7817da9d6e0c326ac44d8b050328932

File: VMware-viclient-all-4.1.0-491557.exe
md5sum: dafd31619ae66da65115ac3900697e3a
sha1sum: 98be4d349c9a655621c068d105593be4a8e542ef

VMware ESX 4.1 Update 2 contains ESX410-201110225-SG.

ESX410-201104001
Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-275-20110420-062017/ESX410-201104001.zip
md5sum: 757c3370ae63c75ef5b2178bd35a4ac3
sha1sum: 95cfdc08e0988b4a0c0c3ea1a1acc1c661979888
http://kb.vmware.com/kb/1035110
ESX410-201104001 contains ESX410-201104401-SG.

VMware ESXi 4.0
---------------
ESXi400-201110001
Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-315-20111006-920880/ESXi400-201110001.zip
md5sum: fd47b5e2b7ea1db79a2e0793d4c9d9d3
sha1sum: 759d4fa6da6eb49f41def68e3bd66e80c9a7032b
http://kb.vmware.com/kb/1036397

ESXi400-201110001 contains ESXi400-201110401-SG

ESXi400-201104001
Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-278-20110424-080274/ESXi400-201104001.zip
md5sum: 08216b7ba18988f608326e245ac27e98
sha1sum: 508a04532f0af007ce7c9d7693371470ed8257f0
http://kb.vmware.com/kb/1037261

ESXi400-201104001 contains ESXi400-201104402-BG.

VMware ESX 4.0
--------------
ESX400-201110001
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-314-20111006-398488/ESX400-201110001.zip
md5sum: 0ce9cc285ea5c27142c9fdf273443d78
sha1sum: fdb5482b2bf1e9c97f2814255676e3de74512399
http://kb.vmware.com/kb/1036391

ESX400-201110001 contains ESX400-201110410-SG.

ESX400-201104001
Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-277-20110424-816604/ESX400-201104001.zip
md5sum: 1a305fbf6c751403e56ef4e33cabde06
sha1sum: bc7577cb80e69fbe81e3e9272a182deb42987b3d
http://kb.vmware.com/kb/1037260

ESX400-201104001 contains ESX400-201104401-SG.

VMware ESXi 3.5
---------------
ESXe350-201105401-O-SG
Download link:
http://download3.vmware.com/software/vi/ESXe350-201105401-O-SG.zip
md5sum: 9bc9296cae1fbecf417f60941590fcb4
sha1sum: d6902377f57e3b05b08c07a810d6b58fa30aa8d5
http://kb.vmware.com/kb/1036403

Note ESXe350-201105401-O-SG contains the following security fixes:
ESXe350-201105402-T-SG and ESXe350-201105401-I-SG

VMware ESX 3.5
--------------
ESX350-201105401-SG
Download link:
http://download3.vmware.com/software/vi/ESX350-201105401-SG.zip
md5sum: 2853ca6e75ef5e856ec582151908ad93
sha1sum: c538971d47af4b813348d87bf2f4fa6acd9292f7
http://kb.vmware.com/kb/1036399

ESX350-201105404-SG
Download link:
http://download3.vmware.com/software/vi/ESX350-201105404-SG.zip
md5sum: 7403d4a06e2bdb9cdfb5590432f51bf8
sha1sum: 1700d6175524680b982ca4430cff77b5f7cb15c4
http://kb.vmware.com/kb/1036402

ESX350-201105406-SG
Download link:
http://download3.vmware.com/software/vi/ESX350-201105406-SG.zip
md5sum: 6c695f7d021f751959aec08fed94df11
sha1sum: 83a862c469e7f3334e2a78f6b81d98c02108b708
http://kb.vmware.com/kb/1036754

5. References

CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4536
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2217

6. Change log

2011-06-02 VMSA-2011-0009 Initial security advisory in conjunction with the release of ESX 3.5 patches on 2011-06-02.

2011-10-12 VMSA-2011-0009.1 Updated security advisory after the release of ESX 4.0 patches on 2011-10-12.

2011-10-27 VMSA-2011-0009.2 Updated security advisory with the release of Update 2 for vSphere Hypervisor (ESXi) 4.1 and ESX 4.1 on 2011-10-27.

2011-12-15 VMSA-2011-0009.3 Updated security advisory with the release of ESXi 5.0 patches on 2011-12-15.

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

• security-announce at lists.vmware.com
• bugtraq at securityfocus.com
• full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at:
http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2011 VMware Inc. All rights reserved.