VMSA-2012-0009.2

VMware Workstation, Player, ESXi and ESX patches address critical security issues

1. Summary

VMware Workstation, Player, Fusion, ESXi and ESX patches address critical security issues

 

2. Relevant releases

Workstation 8.0.2

Workstation 7.1.5

Player 4.0.2

Player 3.1.4

Fusion 4.1.2

ESXi 5.0 without patch ESXi500-201205401-SG

ESXi 4.1 without patches ESXi410-201205401-SG, ESXi410-201110201-SG, ESXi410-201201401-SG

ESXi 4.0 without patches ESXi400-201105201-UG, ESXi400-201205401-SG

ESXi 3.5 without patch ESXe350-201205401-I-SG

ESX 4.1 without patches ESX410-201205401-SG, ESX410-201110201-SG, ESX410-201201401-SG

ESX 4.0 without patches ESX400-201105201-UG, ESX400-201205401-SG

ESX 3.5 without patch ESX350-201205401-SG

 

3. Problem Description

a. VMware host memory overwrite vulnerability (data pointers)
Due to a flaw in the handler function for RPC commands, it is possible to manipulate data pointers within the VMX process. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.
Workaround

• Configure virtual machines to use less than 4 GB of memory. Virtual machines that have less than 4GB of memory are not affected.
  OR
  
• Disable VIX messages from each guest VM by editing the configuration file (.vmx) for the virtual machine as described in VMware Knowledge Base article 1714. Add the following line:
  isolation.tools.vixMessage.disable = “TRUE”
  Note: This workaround is not valid for Workstation 7.x and Fusion 3.x.

Mitigation

• Do not allow untrusted users access to your virtual machines. Root or Administrator level permissions are not required to exploit this issue.

The Common Vulnerabilities and Exposures project ( cve.mitre.org) has assigned the name CVE-2012-1516 to this issue.
VMware would like to thank Derek Soeder of Ridgeway Internet Security, L.L.C. for reporting this issue to us.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

b. VMware host memory overwrite vulnerability (function pointers)
Due to a flaw in the handler function for RPC commands, it is possible to manipulate function pointers within the VMX process. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.
Workaround

• None identified

Mitigation

• Do not allow untrusted users access to your virtual machines. Root or Administrator level permissions are not required to exploit this issue.

The Common Vulnerabilities and Exposures project ( cve.mitre.org) has assigned the name CVE-2012-1517 to this issue.
VMware would like to thank Derek Soeder of Ridgeway Internet Security, L.L.C. for reporting this issue to us.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

c. ESX NFS traffic parsing vulnerability
Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic.
Workaround

• None identified

Mitigation

• Connect only to trusted NFS servers
• Segregate the NFS network
• Harden your NFS server

The Common Vulnerabilities and Exposures project ( cve.mitre.org) has assigned the name CVE-2012-2448 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

d. VMware floppy device out-of-bounds memory write
Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic.
Workaround

• None identified

Mitigation

• Connect only to trusted NFS servers
• Segregate the NFS network
• Harden your NFS server

The Common Vulnerabilities and Exposures project ( cve.mitre.org) has assigned the name CVE-2012-2448 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

e. VMware SCSI device unchecked memory write
Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.
Workaround

• Remove the virtual SCSI controller from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general.

Mitigation

• Do not allow untrusted root users access to your virtual machines. Root or Administrator level permissions are required to exploit this issue.

The Common Vulnerabilities and Exposures project ( cve.mitre.org) has assigned the name CVE-2012-2450 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

Workstation 8.0.3
---------------------------
http://www.vmware.com/go/downloadworkstation

Release notes:
https://www.vmware.com/support/ws80/doc/releasenotes_workstation_803.html

VMware Workstation for Windows 32-bit and 64-bit with VMware Tools
md5sum: c8cabe876ab629f27e47cea02f0d4def
sha1sum: 815c2b2b9b0e5fd089ed19da15a272671eb405bd

VMware Workstation for Linux 32-bit with VMware Tools
md5sum: 968c0785ddb96058e808117730d7c3ad
sha1sum: 08ac903c012ef887bf45b3f9f83a4d3200fe25d1

VMware Workstation for Linux 64-bit with VMware Tools
md5sum: aa9ce2d953f21f9d902de00ffd2fcb5c
sha1sum: b8d189b6717d49abc49401fc4ad50b187ff2e813

Workstation 7.1.6
---------------------------
http://www.vmware.com/go/downloadworkstation

Release notes:
https://www.vmware.com/support/ws71/doc/releasenotes_ws716.html

VMware Workstation for Windows 32-bit and 64-bit with VMware Tools
md5sum: f7856421babd716dace2f0250ae271f7
sha1sum: 9eaf4b17afec36b8a166bad81be851bd8cfda709

VMware Workstation for Linux 32-bit with VMware Tools
md5sum: 18cc162a88d66a78a0114550517cd42d
sha1sum: 5a1ea9c841a2f45c2e2ed07a30b01c18c85f2133

VMware Workstation for Linux 64-bit with VMware Tools
md5sum: c11e4e162fc128cbfe629c8fb60ea733
sha1sum: 627698ac32d039bcafc117f0fb71d7e666ac0c2e

Player 4.0.3
---------------------------

http://www.vmware.com/go/downloadplayer

Release notes:
https://www.vmware.com/support/player40/doc/releasenotes_player403.html

VMware Player for Windows 32-bit and 64-bit
md5sum: f2259a257a5099cdce5e1ce76512f599
sha1sum: 96badcaac81e1dfeaaac49d1a5bb6b1e13956266

VMware Player for Linux 32-bit
md5sum: 4012e897a77a1c69dd18fbcdde6cf269
sha1sum: 1c00cde50dc6c651393c85db6449010cf552c3eb

VMware Player for Linux 64-bit
md5sum: 857edd0695b3b31713f9ea1b0a65f2b6
sha1sum: 83c4365f4b43713e8cee13998c394331990a0fd3

Player 3.1.6
---------------------------

Release notes:
https://www.vmware.com/support/player31/doc/releasenotes_player316.html

VMware Player for Windows 32-bit and 64-bit
md5sum: 258ca5ac40efa389b0bb221191dbdd65
sha1sum: 691beccb590b7bc34461f78946d752288f2ef4e7

VMware Player for Linux 32-bit
md5sum: 9ed2d89816523ba030f8877c3fb935b9
sha1sum: a16a91dddb6081be314ef5d84708d37fabdd859c

VMware Player for Linux 64-bit
md5sum: d0715a06775c0f92b9d23e031e4af1c6
sha1sum: 5033c1bfecb309b96399410e614c41452c49e8e8

Fusion 4.1.3
---------------------------
http://www.vmware.com/go/downloadfusion

Release Notes:
http://www.vmware.com/support/fusion4/doc/releasenotes_fusion_413.html

VMware Fusion (for Intel-based Macs)
md5sum: 1581b2f1cc0e28f9980c48bab59072bd
sha1sum: f2f58d0b3bfa405c4e6d9f61d51e0d689f8ed34c

ESXi and ESX
---------------------------
http://downloads.vmware.com/go/selfsupport-download

Note: In case multiple patches are listed below, the most recent patch is listed on top.
The most recent patch includes fixes for the issues that are addressed in the older patches.

ESXi 5.0
---------------------------
ESXi500-201205001
md5sum: 4a1de58656980271d79a32107cba75cf
sha1sum: 5f23b318df3476002877c37f2970093dc2217d75
http://kb.vmware.com/kb/2019857
ESXi500-201205001 contains ESXi500-201205401-SG

ESXi 4.1
---------------------------
ESXi410-201205001
md5sum: 5a37d83fc2a96483c94b3087387b3e9c
sha1sum: 9999f578163ffc9ada809e985a6e5d42b83e2be6
http://kb.vmware.com/kb/2019860
ESXi410-201205001 contains ESXi410-201205401-SG

ESXi410-201201001
md5sum: bdf86f10a973346e26c9c2cd4c424e88
sha1sum: cc0b92869a9aae4f5e0e5b81bee109bcd7da780f
http://kb.vmware.com/kb/2009137
ESXi410-201201001 contains ESXi410-201201401-SG

update-from-esxi4.1-4.1_update02
md5sum: 57e34b500ce543d778f230da1d44e412
sha1sum: 52f4378e2f1a29c908493182ccbde91d58b4112f
http://kb.vmware.com/kb/2002338
update-from-esxi4.1-4.1_update02 contains ESXi410-201110201-SG

ESXi 4.0
---------------------------
ESXi400-201205001
md5sum: 96808908b8ff82460a6cbd9b4c501dd4
sha1sum: df0256c4ff71f4e7af507e956a496390c7a84597
http://kb.vmware.com/kb/2019855
ESXi400-201205001 contains ESXi400-201205401-SG

update-from-esxi4.0-4.0_update03
md5sum: 01bb395825b55b21ec5ea9a5e2ec2c4b
sha1sum: ca49bbf154278568a71caf1a5288ac9239dfaf7f
http://kb.vmware.com/kb/1031736
update-from-esxi4.0-4.0_update03 contains ESXi400-201105201-UG

ESXi 3.5
---------------------------
ESXe350-201205401-O-SG
md5sum: e2f017e7ef9a1c0ed5e70dbc97ec62d3
sha1sum: 8dab4731acd4e257cc1701aa0a88373727a9e3ae
http://kb.vmware.com/kb/2019538
ESXe350-201205401-O-SG contains ESXe350-201205401-I-SG

ESX 4.1
---------------------------
ESX410-201205001
md5sum: 0445d053cacee38338b6cc57efae093b
sha1sum: 40720a3be86dd3c9e0bed29c95e0f0a4e34e4cce
http://kb.vmware.com/kb/2019859
ESX410-201205001 contains ESX410-201205401-SG

ESX410-201201001
md5sum: 16df9acd3e74bcabc2494bc23ad0927f
sha1sum: 1066ae1436e1a75ba3d541ab65296cfb9ab7a5cc
http://kb.vmware.com/kb/2009080
ESX410-201201001 contains ESX410-201201401-SG

update-from-esx4.1-4.1_update02
md5sum: 96189a6de3797e28b153f89e01d5a15b
sha1sum: b1823d39d0e4536a421fb933f02380bae7ee7a5d
http://kb.vmware.com/kb/2002337
update-from-esx4.1-4.1_update02 contains ESX410-201110201-SG

ESX 4.0
---------------------------
ESX400-201205001
md5sum: ff0451d353916cc5aebdabf15f4941cc
sha1sum: 8485bc41f23e214940e2b618958293ef74eb425f
http://kb.vmware.com/kb/2019853
ESX400-201205001 contains ESX400-201205401-SG

update-from-esx4.0-4.0_update03
md5sum: 329b08d80d56b0965b84251c552970ba
sha1sum: 2e7285d0cbfd666ab9d745a76f639eccb55c1b2a
http://kb.vmware.com/kb/1031732
update-from-esx4.0-4.0_update03 contains ESX400-201105201-UG

ESX 3.5
---------------------------
ESX350-201205401-SG
md5sum: e7d519fccf34a9bd9ff73cbef9247e31
sha1sum: b5a1a50bf116fb900768a8882bc77adb93b3a182
http://kb.vmware.com/kb/2019535

 

5. References

CVE numbers

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1516

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1517

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2448

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2449

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2450

 

6. Change log

2012-05-03 VMSA-2012-0009 Initial security advisory in conjunction with the release of Workstation 8.0.3, Player 4.0.3 and patches for ESXi and ESX 3.5, 4.0, 4.1 and 5.0 on 2012-05-03.

2012-05-08 VMSA-2012-0009.1 Added another workaround to section 3.a on 2012-05-08.

2012-06-13 VMSA-2012-0009.2 Updated Relevant Releases, Problem Description, and Solution sections to include information regarding updates for Workstation 7 and Fusion 4 in conjunction with the release of Workstation 7.1.6 and Fusion 4.1.3 on 2012-06-13.

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

• security-announce at lists.vmware.com
• bugtraq at securityfocus.com
• full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at:
http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2012 VMware Inc. All rights reserved.