VMware Security Part Trois

Part Trois

VMware Security Advisory

Advisory ID:            VMSA-2009-0004.3
Synopsis:         ESX Service Console updates for openssl, bind, and vim
Issue date:       2009-03-31
Updated on:       2010-01-06
CVE numbers:      CVE-2008-5077 CVE-2009-0025 CVE-2008-4101 CVE-2008-3432 CVE-2008-2712 CVE-2007-2953
————————————————————————

1. Summary

ESX patches for OpenSSL, vim and bind resolve several security issues.

2. Relevant releases

VMware ESX 4.0 without patch       ESX400-200912402-SG
VMware ESX 3.5 without patches     ESX350-200904408-SG, ESX350-200904407-SG, ESX350-200904406-SG
VMware ESX 3.0.3 without patches   ESX303-200903406-SG, ESX303-200903405-SG, ESX303-200903403-SG
VMware ESX 3.0.2 without patches    ESX-1008409, ESX-1008408,ESX-1008406
VMware ESX 2.5.5 without update patch 13
Extended support for ESX 3.0.2 Update 1 ends on 2009-08-08.

Users should plan to upgrade to ESX 3.0.3 and preferably to the newest release available.

3. Problem Description

a. Updated OpenSSL package for the Service Console fixes a security issue.

OpenSSL 0.9.7a-33.24 and earlier does not properly check the return value from the EVP_VerifyFinal function, which could allow a remote attacker to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.

The Common Vulnerabilities and Exposures project (cve.mitre.org) the name CVE-2008-5077 to this issue.

The following table lists what action remediates the vulnerability column 4) if a solution is available.

VMware Product Product Version Running On Replace with/Apply Patch
VirtualCenter any Windows not affected
hosted * any any not affected
ESXi 3.5 ESXi not affected
ESX 4.0 ESX ESX400-200912402-SG
ESX 3.5 ESX ESX350-200904408-SG
ESX 3.0.3 ESX ESX303-200903406-SG
ESX 3.0.2 ESX ESX-1008409
ESX 2.5.5 ESX Upgrade Patch 13

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

b. Update bind package for the Service Console fixes a security issue.

A flaw was discovered in the way Berkeley Internet Name Domain (BIND) checked the return value of the OpenSSL DSA_do_verify function. On systems using DNSSEC, a malicious zone could present a malformed DSA certificate and bypass proper certificate validation, allowing spoofing attacks.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-0025 to this issue.

The following table lists what action remediates the vulnerability (column 4) if a solution is available.

VMware Product Product Version Running On Replace with/Apply Patch
VirtualCenter any Windows not affected
hosted * any any not affected
ESXi 3.5 ESXi not affected
ESX 4.0 ESX not affected
ESX 3.5 ESX ESX350-200904407-SG
ESX 3.0.3 ESX ESX303-200903405-SG
ESX 3.0.2 ESX ESX-1008409
ESX 2.5.5 ESX Upgrade Patch 13

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

c. Updated vim package for the Service Console addresses several security issues.

Several input flaws were found in Visual editor IMproved’s (Vim) keyword and tag handling. If Vim looked up a document’s maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-4101 to this issue.

A heap-based overflow flaw was discovered in Vim’s expansion of file name patterns with shell wildcards. An attacker could create a specially crafted file or directory name, when opened by Vim causes the application to stop responding or execute arbitrary code.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-3432 to this issue.

Several input flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-2712 to this issue.

A format string flaw was discovered in Vim’s help tag processor. If a user was tricked into executing the “helptags” command on malicious data, arbitrary code could be executed with the permissions of the user running VIM.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-2953 to this issue.

The following table lists what action remediates the vulnerability (column 4) if a solution is available.

VMware Product Product Version Running On Replace with/Apply Patch
VirtualCenter any Windows Not Affected
Workstation any any Not Affected
Hosted * any any Not Affected
ESXi any ESXi Not Affected
ESX 4.0 ESX Not Affected
ESX 3.5 ESX ESX350-200904406-SG
ESX 3.0.3 ESX ESX303-200903403-SG
ESX 3.0.2 ESX ESX-1008406
ESX 2.5.5 ESX Upgrade Patch 13

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file.

ESX

ESX 4.0 ESX400-200912402-SG (openssl)
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-181-20091231-153046/ESX400-200912001.zip
md5sum: 78c6cf139b7941dc736c9d3a41deae77
sha1sum: 36df3a675fbd3c8c8830f00637e37ee716bdac59
http://kb.vmware.com/kb/1016292

To install an individual bulletin use esxupdate with the -b option. esxupdate –bundle=ESX400-200912001.zip -b ESX400-200912402-SG update

ESX 3.5 ESX350-200904408-SG (openssl) http://download3.vmware.com/software/vi/ESX350-200904408-SG.zip
md5sum: 3af12e08ec0e5f84b1b2646cb1ad0225
http://kb.vmware.com/kb/1010133
ESX 3.5 ESX350-200904407-SG (bind)   http://download3.vmware.com/software/vi/ESX350-200904407-SG.zip
md5sum: a1b9dbb410e76e2fd410d6766b1df210
http://kb.vmware.com/kb/1010132
ESX 3.5 ESX350-200904406-SG (vim)
http://download3.vmware.com/software/vi/ESX350-200904406-SG.zip
md5sum: a416ecc6e97fa484873026b8110672e7
http://kb.vmware.com/kb/1010131
ESX 3.0.3 ESX303-200903406-SG (openssl)
http://download3.vmware.com/software/vi/ESX303-200903406-SG.zip
md5sum: 45a2d32f9267deb5e743366c38652c92
http://kb.vmware.com/kb/1008416
ESX 3.0.3 ESX303-200903405-SG (bind)
http://download3.vmware.com/software/vi/ESX303-200903405-SG.zip
md5sum: 34d00fd9cca7f3e08c0857b4cc254710
http://kb.vmware.com/kb/1008415
ESX 3.0.3 ESX303-200903403-SG (vim)
http://download3.vmware.com/software/vi/ESX303-200903403-SG.zip
md5sum: 9790c9512aef18beaf0d1c7d405bed1a
http://kb.vmware.com/kb/1008413
ESX 3.0.2 ESX-1008409 (openssl)
http://download3.vmware.com/software/vi/ESX-1008409.tgz
md5sum: cb25fd47bc0713b968d8778c033bc846
http://kb.vmware.com/kb/1008409
ESX 3.0.2 ESX-1008408 (bind)
http://download3.vmware.com/software/vi/ESX-1008408.tgz
md5sum: b6bd9193892a9c89b9b7a1e0456d2a9a
http://kb.vmware.com/kb/1008408
ESX 3.0.2 ESX-1008406 (vim)
http://download3.vmware.com/software/vi/ESX-1008406.tgz
md5sum: f069daa58190b39e431cedbd26ce25ef
http://kb.vmware.com/kb/1008406
ESX 3.0.3 ESX303-200903405-SG (openssl)
http://download3.vmware.com/software/vi/ESX303-200903406-SG.zip
md5sum: 45a2d32f9267deb5e743366c38652c92
http://kb.vmware.com/kb/1008416
ESX 3.0.3 ESX303-200903405-SG (bind)
http://download3.vmware.com/software/vi/ESX303-200903405-SG.zip
md5sum: 34d00fd9cca7f3e08c0857b4cc254710
http://kb.vmware.com/kb/1008415
ESX 3.0.3 ESX303-200903403-SG (vim)
http://download3.vmware.com/software/vi/ESX303-200903403-SG.zip
md5sum: 9790c9512aef18beaf0d1c7d405bed1a
http://kb.vmware.com/kb/1008413
ESX 2.5.5 Upgrade Patch 13
http://www.vmware.com/support/esx25/doc/esx-255-200905-patch.html
http://download3.vmware.com/software/esx/esx-2.5.5-161312-upgrade.tar.gz
md5sum: a477b7819f5a0d4cbd38b98432a48c88
sha1sum: cceb38898108e48cc5b7e3298a03a369aa783699

5. References

CVE numbers

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2953
– ————————————————————————

6. Change log

2009-03-31  VMSA-2009-0004
Initial security advisory after release of patches for ESX 3.0.2 and
3.0.3 on 2009-03-31.
2009-04-29  VMSA-2009-0004.1
Added updated information for openssl, bind, and vim after the release of patches for ESX 3.5 on 2009-04-29.
2009-06-01  VMSA-2009-0004.2
Added updated information for openssl, bind, and vim after the release of patch for ESX 2.5.5 on 2009-05-28.
2010-01-06  VMSA-2009-0004.3
Added updated information for openssl after the release of patch for ESX400-200912402-SG for ESX 4.0 on 2010-01-06.

%d bloggers like this: