(VMware Issues Fix for ESX Server) OpenPegasus Stack Overflow in PAM Authentication Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1019862
SecurityTracker URL: http://securitytracker.com/id/1019862
CVE Reference: CVE-2008-0003
Updated: May 6 2008
Original Entry Date: Apr 16 2008
Impact: Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 3.0.1, 3.0.2, 3.5
Description:
A vulnerability was reported in OpenPegasus. A remote user can execute arbitrary code on the target system. VMware ESX Server is affected.
A remote user can send specially crafted data to trigger a stack overflow in the PAM authentication code and execute arbitrary code on the target system. The code will run with root privileges.
The vulnerability resides in PAMBasicAuthenticator::PAMCallback().
Impact:
A remote user can execute arbitrary code on the target system with root privileges.
Solution:
VMware has issued a fix for ESX, which is affected by this vulnerability.
ESX 3.5 patch ESX350-200803201-UG
http://download3.vmware.com/software/esx/ESX350-200803201-UG.zip
md5sum: 55dee9f4e256b996229ff0c9a5f0f72c
http://kb.vmware.com/kb/1003695
On May 5, 2008, VMware issued patches for versions 3.0.1 and 3.0.2.
VMware ESX 3.0.2 patch ESX-1004213 (OpenPegasus)
http://download3.vmware.com/software/vi/ESX-1004213.tgz
md5sum: cde300d8239ce5c9aac887957957eaa4
http://kb.vmware.com/kb/1004213
VMware ESX 3.0.1 patch ESX-1004184 (OpenPegasus)
http://download3.vmware.com/software/vi/ESX-1004184.tgz
md5sum: e96659cf283e1e2e141de58603af1bfc
http://kb.vmware.com/kb/1004184
Cause:
Boundary error
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Tue, 15 Apr 2008 18:20:02 -0700
Subject: [Security-announce] VMSA-2008-0007 Moderate Updated Service Console
-------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2008-0007
Synopsis: Moderate Updated Service Console packages pcre, net-snmp, and OpenPegasus
Issue date: 2008-04-15
Updated on: 2008-04-15 (initial release of advisory)
CVE numbers: CVE-2006-7228 CVE-2007-1660 CVE-2007-5846 CVE-2008-0003
-------------------------------------------------------------------
1. Summary:
Updated Service Console packages for pcre, net-snmp, and OpenPegasus
2. Relevant releases:
VMware ESX 3.5 without patch ESX350-200803214-UG
3. Problem description:
a. Updated pcre Service Console package addresses several security issues
The pcre package contains the Perl-Compatible Regular Expression library. pcre is used by various Service Console utilities.
Several security issues were discovered in the way PCRE handles regular expressions. If an application linked against PCRE parsed a malicious regular expression, it may have been possible to run arbitrary code as the user running the application.
VMware would like to thank Ludwig Nussel for reporting these issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-7228 and CVE-2007-1660 to these issues.
RPM updated:
pcre-3.9-10.4.i386.rpm
b. Updated net-snmp Service Console package addresses denial of service
net-snmp is an implementation of the Simple Network Management Protocol (SNMP). SNMP is used by network management systems to monitor hosts. By default ESX has this service enabled and its ports open on the ESX firewall.
A flaw was discovered in the way net-snmp handled certain requests. A remote attacker who can connect to the snmpd UDP port could send a malicious packet causing snmpd to crash, resulting in a denial of service.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5846 to this issue.
RPMs updated:
net-snmp-5.0.9-2.30E.23.i386.rpm
net-snmp-libs-5.0.9-2.30E.23.i386.rpm
net-snmp-utils-5.0.9-2.30E.23.i386.rpm
c. Updated OpenPegasus Service Console package fixes overflow condition
OpenPegasus is a CIM (Common Information Model) and Web-Based Enterprise Management (WBEM) broker. These protocols are used by network management systems to monitor and control hosts. By default ESX has this service enabled and its ports open on the ESX firewall.
A flaw was discovered in the OpenPegasus CIM management server that might allow remote attackers to execute arbitrary code. OpenPegasus, when compiled to use PAM and without PEGASUS_USE_PAM_STANDALONE_PROC defined, has a stack-based buffer overflow condition.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-0003 to this issue.
RPMs updated:
cim-smwg-1.0-release-606113.i386.rpm
pegasus-2.5-release-606113.i386.rpm
4. Solution:
Please review the Patch notes for your product and version and verify the md5sum of your downloaded file.
ESX 3.5 patch ESX350-200803214-UG
http://download3.vmware.com/software/esx/ESX350-200803214-UG.zip
md5sum: 9ff7b416afed3acfbfbb5d1d63ca5060
http://kb.vmware.com/kb/1003721
RPMs updated with patch ESX350-200803214-UG:
e2fsprogs-1.32-15.4.i386.rpm
net-snmp-5.0.9-2.30E.23.i386.rpm
net-snmp-libs-5.0.9-2.30E.23.i386.rpm
net-snmp-utils-5.0.9-2.30E.23.i386.rpm
pcre-3.9-10.4.i386.rpm
libxml2-2.5.10-8.i386.rpm
libxml2-python-2.5.10-8.i386.rpm
ESX 3.5 patch ESX350-200803201-UG
http://download3.vmware.com/software/esx/ESX350-200803201-UG.zip
md5sum: 55dee9f4e256b996229ff0c9a5f0f72c
http://kb.vmware.com/kb/1003695
RPMs updated with patch ESX350-200803201-UG:
cim-smwg-1.0-release-606113.i386.rpm
pegasus-2.5-release-606113.i386.rpm
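The md5sum check the advisory asks for, as an added example that is neither VMware's nor SecurityTracker's code: it streams each downloaded patch archive through MD5 and compares the digest with the value published for it (the filenames and hashes in the manifest are copied from the patch lists on this page, covering both the ESX 3.5 and the ESX 3.0.x patches; the archives are assumed to sit in the current directory). Note that a matching MD5 confirms the download is the file the advisory describes and was not corrupted or swapped in transit; it is not a collision-resistant integrity guarantee on its own.

```python
import hashlib
import hmac
import os

# Expected digests, copied from the patch entries in this advisory and the alert above it.
PATCH_MANIFEST = {
    "ESX350-200803214-UG.zip": "9ff7b416afed3acfbfbb5d1d63ca5060",
    "ESX350-200803201-UG.zip": "55dee9f4e256b996229ff0c9a5f0f72c",
    "ESX-1004213.tgz": "cde300d8239ce5c9aac887957957eaa4",
    "ESX-1004184.tgz": "e96659cf283e1e2e141de58603af1bfc",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Hex MD5 of a file, hashed in 1 MiB chunks so large archives are never fully loaded."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_patch(path, expected_md5):
    """Return 'ok', 'mismatch' or 'missing' for one downloaded patch file."""
    if not os.path.isfile(path):
        return "missing"
    actual = md5_of_file(path)
    # Normalise the published hex (case, stray whitespace) before a constant-time compare.
    if hmac.compare_digest(actual, expected_md5.strip().lower()):
        return "ok"
    return "mismatch"


def verify_manifest(manifest, directory="."):
    """Check every archive in the manifest; returns {filename: status}."""
    return {
        name: verify_patch(os.path.join(directory, name), md5)
        for name, md5 in manifest.items()
    }


if __name__ == "__main__":
    # Anything other than 'ok' means: do not install that archive.
    for name, status in verify_manifest(PATCH_MANIFEST).items():
        print(f"{status:8s} {name}")
```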
5. References:
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0003
6. Change log
2008-04-15 VMSA-2008-0007 Initial release
-------------------------------------------------------------------
7. Contact:
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce@lists.vmware.com
* bugtraq@securityfocus.com
* full-disclosure@lists.grok.org.uk
E-mail: security@vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2008 VMware Inc. All rights reserved.