SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   VMware Vendors:   VMware, Inc.
VMware Bugs Let Local Users Deny Service
SecurityTracker Alert ID:  1018011
SecurityTracker URL:  http://securitytracker.com/id/1018011
CVE Reference:   CVE-2007-1069, CVE-2007-1337, CVE-2007-1876, CVE-2007-1877   (Links to External Site)
Date:  May 8 2007
Impact:   Denial of service via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): VMware Workstation prior to 5.5.4, VMware Player prior to 1.0.4, VMware Server prior to 1.0.3, VMware ACE prior to 1.0.3
Description:   A vulnerability was reported in VMware. A local user can cause denial of service conditions.

The system may not properly handle some general protection faults (GPFs) from Windows guest operating systems [CVE-2007-1069]. A local user can cause the Windows virtual machine to crash.

Ruben Santamarta of Reversemode discovered this vulnerability.

A local user can cause the virtual machine process to read state information from an incorrect memory location when returning from a sleep state to the run state [CVE-2007-1337].

Tavis Ormandy of Google discovered this vulnerability.

A local user can cause the virtual machine process to store malformed data in a VMDB files, resulting in denial of service conditions on the guest operating system [CVE-2007-1877].

Per-Fredrik Pollnow and Mikael Janers, technical security consultants at SunGard iXsecurity, discovered this vulnerability.

A local user can invoke a debugger to step into a syscall instruction (with a 64-bit Windows guest operating system on a 64-bit host) to corrupt the virtual machine's register context [CVE-2007-1876]. This may produce unpredictable results.

Ken Johnson discovered this vulnerability.

Impact:   A local user can cause denial of service conditions on the target system.
Solution:   The vendor has issued the following fixed versions.

VMware Workstation 5.5.4
http://www.vmware.com/download/ws/

VMware Server 1.0.3
http://www.vmware.com/download/server/

VMware Player 1.0.4
http://www.vmware.com/download/player/

VMware ACE 1.0.3
http://www.vmware.com/download/ace/

Vendor URL:  www.vmware.com/ (Links to External Site)
Cause:   Exception handling error, Input validation error, State error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Mon, 07 May 2007 15:51:22 -0700
Subject:  [Full-disclosure] VMSA-2007-0004 Multiple Denial-of-Service issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2007-0004
Synopsis:          Multiple Denial-of-Service issues fixed
Issue date:        2007-05-04
Updated on:        2007-05-04
CVE numbers:       CVE-2007-1069 CVE-2007-1337 CVE-2007-1877
                   CVE-2007-1876 CVE-2007-1744
- -------------------------------------------------------------------

1. Summary:

Multiple Denial-of-Service issues fixed.

2. Relevant releases:

VMware Workstation prior to 5.5.4
VMware Player prior to 1.0.4
VMware Server prior to 1.0.3
VMware ACE prior to 1.0.3

3. Problem description:

Problems addressed by these patches:

a.   Denial-of-Service on Windows based guest operating systems.

     Some VMware products managed memory in a way that failed to
     gracefully handle some general protection faults (GPFs) in Windows
     guest operating systems.

     A malicious user could use this vulnerability to crash Windows
     virtual machines.  While this vulnerability could allow an
     attacker to crash a virtual machine, we do not believe it was
     possible to escalate privileges or escape virtual containment.

     VMware thanks Rubén Santamarta of Reversemode for identifying and
     reporting this issue.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2007-1069 to this issue.

     VMware Workstation 5.5.4 (Build# 44386)
     VMware Player      1.0.4 (Build# 44386)
     VMware Server      1.0.3 (Build# 44356)
     VMware ACE         1.0.3 (Build# 44385)

b.   Denial-of-Service using ACPI I/O ports

     Virtual machines can be put in various states of suspension, as
     specified by the ACPI power management standard. When returning
     from a sleep state (S2) to the run state (S0), the virtual machine
     process (VMX) collects information about the last recorded running
     state for the virtual machine. Under some circumstances, VMX read
     state information from an incorrect memory location. This issue
     could be used to complete a successful Denial-of-Service attack
     where the virtual machine would need to be rebooted.

     Thanks to Tavis Ormandy of Google for identifying this issue.
     http://taviso.decsystem.org/virtsec.pdf

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2007-1337 to this issue.

     VMware Workstation 5.5.4 (Build# 44386)
     VMware Player      1.0.4 (Build# 44386)
     VMware Server      1.0.3 (Build# 44356)
     VMware ACE         1.0.3 (Build# 44385)

c.   Denial-of-Service using malformed configuration data

     Some VMware products support storing configuration information in
     VMDB files. Under some circumstances, a malicious user could
     instruct the virtual machine process (VMX) to store malformed data,
     causing an error. This error could enable a successful
     Denial-of-Service attack on guest operating systems.

     VMware would like to thank Per-Fredrik Pollnow and Mikael Janers
     technical security consultants at SunGard iXsecurity.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2007-1877 to this issue.

     VMware Workstation 5.5.4 (Build# 44386)
     VMware Player      1.0.4 (Build# 44386)
     VMware Server      1.0.3 (Build# 44356)
     VMware ACE         1.0.3 (Build# 44385)

d.   Debugging local programs could create system instability

     In a 64-bit Windows guest on a 64-bit host, debugging local
     programs could create system instability. Using a debugger to step
     into a syscall instruction may corrupt the virtual machine's
     register context. This corruption produces unpredictable results
     including corrupted stack pointers, kernel bugchecks, or vmware-vmx
     process failures.

     Thanks to Ken Johnson for identifying this issue.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2007-1876 to this issue.

     VMware Workstation 5.5.4 (Build# 44386)
     VMware Player      1.0.4 (Build# 44386)
     VMware Server      1.0.3 (Build# 44356)
     VMware ACE         1.0.3 (Build# 44385)

e.   Directory traversal vulnerability in shared folders feature

     Shared Folders is a feature that enables users of guest operating
     systems to access a specified set of folders in the host's file
     system. A vulnerability was identified by Greg MacManus of iDefense
     Labs that could allow an attacker to write arbitrary content from a
     guest system to arbitrary locations on the host system. In order to
     exploit this vulnerability, the VMware system must have at least
     one folder shared.  Although the Shared Folder feature is enabled
     by default, no folders are shared by default, which means this
     vulnerability is not exploitable by default.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2007-1744 to this issue.

     VMware Workstation 5.5.4 (Build# 44386)
     VMware Player      1.0.4 (Build# 44386)
     VMware Server      1.0.3 (Build# 44356)
     VMware ACE         1.0.3 (Build# 44385)

4. Solution:

Hosted products can be downloaded from the following locations:

  VMware Workstation 5.5.4
  http://www.vmware.com/download/ws/

  VMware Server 1.0.3
  http://www.vmware.com/download/server/

  VMware Player 1.0.4
  http://www.vmware.com/download/player/

  VMware ACE 1.0.3
  http://www.vmware.com/download/ace/

  Note: ACE 2, a major release of ACE, will be available very
  shortly. It is targeted for an early May 07 release. A release
  candidate build is posted publicly on the VMware beta products
  site. In addition to new functionality, ACE 2 addresses all
  issues outlined in the posted ACE 1.0.3 release notes.  Anyone
  considering a patch or upgrade may wish to plan for a move
  directly to the ACE 2 GA release.

5. References:

  CVE numbers
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1069
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1337
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1877
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1876
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1744

6. Contact:

E-mail:  security@vmware.com

http://www.vmware.com/security

VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html

Copyright 2007 VMware Inc. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGP61f6KjQhy2pPmkRCJ6+AJ0cTbUetmsDYomiekcrFm8ieup9KQCgsaVk
JGz9td+nL/jv+ooODmmaYA4=
=LcQJ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC