SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   VMware Vendors:   VMware, Inc.
VMware Workstation, Player, ACE, and Fusion Buffer Overflow in HGFS File System Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1020148
SecurityTracker URL:  http://securitytracker.com/id/1020148
CVE Reference:   CVE-2008-2098   (Links to External Site)
Date:  May 30 2008
Impact:   Execution of arbitrary code via local system, Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Workstation 6.0.3 and prior 6.x versions; Player 2.0.3 and prior 2.x versions; ACE 2.0.3 and prior 2.x versions; Fusion 1.1.1 and prior
Description:   A vulnerability was reported in VMware Workstation, VMware Player, VMware ACE, and VMware Fusion. A local user can obtain elevated privileges on the target system.

A local user can trigger a heap overflow in the shared folders feature of the VMware Host Guest File System (HGFS) to execute arbitrary code on the target system. The code will run in the context of the vmx process.

Systems with shared folders enabled (not the default configuration) may be affected if at least one folder on the host system is shared.

The following versions are affected:

VMware Workstation 6.0.3 and prior 6.x versions
VMware Player 2.0.3 and prior 2.x versions
VMware ACE 2.0.3 and prior 2.x versions
VMware Fusion 1.1.1 and prior

Andrew Honig of the U.S. Department of Defense reported this vulnerability.

Impact:   A local user can obtain elevated privileges on the target system.
Solution:   The vendor has issued the following fixes.

VMware Workstation 6.0.4
------------------------
http://www.vmware.com/download/ws/
Release notes:
http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html

Windows binary
md5sum: f50a05831e94c19d98f363c752fca5f9

RPM Installation file for 32-bit Linux
md5sum: e7793b14b995d3b505f093c84e849421

tar Installation file for 32-bit Linux
md5sum: a0a8e1d8188f4be03357872a57a767ab

RPM Installation file for 64-bit Linux
md5sum: 960d753038a268b8f101f4b853c0257e

tar Installation file for 64-bit Linux
md5sum: 4697ec8a9d6c1152d785f3b77db9d539

VMware Player 2.0.4
-------------------
http://www.vmware.com/download/player/
Release notes Player 1.x:
http://www.vmware.com/support/player/doc/releasenotes_player.html
Release notes Player 2.0
http://www.vmware.com/support/player2/doc/releasenotes_player2.html

2.0.4 Windows binary
md5sum: a117664a8bfa7336b846117e5fc048dd

VMware Player 2.0.4 for Linux (.rpm)
md5sum: de6ab6364a0966b68eadda2003561cd2

VMware Player 2.0.4 for Linux (.tar)
md5sum: 9e1c2bfda6b22a3fc195a86aec11903a

VMware Player 2.0.4 - 64-bit (.rpm)
md5sum: 997e5ceffe72f9ce9146071144dacafa

VMware Player 2.0.4 - 64-bit (.tar)
md5sum: 18eb4ee49dd7e33ec155ef69d7d259ef

VMware ACE
----------
http://www.vmware.com/download/ace/
Release notes 2.0:
http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html

VMware-workstation-6.0.4-93057.exe
md5sum: f50a05831e94c19d98f363c752fca5f9

VMware-ACE-Management-Server-Appliance-2.0.4-93057.zip
md5sum: d2ae2246f3d87268cf84c1421d94e86c

VMware-ACE-Management-Server-2.0.4-93057.exe
md5sum: 41b31b3392d5da2cef77a7bb28654dbf

VMware-ACE-Management-Server-2.0.4-93057.i386-rhel4.rpm
md5sum: 9920be4c33773df53a1728b41af4b109

VMware-ACE-Management-Server-2.0.4-93057.i386-sles9.rpm
md5sum: 4ec4c37203db863e8844460b5e80920b


VMware Fusion 1.1.3
--------------
http://www.vmware.com/download/fusion/
Release notes:
http://www.vmware.com/support/fusion/doc/releasenotes_fusion.html
md5sum: D15A3DFD3E7B11FC37AC684586086D

Vendor URL:  www.vmware.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (OS X), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Fri, 30 May 2008 11:21:37 -0700
Subject:  [Security-announce] VMSA-2008-0008 Updates to VMware Workstation,

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2008-0008
Synopsis:          Updates to VMware Workstation, VMware Player,
                   VMware ACE, VMware Fusion resolve critical
                   security issues
Issue date:        2008-05-30
Updated on:        2008-05-30 (initial release of advisory)
CVE numbers:       CVE-2008-2098 CVE-2008-2099
- -------------------------------------------------------------------

1. Summary:

   Several critical security vulnerabilities have been addressed
   in the newest releases of VMware's hosted product line.

2. Relevant releases:

   VMware Workstation 6.0.3 and earlier,
   VMware Player 2.0.3 and earlier,
   VMware ACE 2.0.3 and earlier,
   VMware Fusion 1.1.1 and earlier

NOTES: Users of VMware hosted products VMware Workstation 5.x,
       VMware Player 1.x, and VMware ACE 1.x should note that
       although they are not vulnerable to these issue, they
       will reach their end of general support on 2008-11-09.
       Customers should plan to upgrade to the latest version
       of their respective products.

3. Problem description:

 a. VMware HGFS File System Heap Overflow

    The VMware Host Guest File System (HGFS) shared folders feature allows
    users to transfer data between a guest operating system and the
    non-virtualized host operating system that contains it.

    A heap buffer overflow condition is present in VMware HGFS. Exploitation
    of this flaw might allow an unprivileged guest process to execute code
    in the context of the vmx process on the host.

    In order to exploit this vulnerability, the VMware system must have
    at least one folder shared.  Two things must happen for a folder to
    be shared.  1) Shared folders must be enabled, and 2) a folder must
    be selected from the host system to be shared.  No folders are shared
    by default in any version of our products, which means this
    vulnerability is not exploitable by default.  Workstation 6.x,
    Player 2.x, and ACE 2.x have shared folders disabled by default.

    VMware Server, ESX and ESXi do not provide the shared folders feature.
    Because there is no back-end for the HGFS protocol on the virtualization
    host, these products are architecturally immune to this issue.

    This issue might not be exploitable on host operating systems which
    have implemented heap protection.

    VMware would like to thank Andrew Honig of the Department of
    Defense for reporting this issue.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2008-2098 to this issue.

    VMware        Product   Running  Replace with/
    Product       Version   on       Apply Patch
    ============  ========  =======  =================
    Workstation   6.x       Windows  6.0.4 build 93057
    Workstation   6.x       Linux    6.0.4 build 93057
    Workstation   5.x       Windows  not affected
    Workstation   5.x       Linux    not affected

    Player        2.x       Windows  2.0.4 build 93057
    Player        2.x       Linux    2.0.4 build 93057
    Player        1.x       Windows  not affected
    Player        1.x       Linux    not affected

    ACE           2.x       Windows  2.0.2 build 93057
    ACE           1.x       Windows  not affected

    Server        1.x       Windows  not affected
    Server        1.x       Linux    not affected

    Fusion        1.x       Mac OS/X 1.1.2 build 87978 or later

 b. Windows based VMCI arbitrary code execution vulnerability

    VMCI was introduced in VMware Workstation 6.0, VMware Player 2.0,
    and VMware ACE 2.0.  It is an experimental, optional feature
    that allows virtual machines to communicate with one another.

    With VMCI enabled a guest may execute arbitrary code in the context
    of the vmx process on the host. This is a compiler dependent
    vulnerability and only affects systems running on windows hosts.

    VMware would like to thank Andrew Honig of the Department of
    Defense for reporting this issue.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2008-2099 to this issues.

    VMware        Product   Running  Replace with/
    Product       Version   on       Apply patch
    ============  ========  =======  =================
    Workstation   6.x       Windows  6.0.4 build 93057
    Workstation   6.x       Linux    not affected
    Workstation   5.x       Windows  not affected
    Workstation   5.x       Linux    not affected

    Player        2.x       Windows  2.0.4 build 93057
    Player        2.x       Linux    not affected
    Player        1.x       Windows  not affected
    Player        1.x       Linux    not affected

    ACE           2.x       Windows  2.0.2 build 93057
    ACE           1.x       Windows  not affected

    Server        1.x       Windows  not affected
    Server        1.x       Linux    not affected

    Fusion        1.x       Mac OS/X not affected


4. Solution:

Please review the release notes for your product and version and verify the
md5sum of your downloaded file.

  VMware Workstation 6.0.4
  ------------------------
  http://www.vmware.com/download/ws/
  Release notes:
  http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html

  Windows binary
  md5sum: f50a05831e94c19d98f363c752fca5f9

  RPM Installation file for 32-bit Linux
  md5sum: e7793b14b995d3b505f093c84e849421

  tar Installation file for 32-bit Linux
  md5sum: a0a8e1d8188f4be03357872a57a767ab

  RPM Installation file for 64-bit Linux
  md5sum: 960d753038a268b8f101f4b853c0257e

  tar Installation file for 64-bit Linux
  md5sum: 4697ec8a9d6c1152d785f3b77db9d539

  VMware Player 2.0.4
  -------------------
  http://www.vmware.com/download/player/
  Release notes Player 1.x:
  http://www.vmware.com/support/player/doc/releasenotes_player.html
  Release notes Player 2.0
  http://www.vmware.com/support/player2/doc/releasenotes_player2.html

  2.0.4 Windows binary
  md5sum: a117664a8bfa7336b846117e5fc048dd

  VMware Player 2.0.4 for Linux (.rpm)
  md5sum: de6ab6364a0966b68eadda2003561cd2

  VMware Player 2.0.4 for Linux (.tar)
  md5sum: 9e1c2bfda6b22a3fc195a86aec11903a

  VMware Player 2.0.4 - 64-bit (.rpm)
  md5sum: 997e5ceffe72f9ce9146071144dacafa

  VMware Player 2.0.4 - 64-bit (.tar)
  md5sum: 18eb4ee49dd7e33ec155ef69d7d259ef

  VMware ACE
  ----------
  http://www.vmware.com/download/ace/
  Release notes 2.0:
  http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html

  VMware-workstation-6.0.4-93057.exe
  md5sum: f50a05831e94c19d98f363c752fca5f9

  VMware-ACE-Management-Server-Appliance-2.0.4-93057.zip
  md5sum: d2ae2246f3d87268cf84c1421d94e86c

  VMware-ACE-Management-Server-2.0.4-93057.exe
  md5sum: 41b31b3392d5da2cef77a7bb28654dbf

  VMware-ACE-Management-Server-2.0.4-93057.i386-rhel4.rpm
  md5sum: 9920be4c33773df53a1728b41af4b109

  VMware-ACE-Management-Server-2.0.4-93057.i386-sles9.rpm
  md5sum: 4ec4c37203db863e8844460b5e80920b


  VMware Fusion 1.1.3
  --------------
  http://www.vmware.com/download/fusion/
  Release notes:
  http://www.vmware.com/support/fusion/doc/releasenotes_fusion.html
  md5sum: D15A3DFD3E7B11FC37AC684586086D


5. References:

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2098
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2099

6. Change log:

2008-05-30  VMSA-2008-0008    Initial release

- -------------------------------------------------------------------
7. Contact:

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce@lists.vmware.com
  * bugtraq@securityfocus.com
  * full-disclosure@lists.grok.org.uk

E-mail:  security@vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFIQEWfS2KysvBH1xkRCFnpAJ9wELSEn4Dn2J4ZjynwS2QL6u7qYQCfY0Xz
85diPDQG1kGmgZKr+6NKM8Y=
=ku8U
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
http://lists.vmware.com/mailman/listinfo/security-announce

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC