exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

VMware Security Advisory 2008-0001

VMware Security Advisory 2008-0001
Posted Jan 8, 2008
Authored by VMware | Site vmware.com

VMware Security Advisory - Alexander Sotirov from VMware Security Research discovered a buffer overflow vulnerability in the OpenPegasus Management server. Additionally, various service console packages have been updated.

tags | advisory, overflow
advisories | CVE-2007-5360, CVE-2007-5398, CVE-2007-4572, CVE-2007-5191, CVE-2007-5116, CVE-2007-3108, CVE-2007-5135
SHA-256 | be7e78ccb4f20704221fb7366e2271392d4aa26ec0d833801cc6ea984541e69f

VMware Security Advisory 2008-0001

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


- -------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2008-0001
Synopsis: Moderate OpenPegasus PAM Authentication Buffer
Overflow and updated service console packages
Issue date: 2008-01-07
Updated on: 2008-01-07
CVE numbers: CVE-2007-5360 CVE-2007-5398 CVE-2007-4572
CVE-2007-5191 CVE-2007-5116 CVE-2007-3108
CVE-2007-5135
- -------------------------------------------------------------------

1. Summary:

Updated service console patches

2. Relevant releases:

ESX Server 3.0.2 without patches ESX-1002969, ESX-1002970, ESX-1002971,
ESX-1002975, ESX-1002976
ESX Server 3.0.1 without patches ESX-1002962, ESX-1002963, ESX-1002964,
ESX-1002968, ESX-1002972, ESX-1003176

3. Problem description:

I OpenPegasus PAM Authentication Buffer Overflow

Alexander Sotirov from VMware Security Research discovered a
buffer overflow vulnerability in the OpenPegasus Management server.
This flaw could be exploited by a malicious remote user on the
service console network to gain root access to the service console.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-5360 to this issue.

RPM Updated: pegasus-2.5-552927
VM Shutdown: No
Host Reboot: No

Note: ESX Server 3.5 and ESX Server 3i are not affected by this
issue.

ESX Server 3.0.2
https://download3.vmware.com/software/vi/ESX-1002970.tgz
md5sum: d19115e965d486e72100ce489efea707
https://kb.vmware.com/kb/1002970

ESX Server 3.0.1
https://download3.vmware.com/software/vi/ESX-1003176.tgz
md5sum: 5674ca0dcfac90726014cc316444996e
https://kb.vmware.com/kb/1003176

ESX Server 2.5.x

Users should remove the OpenPegasus CIM Management rpm. This
component is disabled by default, and VMware recommends that you
do not use this component of ESX Server 2.x. If you want to
use the CIM functionality, upgrade to ESX Server 3.0.1 or a later
release.

Note: This vulnerability can be exploited remotely only if the
attacker has access to the service console network.

Security best practices provided by VMware recommend that the
service console be isolated from the VM network. Please see
https://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.


II Service Console package security updates

a. Updated Samba package

An issue where attackers on the service console management
network can cause a stack-based buffer overflow in the
reply_netbios_packet function of nmbd in Samba. On systems
where Samba is being used as a WINS server, exploiting this
vulnerability can allow remote attackers to execute arbitrary
code via crafted WINS Name Registration requests followed by a
WINS Name Query request.

An issue where attackers on the service console management
network can exploit a vulnerability that occurs when Samba is
configured as a Primary or Backup Domain controller. The
vulnerability allows remote attackers to have an unknown impact
via crafted GETDC mailslot requests, related to handling of
GETDC logon server requests.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-5398 and CVE-2007-4572 to these
issues.

Note: By default Samba is not configured as a WINS server or a domain
controller and ESX is not vulnerable unless the administrator
has changed the default configuration.

This vulnerability can be exploited remotely only if the
attacker has access to the service console network.

Security best practices provided by VMware recommend that the
service console be isolated from the VM network. Please see
https://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.

RPM Updated:
samba-3.0.9-1.3E.14.1vmw
samba-client-3.0.9-1.3E.14.1vmw
samba-common-3.0.9-1.3E.14.1vmw

VM Shutdown: Yes
Host Reboot: Yes

ESX Server 3.5.0 is not affected by this issue

ESX Server 3.0.2
https://download3.vmware.com/software/vi/ESX-1002975.tgz
md5sum: 797a7494c2c4eb49629d3f94818df5dd
https://kb.vmware.com/kb/1002975

ESX Server 3.0.1
https://download3.vmware.com/software/vi/ESX-1002968.tgz
md5sum: 5106d90afaf77c3a0d8433487f937d06
https://kb.vmware.com/kb/1002968

ESX Server 2.5.5 download Upgrade Patch 3
ESX Server 2.5.4 download Upgrade Patch 14

b. Updated util-linux package

The patch addresses an issue where the mount and umount
utilities in util-linux call the setuid and setgid functions in
the wrong order and do not check the return values, which could
allow attackers to gain elevated privileges via helper
application such as mount.nfs.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-5191 to this issue.

RPM Updated:
util-linux-2.11y-31.24vmw
losetup-2.11y-31.24vmw
mount -2.11y-31.24vmw

VM Shutdown: Yes
Host Reboot: Yes

ESX Server 3.0.2
https://download3.vmware.com/software/vi/ESX-1002976.tgz
md5sum: 0fe833c50c0ecb0ff9340d6674be2e43
https://kb.vmware.com/kb/1002976

ESX Server 3.0.1
https://download3.vmware.com/software/vi/ESX-1002972.tgz
md5sum: 59ca4a43f330c5f0b7a55693aa952cdc
https://kb.vmware.com/kb/1002972


c. Updated Perl package

The update addresses an issue where the regular expression
engine in Perl can be used to issue a specially crafted regular
expression that allows the attacker to run arbitrary code with
the permissions level of the current Perl user.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-5116 to this issue.

RPM Updated:
perl-5.8.0-97.EL3

VM Shutdown: Yes
Host Reboot: Yes

ESX Server 3.0.2
https://download3.vmware.com/software/vi/ESX-1002971.tgz
md5sum: 337b09d9ae4b1694a045e216b69765e1
https://kb.vmware.com/kb/1002971

ESX Server 3.0.1
https://download3.vmware.com/software/vi/ESX-1002964.tgz
md5sum: d47e26104bfd5e4018ae645638c94487
https://kb.vmware.com/kb/1002964


d. Updated OpenSSL package

A flaw in the SSL_get_shared_ciphers() function can allow an
attacker to cause a buffer overflow problem by sending ciphers

to applications that use the function.

A possible vulnerability that would allow a local attacker to
obtain private RSA keys being used on a system using the OpenSSL
package.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-3108, and CVE-2007-5135 to these
issues.

RPM Updated:
openssl-0.9.7a-33.24

VM Shutdown: Yes
Host Reboot: Yes

ESX Server 3.0.2
https://download3.vmware.com/software/vi/ESX-1002969.tgz
md5sum: 72fd28a9f9380158db149259fbdcaa3b
https://kb.vmware.com/kb/1002969

ESX Server 3.0.1
https://download3.vmware.com/software/vi/ESX-1002962.tgz
md5sum: a0727bdc2e1a6f00d5fe77430a6ee9d6
https://kb.vmware.com/kb/1002962

ESX Server 2.5.5 download Upgrade Patch 3
ESX Server 2.5.4 download Upgrade Patch 14

4. Solution:

Please review the Patch notes for your product and version and verify
the md5sum of your downloaded file.

ESX Server 3.x Patches:
https://www.vmware.com/download/vi/vi3_patches.html

ESX Server 2.x Patches:
https://www.vmware.com/download/esx/esx2_patches.html

ESX Server 2.5.5 Upgrade Patch 3
https://download3.vmware.com/software/esx/esx-2.5.5-65742-upgrade.tar.gz
md5sum: 9068250fdd604e8787ef40995a4638f9
https://www.vmware.com/support/esx25/doc/esx-255-200712-patch.html

ESX Server 2.5.4 Upgrade Patch 14
https://download3.vmware.com/software/esx/esx-2.5.4-65752-upgrade.tar.gz
md5sum: 24990b9207f882ccc91545b6fc90273d
https://www.vmware.com/support/esx25/doc/esx-254-200712-patch.html

5. References:

CVE numbers
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5360
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5398
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4572
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5191
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5116
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135

- -------------------------------------------------------------------
6. Contact:

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce@lists.vmware.com
* bugtraq@securityfocus.com
* full-disclosure@lists.grok.org.uk

E-mail: security@vmware.com

Security web site
https://www.vmware.com/security

VMware security response policy
https://www.vmware.com/support/policies/security_response.html

General support life cycle policy
https://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
https://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHgtXJS2KysvBH1xkRCPnYAJoDMpdOmgs4e+JQ610SCjnKF99wpgCfcVO3
UCcAvs574f1LCZv+8lPQvrk=
=Hzno
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close