ID: CVE-2008-3692
Type: cve
Reporter: cve@mitre.org
Modified: 2018-10-31T15:33:00
Description
Unspecified vulnerability in a certain ActiveX control in VMware Workstation 5.5.x before 5.5.8 build 108000, VMware Workstation 6.0.x before 6.0.5 build 109488, VMware Player 1.x before 1.0.8 build 108000, VMware Player 2.x before 2.0.5 build 109488, VMware ACE 1.x before 1.0.7 build 108880, VMware ACE 2.x before 2.0.5 build 109488, and VMware Server before 1.0.7 build 108231 has unknown impact and remote attack vectors, a different vulnerability than CVE-2008-3691, CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, and CVE-2008-3696.
{"seebug": [{"lastseen": "2017-11-19T21:34:55", "bulletinFamily": "exploit", "description": "BUGTRAQ ID:30934\r\nCVE ID: CVE-2008-3691\r\n CVE-2008-3692\r\n CVE-2008-3693\r\n CVE-2008-3694\r\n CVE-2008-3695\r\n CVE-2008-3696\r\nCNCVE ID: CNCVE-20083691\r\n CNCVE-20083692\r\n CNCVE-20083693\r\n CNCVE-20083694\r\n CNCVE-20083695\r\n CNCVE-20083696\r\n\r\nVMWare is virtual PC software that allows two or more Windows, DOS, or Linux systems to run simultaneously on one machine.\r\nMultiple VMWare ActiveX controls have multiple unspecified security issues; no further details are currently available.\n\nVMWare Workstation 6.0.5 build 109488\r\nVMWare Workstation 6.0.5 \r\nVMWare Workstation 5.5.8 build 108000\r\nVMWare Workstation 5.5.8 \r\nVMWare Server 1.0.7 build 108231\r\nVMWare Server 1.0.7 \r\nVMWare Player 2.0.5 build 109488\r\nVMWare Player 2.0.5 \r\nVMWare Player 1.0.8 build 108000\r\nVMWare Player 1.0.8 \r\nVMWare Fusion 1.1.2 \r\nVMWare Fusion 1.1.1 \r\nVMWare Fusion 1.1 \r\nVMWare Fusion 1.1.2 build 87978\r\nVMWare Fusion 1.0\r\nVMWare ACE 2.0.5 build 109488\r\nVMWare ACE 2.0.5 \r\nVMWare ACE 1.0.7 build 108880\r\nVMWare ACE 1.0.7\n The vendor has released an upgrade; contact the vendor for patch information:\r\nhttp://www.vmware.com/", "modified": "2008-09-01T00:00:00", "published": "2008-09-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-3950", "id": "SSV:3950", "title": "VMware has multiple security vulnerabilities", "type": "seebug", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "nessus": [{"lastseen": "2019-11-03T12:38:34", "bulletinFamily": "scanner", "description": 
"A VMware product installed on the remote host is affected by multiple\nvulnerabilities :\n\n - ActiveX controls provided by VMware for IE could be\n exploited to cause a denial of service condition or\n execute arbitrary code on the remote system.\n (CVE-2007-5438, CVE-2008-3691-CVE-2008-3696,\n CVE-2008-3892)\n\n - Internet Server Application Programming Interface\n (ISAPI) extensions provided by VMware are affected\n by a remote denial of service vulnerability.\n (CVE-2008-3697)\n\n - Certain VMware products running as host systems are\n affected by a local privilege escalation vulnerability.\n Successful exploitation of this issue would allow\n users to execute arbitrary code on the system.\n (CVE-2008-3698)\n\n - A flaw in VMware", "modified": "2019-11-02T00:00:00", "id": "VMWARE_MULTIPLE_VMSA_2008_0014.NASL", "href": "https://www.tenable.com/plugins/nessus/34156", "published": "2008-09-10T00:00:00", "title": "VMware Products Multiple Vulnerabilities (VMSA-2008-0014)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(34156);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\n \"CVE-2007-5438\",\n \"CVE-2008-3691\",\n \"CVE-2008-3692\",\n \"CVE-2008-3693\",\n \"CVE-2008-3694\",\n \"CVE-2008-3695\",\n \"CVE-2008-3696\",\n \"CVE-2008-3697\",\n \"CVE-2008-3698\",\n \"CVE-2008-3892\",\n \"CVE-2008-4279\"\n );\n script_bugtraq_id(26025, 30934, 30935, 30936, 31569);\n script_xref(name:\"VMSA\", value:\"2008-0014\");\n script_xref(name:\"Secunia\", value:\"31310\");\n script_xref(name:\"Secunia\", value:\"31707\");\n script_xref(name:\"Secunia\", value:\"31708\");\n script_xref(name:\"Secunia\", value:\"31709\");\n\n script_name(english:\"VMware Products Multiple Vulnerabilities (VMSA-2008-0014)\");\n script_summary(english:\"Checks versions of multiple VMware products\");\n\n script_set_attribute(attribute:\"synopsis\", 
value:\n\"The remote Windows host has an application that is affected by\nmultiple issues.\");\n script_set_attribute(attribute:\"description\", value:\n\"A VMware product installed on the remote host is affected by multiple\nvulnerabilities :\n\n - ActiveX controls provided by VMware for IE could be\n exploited to cause a denial of service condition or\n execute arbitrary code on the remote system.\n (CVE-2007-5438, CVE-2008-3691-CVE-2008-3696,\n CVE-2008-3892)\n\n - Internet Server Application Programming Interface\n (ISAPI) extensions provided by VMware are affected\n by a remote denial of service vulnerability.\n (CVE-2008-3697)\n\n - Certain VMware products running as host systems are\n affected by a local privilege escalation vulnerability.\n Successful exploitation of this issue would allow\n users to execute arbitrary code on the system.\n (CVE-2008-3698)\n\n - A flaw in VMware's CPU hardware emulation could result\n in privilege escalation on guest systems running on\n 64-bit operating systems. 
(CVE-2008-4279)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/archive/1/495869/100/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2008/Oct/51\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2008-0014.html\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2008-0016.html\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to :\n\n - VMware Workstation 6.0.5/5.5.8 or higher.\n - VMware Player 2.0.5/1.0.8 or higher.\n - VMware Server 1.0.7 or higher.\n - VMware ACE 2.0.5/1.0.7 or higher.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 119, 264);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/09/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:ace\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:vmware:vmware_player\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:vmware:vmware_server\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:vmware:vmware_workstation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"vmware_workstation_detect.nasl\",\"vmware_server_win_detect.nasl\", \"vmware_player_detect.nasl\",\"vmware_ace_detect.nasl\");\n script_require_ports(\"VMware/Server/Version\", \"VMware/ACE/Version\", 
\"VMware/Player/Version\", \"VMware/Workstation/Version\", 139, 445);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\n\nport = kb_smb_transport();\n\n# Check for VMware Workstation\n\nversion = get_kb_item(\"VMware/Workstation/Version\");\nif (version)\n{\n v = split(version, sep:\".\", keep:FALSE);\n for (i=0; i<max_index(v); i++)\n v[i] = int(v[i]);\n\n if (( v[0] < 5 ) ||\n ( v[0] == 5 && v[1] < 5 ) ||\n ( v[0] == 5 && v[1] == 5 && v[2] < 8 ) ||\n ( v[0] == 6 && v[1] == 0 && v[2] < 5 )\n )\n {\n if (report_verbosity > 0)\n {\n report = string(\n \"\\n\",\n \"Version \",version,\" of VMware Workstation is installed on the remote host.\",\n \"\\n\"\n );\n security_hole(port:port, extra:report);\n }\n else\n \t security_hole(port);\n }\n}\n\n# Check for VMware Server\n\nversion = get_kb_item(\"VMware/Server/Version\");\nif (version)\n{\n v = split(version, sep:\".\", keep:FALSE);\n for (i=0; i<max_index(v); i++)\n v[i] = int(v[i]);\n\n if ( ( v[0] < 1 ) ||\n ( v[0] == 1 && v[1] == 0 && v[2] < 7 )\n )\n {\n if (report_verbosity > 0)\n {\n report = string(\n \"\\n\",\n \"Version \",version,\" of VMware Server is installed on the remote host.\",\n \"\\n\"\n );\n security_hole(port:port, extra:report);\n }\n else\n \tsecurity_hole(port);\n }\n}\n\n# Check for VMware Player\n\nversion = get_kb_item(\"VMware/Player/Version\");\nif (version)\n{\n v = split(version, sep:\".\", keep:FALSE);\n for (i=0; i<max_index(v); i++)\n v[i] = int(v[i]);\n\n if ( ( v[0] < 1 ) ||\n ( v[0] == 1 && v[1] == 0 && v[2] < 8 ) ||\n ( v[0] == 2 && v[1] == 0 && v[2] < 5 )\n )\n {\n if (report_verbosity > 0)\n {\n report = string(\n \"\\n\",\n \"Version \",version,\" of VMware Player is installed on the remote host.\",\n \"\\n\"\n );\n security_hole(port:port, extra:report);\n }\n else\n security_hole(port);\n }\n}\n\n# Check for VMware ACE.\n\nversion = get_kb_item(\"VMware/ACE/Version\");\nif (version)\n{\n v = split(version, sep:\".\", keep:FALSE);\n\n for 
(i=0; i<max_index(v); i++)\n v[i] = int(v[i]);\n\n if (( v[0] == 1 && v[1] == 0 && v[2] < 7 ) ||\n ( v[0] == 2 && v[1] == 0 && v[2] < 5 )\n )\n {\n if (report_verbosity > 0)\n {\n report = string(\n \"\\n\",\n \"Version \",version,\" of VMware ACE is installed on the remote host.\",\n \"\\n\"\n );\n security_hole(port:port, extra:report);\n }\n else\n security_hole(port);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-17T19:57:24", "bulletinFamily": "scanner", "description": "I Security Issues\n\n a. Setting ActiveX kill bit\n\n Starting from this release, VMware has set the kill bit on its\n ActiveX controls. Setting the kill bit ensures that ActiveX\n controls cannot run in Internet Explorer (IE), and avoids\n security issues involving ActiveX controls in IE. See the\n Microsoft KB article 240797 and the related references on this\n topic.\n\n Security vulnerabilities have been reported for ActiveX controls\n provided by VMware when run in IE. Under specific circumstances,\n exploitation of these ActiveX controls might result in denial-of-\n service or can allow running of arbitrary code when the user\n browses a malicious Web site or opens a malicious file in IE\n browser. An attempt to run unsafe ActiveX controls in IE might\n result in pop-up windows warning the user.\n \n Note: IE can be configured to run unsafe ActiveX controls without\n prompting. VMware recommends that you retain the default\n settings in IE, which prompts when unsafe actions are\n requested.\n\n Earlier, VMware had issued knowledge base articles, KB 5965318 and\n KB 9078920 on security issues with ActiveX controls. To avoid\n malicious scripts that exploit ActiveX controls, do not enable\n unsafe ActiveX objects in your browser settings. 
As a best\n practice, do not browse untrusted Web sites as an administrator\n and do not click OK or Yes if prompted by IE to allow certain\n actions.\n\n VMware would like to thank Julien Bachmann, Shennan Wang, Shinnai,\n and Michal Bucko for reporting these issues to us.\n\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\n has assigned the names CVE-2008-3691, CVE-2008-3692,\n CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and\n CVE-2008-3696 to the security issues with VMware ActiveX controls.\n\n b. VMware ISAPI Extension Denial of Service\n\n The Internet Server Application Programming Interface (ISAPI) is\n an API that extends the functionality of Internet Information\n Server (IIS). VMware uses ISAPI extensions in its Server product.\n\n One of the ISAPI extensions provided by VMware is vulnerable to a\n remote denial of service. By sending a malformed request, IIS\n might shut down. IIS 6.0 restarts automatically. However, IIS 5.0\n does not restart automatically when its Startup Type is set to\n Manual.\n\n VMware would like to thank the Juniper Networks J-Security\n Security Research Team for reporting this issue to us.\n\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\n has assigned the name CVE-2008-3697 to this issue.\n\n c. OpenProcess Local Privilege Escalation on Host System\n\n This release fixes a privilege escalation vulnerability in host\n systems. Exploitation of this vulnerability allows users to run\n arbitrary code on the host system with elevated privileges.\n\n VMware would like to thank Sun Bing from McAfee, Inc. for\n reporting this issue to us.\n\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\n has assigned the name CVE-2008-3698 to this issue.\n\n d. 
Update to Freetype\n\n FreeType 2.3.6 resolves an integer overflow vulnerability and other\n vulnerabilities that can allow malicious users to run arbitrary code\n or might cause a denial-of-service after reading a maliciously\n crafted file. This release updates FreeType to 2.3.7.\n\n The Common Vulnerabilities and Exposures Project (cve.mitre.com)\n has assigned the names CVE-2008-1806, CVE-2008-1807, and\n CVE-2008-1808 to the issues resolved in Freetype 2.3.6.\n\n e. Update to Cairo\n\n Cairo 1.4.12 resolves an integer overflow vulnerability that can\n allow malicious users to run arbitrary code or might cause a\n denial-of-service after reading a maliciously crafted PNG file.\n This release updates Cairo to 1.4.14.\n\n The Common Vulnerabilities and Exposures (cve.mitre.com) has\n assigned the name CVE-2007-5503 to this issue.\n\n f. VMware Consolidated Backup (VCB) command-line utilities may expose\n sensitive information\n\n VMware Consolidated Backup command-line utilities accept the user\n password through the -p command-line option. Users logged into the\n ESX service console or into the system that runs VCB could gain\n access to the username and password used by VCB command-line\nutilities\n when such commands are running.\n\n The ESX patch and the new version of VCB resolve this issue by\n providing an alternative way of passing the password used by VCB\n command-line utilities.\n\n VCB in ESX\n ----------\n The following options are recommended for passing the password :\n\n 1. The password is specified in /etc/backuptools.conf\n (PASSWORD=xxxxx), and -p is not used in the command line.\n /etc/backuptools.conf file permissions are read/write only\n for root.\n\n 2. No password is specified in /etc/backuptools.conf and the\n -p option is not used in the command line. 
The user will be\n prompted to enter a password.\n\n ESX is not affected unless you use VCB.\n\n Stand-alone VCB\n ---------------\n The following options are recommended for passing the password :\n\n 1. The password is specified in config.js (PASSWORD=xxxxx), and -p\n is not used in the command line. The file permissions on config.js\n are read/write only for the administrator. The config.js file is\n located in folder ", "modified": "2019-11-02T00:00:00", "id": "VMWARE_VMSA-2008-0014.NASL", "href": "https://www.tenable.com/plugins/nessus/40382", "published": "2009-07-27T00:00:00", "title": "VMSA-2008-0014 : Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX, VMware VCB address information disclosure, privilege escalation and other security issues.", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from VMware Security Advisory 2008-0014. \n# The text itself is copyright (C) VMware Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(40382);\n script_version(\"1.41\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\"CVE-2007-5269\", \"CVE-2007-5438\", \"CVE-2007-5503\", \"CVE-2008-1447\", \"CVE-2008-1806\", \"CVE-2008-1807\", \"CVE-2008-1808\", \"CVE-2008-2101\", \"CVE-2008-3691\", \"CVE-2008-3692\", \"CVE-2008-3693\", \"CVE-2008-3694\", \"CVE-2008-3695\", \"CVE-2008-3696\", \"CVE-2008-3697\", \"CVE-2008-3698\", \"CVE-2008-4194\");\n script_bugtraq_id(25956, 26650, 29637, 29639, 29640, 29641, 30131);\n script_xref(name:\"VMSA\", value:\"2008-0014\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"VMSA-2008-0014 : Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX, VMware VCB address information disclosure, privilege escalation and other security issues.\");\n script_summary(english:\"Checks esxupdate output for the patches\");\n\n 
script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote VMware ESXi / ESX host is missing one or more\nsecurity-related patches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"I Security Issues\n\n a. Setting ActiveX kill bit\n\n Starting from this release, VMware has set the kill bit on its\n ActiveX controls. Setting the kill bit ensures that ActiveX\n controls cannot run in Internet Explorer (IE), and avoids\n security issues involving ActiveX controls in IE. See the\n Microsoft KB article 240797 and the related references on this\n topic.\n\n Security vulnerabilities have been reported for ActiveX controls\n provided by VMware when run in IE. Under specific circumstances,\n exploitation of these ActiveX controls might result in denial-of-\n service or can allow running of arbitrary code when the user\n browses a malicious Web site or opens a malicious file in IE\n browser. An attempt to run unsafe ActiveX controls in IE might\n result in pop-up windows warning the user.\n \n Note: IE can be configured to run unsafe ActiveX controls without\n prompting. VMware recommends that you retain the default\n settings in IE, which prompts when unsafe actions are\n requested.\n\n Earlier, VMware had issued knowledge base articles, KB 5965318 and\n KB 9078920 on security issues with ActiveX controls. To avoid\n malicious scripts that exploit ActiveX controls, do not enable\n unsafe ActiveX objects in your browser settings. 
As a best\n practice, do not browse untrusted Web sites as an administrator\n and do not click OK or Yes if prompted by IE to allow certain\n actions.\n\n VMware would like to thank Julien Bachmann, Shennan Wang, Shinnai,\n and Michal Bucko for reporting these issues to us.\n\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\n has assigned the names CVE-2008-3691, CVE-2008-3692,\n CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and\n CVE-2008-3696 to the security issues with VMware ActiveX controls.\n\n b. VMware ISAPI Extension Denial of Service\n\n The Internet Server Application Programming Interface (ISAPI) is\n an API that extends the functionality of Internet Information\n Server (IIS). VMware uses ISAPI extensions in its Server product.\n\n One of the ISAPI extensions provided by VMware is vulnerable to a\n remote denial of service. By sending a malformed request, IIS\n might shut down. IIS 6.0 restarts automatically. However, IIS 5.0\n does not restart automatically when its Startup Type is set to\n Manual.\n\n VMware would like to thank the Juniper Networks J-Security\n Security Research Team for reporting this issue to us.\n\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\n has assigned the name CVE-2008-3697 to this issue.\n\n c. OpenProcess Local Privilege Escalation on Host System\n\n This release fixes a privilege escalation vulnerability in host\n systems. Exploitation of this vulnerability allows users to run\n arbitrary code on the host system with elevated privileges.\n\n VMware would like to thank Sun Bing from McAfee, Inc. for\n reporting this issue to us.\n\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\n has assigned the name CVE-2008-3698 to this issue.\n\n d. 
Update to Freetype\n\n FreeType 2.3.6 resolves an integer overflow vulnerability and other\n vulnerabilities that can allow malicious users to run arbitrary code\n or might cause a denial-of-service after reading a maliciously\n crafted file. This release updates FreeType to 2.3.7.\n\n The Common Vulnerabilities and Exposures Project (cve.mitre.com)\n has assigned the names CVE-2008-1806, CVE-2008-1807, and\n CVE-2008-1808 to the issues resolved in Freetype 2.3.6.\n\n e. Update to Cairo\n\n Cairo 1.4.12 resolves an integer overflow vulnerability that can\n allow malicious users to run arbitrary code or might cause a\n denial-of-service after reading a maliciously crafted PNG file.\n This release updates Cairo to 1.4.14.\n\n The Common Vulnerabilities and Exposures (cve.mitre.com) has\n assigned the name CVE-2007-5503 to this issue.\n\n f. VMware Consolidated Backup (VCB) command-line utilities may expose\n sensitive information\n\n VMware Consolidated Backup command-line utilities accept the user\n password through the -p command-line option. Users logged into the\n ESX service console or into the system that runs VCB could gain\n access to the username and password used by VCB command-line\nutilities\n when such commands are running.\n\n The ESX patch and the new version of VCB resolve this issue by\n providing an alternative way of passing the password used by VCB\n command-line utilities.\n\n VCB in ESX\n ----------\n The following options are recommended for passing the password :\n\n 1. The password is specified in /etc/backuptools.conf\n (PASSWORD=xxxxx), and -p is not used in the command line.\n /etc/backuptools.conf file permissions are read/write only\n for root.\n\n 2. No password is specified in /etc/backuptools.conf and the\n -p option is not used in the command line. 
The user will be\n prompted to enter a password.\n\n ESX is not affected unless you use VCB.\n\n Stand-alone VCB\n ---------------\n The following options are recommended for passing the password :\n\n 1. The password is specified in config.js (PASSWORD=xxxxx), and -p\n is not used in the command line. The file permissions on config.js\n are read/write only for the administrator. The config.js file is\n located in folder 'config' of the VCB installation folder. For\nexample,\n C:\\Program Files\\Vmware\\Vmware Consolidated Backup Framework\\config.\n\n 2. The password is specified in the registry, and is not specified in\n config.js, and -p is not used in the command line. Access to the\n registry key holding the password is allowed only to the\nadministrator.\n The location of the registry key is :\n On Windows x86: HKEY_LOCAL_MACHINE\\SOFTWARE\\VMware, Inc.\\\n VMware Consolidated Backup\\Password\n On Windows x64: HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\\n VMware, Inc.\\VMware Consolidated Backup\\Password\n\n 3. The password is not specified in the registry, and is not\nspecified in\n config.js, and -p is not used in the command line. The user will be\n prompted to enter a password.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2008-2101 to this issue.\n\n g. Third-Party Library libpng Updated to 1.2.29\n\n Several flaws were discovered in the way third-party library\n libpng handled various PNG image chunks. An attacker could\n create a carefully crafted PNG image file in such a way that\n it causes an application linked with libpng to crash when the\n file is manipulated.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2007-5269 to this issue.\n\n NOTE: There are multiple patches required to remediate the issue.\n\nII ESX Service Console rpm updates\n\n a. 
update to bind\n\n This update upgrades the service console rpms for bind-utils and\n bind-lib to version 9.2.4-22.el3.\n\n Version 9.2.4.-22.el3 addresses the recently discovered\n vulnerability in the BIND software used for Domain Name\n resolution (DNS). VMware doesn't install all the BIND packages\n on ESX Server and is not vulnerable by default to the reported\n vulnerability. Of the BIND packages, VMware only ships bind-util\n and bind-lib in the service console and these components by\n themselves cannot be used to setup a DNS server. Bind-lib and\n bind-util are used in client DNS applications like nsupdate,\n nslookup, etc.\n\n VMware explicitly discourages installing applications like BIND\n on the service console. In case the customer has installed BIND,\n and the DNS server is configured to support recursive queries,\n their ESX Server system is affected and they should replace BIND\n with a patched version.\n\n Note: ESX Server will use the DNS server on the network it is\n on, so it is important to patch that DNS server.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2008-1447 to this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.vmware.com/pipermail/security-announce/2008/000040.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply the missing patches.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 189, 200, 264, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:vmware:esx:2.5.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:2.5.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:3.0.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:3.0.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:3.0.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:3.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:3.5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"VMware ESX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/VMware/release\", \"Host/VMware/version\");\n script_require_ports(\"Host/VMware/esxupdate\", \"Host/VMware/esxcli_software_vibs\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"vmware_esx_packages.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/VMware/release\")) audit(AUDIT_OS_NOT, \"VMware ESX / ESXi\");\nif (\n !get_kb_item(\"Host/VMware/esxcli_software_vibs\") &&\n !get_kb_item(\"Host/VMware/esxupdate\")\n) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ninit_esx_check(date:\"2008-08-29\");\nflag = 0;\n\n\nif (esx_check(ver:\"ESX 2.5.4\", patch:\"20\")) flag++;\n\nif (esx_check(ver:\"ESX 2.5.5\", patch:\"10\")) flag++;\n\nif (esx_check(ver:\"ESX 3.0.1\", patch:\"ESX-1004823\")) flag++;\nif (esx_check(ver:\"ESX 3.0.1\", patch:\"ESX-1005108\")) flag++;\nif (esx_check(ver:\"ESX 3.0.1\", patch:\"ESX-1005111\")) flag++;\nif (esx_check(ver:\"ESX 3.0.1\", patch:\"ESX-1005112\")) flag++;\nif (esx_check(ver:\"ESX 3.0.1\", patch:\"ESX-1005117\")) flag++;\n\nif (esx_check(ver:\"ESX 3.0.2\", patch:\"ESX-1005109\")) flag++;\nif (esx_check(ver:\"ESX 3.0.2\", patch:\"ESX-1005113\")) flag++;\nif (esx_check(ver:\"ESX 3.0.2\", patch:\"ESX-1005114\")) flag++;\n\nif (\n esx_check(\n ver : \"ESX 3.0.3\",\n patch : \"ESX303-200808403-SG\",\n patch_updates : make_list(\"ESX303-201002201-UG\", \"ESX303-Update01\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 3.0.3\",\n patch : \"ESX303-200808404-SG\",\n patch_updates : make_list(\"ESX303-201002201-UG\", \"ESX303-Update01\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 3.0.3\",\n patch : \"ESX303-200808406-SG\",\n patch_updates : make_list(\"ESX303-201002205-UG\", \"ESX303-Update01\")\n )\n) flag++;\n\nif (\n esx_check(\n ver : \"ESX 3.5.0\",\n patch : 
\"ESX350-200808409-SG\",\n patch_updates : make_list(\"ESX350-201002404-SG\", \"ESX350-Update04\", \"ESX350-Update05\", \"ESX350-Update05a\")\n )\n) flag++;\n\nif (esx_check(ver:\"ESXi 3.5.0\", patch:\"ESXe350-200808501-I-SG\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:27", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\r\n\r\n- ------------------------------------------------------------------------\r\n VMware Security Advisory\r\n\r\nAdvisory ID: VMSA-2008-0014\r\nSynopsis: Updates to VMware Workstation, VMware Player,\r\n VMware ACE, VMware Server, VMware ESX address\r\n information disclosure, privilege escalation and\r\n other security issues.\r\nIssue date: 2008-08-29\r\nUpdated on: 2008-08-29 (initial release of advisory)\r\nCVE numbers: CVE-2008-2101 CVE-2007-5269 CVE-2008-1447\r\n CVE-2008-3691 CVE-2008-3692 CVE-2008-3693\r\n CVE-2008-3694 CVE-2008-3695 CVE-2007-5438\r\n CVE-2008-3696 CVE-2008-3697 CVE-2008-3698\r\n CVE-2008-1806 CVE-2008-1807 CVE-2008-1808\r\n CVE-2007-5503\r\n- --------------------------------------------------------------------------\r\n\r\n1. Summary\r\n\r\n Updates to VMware Workstation, VMware Player, VMware ACE, VMware\r\n Server, VMware ESX address information disclosure, privilege\r\n escalation and other security issues.\r\n\r\n2. 
Relevant releases\r\n\r\n VMware Workstation 6.0.4 and earlier,\r\n VMware Workstation 5.5.7 and earlier,\r\n VMware Player 2.0.4 and earlier,\r\n VMware Player 1.0.7 and earlier,\r\n VMware ACE 2.0.4 and earlier,\r\n VMware ACE 1.0.6 and earlier,\r\n VMware Server 1.0.6 and earlier,\r\n\r\n VMware ESX 3.0.3 without patches ESX303-200808404-SG, ESX303-200808403-SG\r\n ESX303-200808406-SG.\r\n\r\n\r\n VMware ESX 3.0.2 without patches ESX-1005109, ESX-1005113,\r\n ESX-1005114.\r\n\r\n VMware ESX 3.0.1 without patches ESX-1005108, ESX-1005112,\r\n ESX-1005111, ESX-1004823,\r\n ESX-1005117.\r\n\r\n NOTE: Hosted products VMware Workstation 5.x, VMware Player 1.x,\r\n and VMware ACE 1.x will reach end of general support\r\n 2008-11-09. Customers should plan to upgrade to the latest\r\n version of their respective products.\r\n\r\n Extended support (Security and Bug fixes) for ESX 3.0.2 ends\r\n on 10/29/2008 and Extended support for ESX 3.0.2 Update 1\r\n ends on 8/8/2009. Users should plan to upgrade to ESX 3.0.3\r\n and preferably to the newest release available.\r\n\r\n Extended Support (Security and Bug fixes) for ESX 3.0.1 has\r\n ended on 2008-07-31. The 3.0.1 patches are released in\r\n August because there was no patch release in July.\r\n\r\n3. Problem Description\r\n\r\n I Security Issues\r\n\r\n a. Setting ActiveX killbit\r\n\r\n Starting from this release, VMware has set the killbit on its\r\n ActiveX controls. Setting the killbit ensures that ActiveX\r\n controls cannot run in Internet Explorer (IE), and avoids\r\n security issues involving ActiveX controls in IE. See the\r\n Microsoft KB article 240797 and the related references on this\r\n topic.\r\n\r\n Security vulnerabilities have been reported for ActiveX controls\r\n provided by VMware when run in IE. 
Under specific circumstances,\r\n exploitation of these ActiveX controls might result in denial-of-\r\n service or can allow running of arbitrary code when the user\r\n browses a malicious Web site or opens a malicious file in IE\r\n browser. An attempt to run unsafe ActiveX controls in IE might\r\n result in pop-up windows warning the user.\r\n\r\n Note: IE can be configured to run unsafe ActiveX controls without\r\n prompting. VMware recommends that you retain the default\r\n settings in IE, which prompts when unsafe actions are\r\n requested.\r\n\r\n Earlier, VMware had issued knowledge base articles, KB 5965318 and\r\n KB 9078920 on security issues with ActiveX controls. To avoid\r\n malicious scripts that exploit ActiveX controls, do not enable\r\n unsafe ActiveX objects in your browser settings. As a best\r\n practice, do not browse untrusted Web sites as an administrator\r\n and do not click OK or Yes if prompted by IE to allow certain\r\n actions.\r\n\r\n VMware would like to thank Julien Bachmann, Shennan Wang, Shinnai,\r\n and Michal Bucko for reporting these issues to us.\r\n\r\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\r\n has assigned the names CVE-2008-3691, CVE-2008-3692,\r\n CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and\r\n CVE-2008-3696 to the security issues with VMware ActiveX controls.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not affected\r\n\r\n Workstation 6.x Windows 6.0.5 build 109488 or later\r\n Workstation 6.x Linux not affected\r\n Workstation 5.x Windows 5.5.8 build 108000 or later\r\n Workstation 5.x Linux not affected\r\n\r\n Player 2.x Windows 2.0.5 build 109488 or later\r\n Player 2.x Linux not affected\r\n Player 1.x Windows 1.0.8 build or later\r\n Player 1.x Linux not affected\r\n\r\n ACE 2.x Windows 2.0.5 build 109488 or later\r\n ACE 1.x Windows 1.0.7 build 108880 or 
later\r\n\r\n Server 1.x Windows 1.0.7 build 108231 or later\r\n Server 1.x Linux not affected\r\n\r\n Fusion 1.x Mac OS/X not affected\r\n\r\n ESXi 3.5 ESXi not affected\r\n\r\n ESX any ESX not affected\r\n\r\n\r\n b. VMware ISAPI Extension Denial of Service\r\n\r\n The Internet Server Application Programming Interface (ISAPI) is\r\n an API that extends the functionality of Internet Information\r\n Server (IIS). VMware uses ISAPI extensions in its Server product.\r\n\r\n One of the ISAPI extensions provided by VMware is vulnerable to a\r\n remote denial of service. By sending a malformed request, IIS\r\n might shut down. IIS 6.0 restarts automatically. However, IIS 5.0\r\n does not restart automatically when its Startup Type is set to\r\n Manual.\r\n\r\n VMware would like to thank the Juniper Networks J-Security\r\n Security Research Team for reporting this issue to us.\r\n\r\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\r\n has assigned the name CVE-2008-3697 to this issue.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not affected\r\n\r\n Workstation 6.x Windows not affected\r\n Workstation 6.x Linux not affected\r\n Workstation 5.x Windows not affected\r\n Workstation 5.x Linux not affected\r\n\r\n Player 2.x Windows not affected\r\n Player 2.x Linux not affected\r\n Player 1.x Windows not affected\r\n Player 1.x Linux not affected\r\n\r\n ACE 2.x Windows not affected\r\n ACE 1.x Windows not affected\r\n\r\n Server 1.x Windows 1.0.7 build 108231 or later\r\n Server 1.x Linux not affected\r\n\r\n Fusion 1.x Mac OS/X not affected\r\n\r\n ESXi 3.5 ESXi not affected\r\n\r\n ESX any ESX not affected\r\n\r\n c. OpenProcess Local Privilege Escalation on Host System\r\n\r\n This release fixes a privilege escalation vulnerability in host\r\n systems. 
Exploitation of this vulnerability allows users to run\r\n arbitrary code on the host system with elevated privileges.\r\n\r\n VMware would like to thank Sun Bing from McAfee, Inc. for\r\n reporting this issue to us.\r\n\r\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\r\n has assigned the name CVE-2008-3698 to this issue.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not affected\r\n\r\n Workstation 6.x Windows not affected\r\n Workstation 6.x Linux not affected\r\n Workstation 5.x Windows 5.5.8 build 108000 or later\r\n Workstation 5.x Linux not affected\r\n\r\n Player 2.x Windows not affected\r\n Player 2.x Linux not affected\r\n Player 1.x Windows 1.0.8 build 109488 or later\r\n Player 1.x Linux not affected\r\n\r\n ACE 2.x Windows not affected\r\n ACE 1.x Windows 1.0.7 build 108880 or later\r\n\r\n Server 1.x Windows 1.0.7 build 108231 or later\r\n Server 1.x Linux not affected\r\n\r\n Fusion 1.x Mac OS/X not affected\r\n\r\n ESXi 3.5 ESXi not affected\r\n\r\n ESX any ESX not affected\r\n\r\n d. Update to Freetype\r\n\r\n FreeType 2.3.6 resolves an integer overflow vulnerability and other\r\n vulnerabilities that can allow malicious users to run arbitrary code\r\n or might cause a denial-of-service after reading a maliciously\r\n crafted file. 
This release updates FreeType to 2.3.7.\r\n\r\n The Common Vulnerabilities and Exposures Project (cve.mitre.com)\r\n has assigned the names CVE-2008-1806, CVE-2008-1807, and\r\n CVE-2008-1808 to the issues resolved in Freetype 2.3.6.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not affected\r\n\r\n Workstation 6.x Windows not affected\r\n Workstation 6.x Linux 6.0.5 build 109488 or later\r\n Workstation 5.x Windows not affected\r\n Workstation 5.x Linux 5.5.8 build 108000 or later\r\n\r\n Player 2.x Windows not affected\r\n Player 2.x Linux 2.0.5 build 109488 or later\r\n Player 1.x Windows not affected\r\n Player 1.x Linux 1.0.8 build 108000 or later\r\n\r\n ACE 2.x Windows not affected\r\n ACE 1.x Windows not affected\r\n\r\n Server 1.x Windows not affected\r\n Server 1.x Linux 1.0.7 build 108231 or later\r\n\r\n Fusion 1.x Mac OS/X affected, patch pending\r\n\r\n ESXi 3.5 ESXi not affected\r\n\r\n ESX 3.5 ESX not affected\r\n ESX 3.0.3 ESX not affected\r\n ESX 3.0.2 ESX not affected\r\n ESX 3.0.1 ESX not affected\r\n ESX 2.5.5 ESX affected, patch pending\r\n ESX 2.5.4 ESX affected, patch pending\r\n\r\n e. 
Update to Cairo\r\n\r\n Cairo 1.4.12 resolves an integer overflow vulnerability that can\r\n allow malicious users to run arbitrary code or might cause a\r\n denial-of-service after reading a maliciously crafted PNG file.\r\n This release updates Cairo to 1.4.14.\r\n\r\n The Common Vulnerabilities and Exposures (cve.mitre.com) has\r\n assigned the name CVE-2007-5503 to this issue.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not affected\r\n\r\n Workstation 6.x Windows not affected\r\n Workstation 6.x Linux 6.0.5 build 109488 or later\r\n Workstation 5.x Windows not affected\r\n Workstation 5.x Linux not affected\r\n\r\n Player 2.x Windows not affected\r\n Player 2.x Linux 2.0.5 build 109488 or later\r\n Player 1.x Windows not affected\r\n Player 1.x Linux not affected\r\n\r\n ACE 2.x Windows not affected\r\n ACE 1.x Windows not affected\r\n\r\n Server 1.x Windows not affected\r\n Server 1.x Linux not affected\r\n\r\n Fusion 1.x Mac OS/X affected, patch pending\r\n\r\n ESXi 3.5 ESXi not affected\r\n\r\n ESX any ESX not affected\r\n\r\n f. VMware Consolidated Backup(VCB) command-line utilities may expose\r\n sensitive information\r\n\r\n VMware Consolidated Backup command-line utilities accept the user\r\n password through the -p command-line option. Users logged into the\r\n service console could gain access to the username and password used\r\n by VCB command-line utilities when such commands are running.\r\n\r\n This patch resolves this issue by providing an alternative way of\r\n passing the password used by VCB command-line utilities.\r\n\r\n The following options are recommended for passing the password:\r\n\r\n 1. The password is specified in /etc/backuptools.conf\r\n (PASSWORD=xxxxx), and -p is not used in the command line.\r\n /etc/backuptools.conf file permissions are read/write only\r\n for root.\r\n\r\n 2. 
No password is specified in /etc/backuptools.conf and the\r\n -p option is not used in the command line. The user will be\r\n prompted to enter a password.\r\n\r\n ESX is not affected unless you use VCB.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2008-2101 to this issue.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= ===================\r\n VirtualCenter any Windows not affected\r\n\r\n hosted * any any not affected\r\n\r\n ESXi 3.5 ESXi not affected\r\n\r\n ESX 3.5 ESX ESX350-200806203-UG\r\n ESX 3.0.3 ESX ESX303-200808403-SG\r\n ESX 3.0.2 ESX ESX-1004824\r\n ESX 3.0.1 ESX ESX-1004823\r\n ESX 2.5.5 ESX not affected\r\n ESX 2.5.4 ESX not affected\r\n\r\n * hosted products are VMware Workstation, Player, ACE, Server, Fusion\r\n\r\n g. Third Party Library libpng Updated to 1.2.29\r\n\r\n Several flaws were discovered in the way third party library\r\n libpng handled various PNG image chunks. 
An attacker could\r\n create a carefully crafted PNG image file in such a way that\r\n it causes an application linked with libpng to crash when the\r\n file is manipulated.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2007-5269 to this issue.\r\n\r\n NOTE: There are multiple patches required to remediate the issue.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= ===================\r\n VirtualCenter any Windows not affected\r\n\r\n hosted * any any not affected\r\n\r\n ESXi 3.5 ESXi affected, patch pending\r\n\r\n ESX 3.5 ESX affected, patch pending\r\n ESX 3.0.3 ESX ESX303-200808404-SG\r\n ESX303-200808403-SG\r\n ESX 3.0.2 ESX ESX-1005109 ESX-1005114 ESX-1005113\r\n ESX 3.0.1 ESX ESX-1005112 ESX-1005108 ESX-1005111\r\n ESX 2.5.5 ESX affected, patch pending\r\n ESX 2.5.4 ESX affected, patch pending\r\n\r\n * hosted products are VMware Workstation, Player, ACE, Server, Fusion\r\n\r\n\r\n II ESX Service Console rpm updates\r\n\r\n a. update to bind\r\n\r\n This update upgrades the service console rpms for bind-utils and\r\n bind-lib to version 9.2.4-22.el3.\r\n\r\n Version 9.2.4.-22.el3 addresses the recently discovered\r\n vulnerability in the BIND software used for Domain Name\r\n resolution (DNS). VMware doesn't install all the BIND packages\r\n on ESX Server and is not vulnerable by default to the reported\r\n vulnerability. Of the BIND packages, VMware only ships bind-util\r\n and bind-lib in the service console and these components by\r\n themselves cannot be used to setup a DNS server. Bind-lib and\r\n bind-util are used in client DNS applications like nsupdate,\r\n nslookup, etc.\r\n\r\n VMware explicitly discourages installing applications like BIND\r\n on the service console. 
In case the customer has installed BIND,\r\n and the DNS server is configured to support recursive queries,\r\n their ESX Server system is affected and they should replace BIND\r\n with a patched version.\r\n\r\n Note: ESX Server will use the DNS server on the network it is\r\n on, so it is important to patch that DNS server.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2008-1447 to this issue.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= ===================\r\n VirtualCenter any Windows not affected\r\n\r\n hosted * any any not affected\r\n\r\n ESXi 3.5 ESXi not affected\r\n\r\n ESX 3.5 ESX patch pending\r\n ESX 3.0.3 ESX ESX303-200808406-SG\r\n ESX 3.0.2 ESX ESX-1006356\r\n ESX 3.0.1 ESX ESX-1005117\r\n ESX 2.5.5 ESX patch pending\r\n ESX 2.5.4 ESX patch pending\r\n\r\n * hosted products are VMware Workstation, Player, ACE, Server, Fusion\r\n\r\n4. Solution\r\n\r\n Please review the patch/release notes for your product and version\r\n and verify the md5sum of your downloaded file.\r\n\r\n VMware Workstation 6.0.5\r\n ------------------------\r\n http://www.vmware.com/download/ws/\r\n Release notes:\r\n http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html\r\n\r\n Windows binary\r\n md5sum: 46b4c54f0493f59f52ac6c2965296859\r\n\r\n RPM Installation file for 32-bit Linux\r\n md5sum: 49ebfbd05d146ecc43262622ab746f03\r\n\r\n tar Installation file for 32-bit Linux\r\n md5sum: 14ac93bffeee72528629d4caecc5ef37\r\n\r\n RPM Installation file for 64-bit Linux\r\n md5sum: 0a856f1a1a31ba3c4b08bcf85d97ccf6\r\n\r\n tar Installation file for 64-bit Linux\r\n md5sum: 3b459254069d663e9873a661bc97cf6c\r\n\r\n VMware Workstation 5.5.8\r\n ------------------------\r\n http://www.vmware.com/download/ws/ws5.html\r\n Release notes:\r\n http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html\r\n\r\n Windows binary:\r\n md5sum: 
745c3250e5254eaf6e65fcfc4172070f\r\n\r\n Compressed Tar archive for 32-bit Linux\r\n md5sum: 65a454749d15d4863401619d7ff5566e\r\n\r\n Linux RPM version for 32-bit Linux\r\n md5sum: d80adc73b1500bdb0cb24d1b0733bcff\r\n\r\n\r\n VMware Player 2.0.5 and 1.0.8\r\n -----------------------------\r\n http://www.vmware.com/download/player/\r\n Release notes Player 1.x:\r\n http://www.vmware.com/support/player/doc/releasenotes_player.html\r\n Release notes Player 2.0\r\n http://www.vmware.com/support/player2/doc/releasenotes_player2.html\r\n\r\n 2.0.5 Windows binary\r\n md5sum: 60265438047259b23ff82fdfe737f969\r\n\r\n VMware Player 2.0.5 for Linux (.rpm)\r\n md5sum: 3bc81e203e947e6ca5b55b3f33443d34\r\n\r\n VMware Player 2.0.5 for Linux (.tar)\r\n md5sum: f499603d790edc5aa355e45b9c5eae01\r\n\r\n VMware Player 2.0.5 - 64-bit (.rpm)\r\n md5sum: 85bc2f11d06c362feeff1a64ee5a6834\r\n\r\n VMware Player 2.0.5 - 64-bit (.tar)\r\n md5sum: b74460bb961e88817884c7e2c0f30215\r\n\r\n 1.0.8 Windows binary\r\n md5sum: e5f927304925297a7d869f74b7b9b053\r\n\r\n Player 1.0.8 for Linux (.rpm)\r\n md5sum: a13fdb8d72b661cefd24e7dcf6e2a990\r\n\r\n Player 1.0.8 for Linux (.tar)\r\n md5sum: 99fbe861253eec5308d8c47938e8ad1e\r\n\r\n\r\n VMware ACE 2.0.5\r\n ----------------\r\n http://www.vmware.com/download/ace/\r\n Release notes 2.0:\r\n http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html\r\n\r\n ACE Manager Server Virtual Appliance\r\n Virtual Appliance for the ACE Management Server\r\n md5sum: 41e7349f3b6568dffa23055bb629208d\r\n\r\n ACE for Window 32-bit and 64-bit\r\n Main installation file for Windows 32-bit and 64-bit host (ACE Option\r\n Page key required for enabling ACE authoring)\r\n md5sum:46b4c54f0493f59f52ac6c2965296859\r\n\r\n ACE Management Server for Windows\r\n ACE Management Server installation file for Windows\r\n md5sum:33a015c4b236329bcb7e12c82271c417\r\n\r\n ACE Management Server for Red Hat Enterprise Linux 4\r\n ACE Management Server installation file for Red Hat 
Enterprise Linux 4\r\n md5sum:dc3bd89fd2285f41ed42f8b28cd5535f\r\n\r\n ACE Management Server for SUSE Enterprise Linux 9\r\n ACE Management Server installation file for SUSE Enterprise Linux 9\r\n md5sum:2add6a4fc97e1400fb2f94274ce0dce0\r\n\r\n VMware ACE 1.0.7\r\n ----------------\r\n http://www.vmware.com/download/ace/\r\n Release notes:\r\n http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html\r\n md5sum: 42d806cddb8e9f905722aeac19740f33\r\n\r\n VMware Server 1.0.7\r\n -------------------\r\n http://www.vmware.com/download/server/\r\n Release notes:\r\n http://www.vmware.com/support/server/doc/releasenotes_server.html\r\n\r\n VMware Server for Windows 32-bit and 64-bit\r\n md5sum: 2e2ee5ebe08ae48eac5e661cad01acf6\r\n\r\n VMware Server Windows client package\r\n md5sum: ce7d906a5a8de37cbc20db4332de1adb\r\n\r\n VMware Server for Linux\r\n md5sum: 04f201122b16222cd58fc81ca814ff8c\r\n\r\n VMware Server for Linux rpm\r\n md5sum: 6bae706df040c35851823bc087597d8d\r\n\r\n Management Interface\r\n md5sum: e67489bd2f23bcd4a323d19df4e903e8\r\n\r\n VMware Server Linux client package\r\n md5sum: 99f1107302111ffd3f766194a33d492b\r\n\r\n ESX\r\n ---\r\n ESX 3.5.0 patch ESX350-200806203-UG (VCB)\r\n http://download3.vmware.com/software/esx/ESX350-200806203-UG.zip\r\n md5sum: 3bd512dc8aa2b276f7cfd19080d193c9\r\n http://kb.vmware.com/kb/1005896\r\n\r\n ESX 3.0.3 patch ESX303-200808403-SG (libpng)\r\n http://download3.vmware.com/software/vi/ESX303-200808403-SG.zip\r\n md5sum: 5f1e75631e53c0e9e013acdbe657cfc7\r\n http://kb.vmware.com/kb/1006034\r\n\r\n ESX 3.0.3 patch ESX303-200808404-SG (libpng)\r\n http://download3.vmware.com/software/vi/ESX303-200808404-SG.zip\r\n md5sum: 65468a5b6ba105cfde1dd444d77b2df4\r\n http://kb.vmware.com/kb/1006035\r\n\r\n ESX 3.0.3 patch ESX303-200808406-SG (bind)\r\n http://download3.vmware.com/software/vi/ESX303-200808406-SG.zip\r\n md5sum: a11273e8d430e5784071caff673995f4\r\n http://kb.vmware.com/kb/1006357\r\n\r\n ESX 3.0.3 patch 
(VCB)\r\n\r\n ESX 3.0.2 patch ESX-1005109 (libpng)\r\n http://download3.vmware.com/software/vi/ESX-1005109.tgz\r\n md5sum: 456d74d94317f852024aed5d3852be09\r\n http://kb.vmware.com/kb/1005109\r\n\r\n ESX 3.0.2 patch ESX-1005113 (libpng)\r\n http://download3.vmware.com/software/vi/ESX-1005113.tgz\r\n md5sum: 5d604f2bfd90585b9c8679f5fc8c31b7\r\n http://kb.vmware.com/kb/1005113\r\n\r\n ESX 3.0.2 patch ESX-1005114 (libpng)\r\n http://download3.vmware.com/software/vi/ESX-1005114.tgz\r\n md5sum: 3b6d33b334f0020131580fdd8f9b5365\r\n http://kb.vmware.com/kb/1005114\r\n\r\n ESX 3.0.2 patch ESX-1004824 (VCB)\r\n http://download3.vmware.com/software/vi/ESX-1004824.tgz\r\n md5sum: c72b0132c9f5d7b4cb1b9e47748a9c5b\r\n http://kb.vmware.com/kb/1004824\r\n\r\n ESX 3.0.2 patch ESX-1006356 (bind)\r\n http://download3.vmware.com/software/vi/ESX-1006356.tgz\r\n md5sum: f0bc9d0b641954145df3986cdb1c2bab\r\n http://kb.vmware.com/kb/1006356\r\n\r\n ESX 3.0.1 patch ESX-1005111 (libpng)\r\n http://download3.vmware.com/software/vi/ESX-1005111.tgz\r\n md5sum: 60e1be9b41070b3531c06f9a0595e24c\r\n http://kb.vmware.com/kb/1005111\r\n\r\n ESX 3.0.1 patch ESX-1005112 (libpng)\r\n http://download3.vmware.com/software/vi/ESX-1005112.tgz\r\n md5sum: ad645cef0f9fa18bb648ba5a37074732\r\n http://kb.vmware.com/kb/1005112\r\n\r\n ESX 3.0.1 patch ESX-1005108 (libpng)\r\n http://download3.vmware.com/software/vi/ESX-1005108.tgz\r\n md5sum: aabc873d978f023c929ccd9a54588ea5\r\n http://kb.vmware.com/kb/1005108\r\n\r\n ESX 3.0.1 patch ESX-1004823 (VCB)\r\n http://download3.vmware.com/software/vi/ESX-1004823.tgz\r\n md5sum: 5ff2e8ce50c18afca76fb16c28415a59\r\n http://kb.vmware.com/kb/1004823\r\n\r\n ESX 3.0.1 patch ESX-1005117 (bind)\r\n http://download3.vmware.com/software/vi/ESX-1005117.tgz\r\n md5sum: 5271ecc6e36fb6f1fdf372e57891aa33\r\n http://kb.vmware.com/kb/1005117\r\n\r\n\r\n5. 
References\r\n\r\n CVE numbers\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2101\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3691\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3692\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3693\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3694\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3695\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5438\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3696\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3697\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3698\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1806\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1807\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1808\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5503\r\n\r\n- ------------------------------------------------------------------------\r\n6. Change log\r\n\r\n2008-08-29 VMSA-2008-0014\r\ninitial release\r\n\r\n- ------------------------------------------------------------------------\r\n7. 
Contact\r\n\r\nE-mail list for product security notifications and announcements:\r\nhttp://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce\r\n\r\nThis Security Advisory is posted to the following lists:\r\n\r\n * security-announce at lists.vmware.com\r\n * bugtraq at securityfocus.com\r\n * full-disclosure at lists.grok.org.uk\r\n\r\nE-mail: security at vmware.com\r\nPGP key at: http://kb.vmware.com/kb/1055\r\n\r\nVMware Security Center\r\nhttp://www.vmware.com/security\r\n\r\nVMware security response policy\r\nhttp://www.vmware.com/support/policies/security_response.html\r\n\r\nGeneral support life cycle policy\r\nhttp://www.vmware.com/support/policies/eos.html\r\n\r\nVMware Infrastructure support life cycle policy\r\nhttp://www.vmware.com/support/policies/eos_vi.html\r\n\r\nCopyright 2008 VMware Inc. All rights reserved.\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.7 (GNU/Linux)\r\n\r\niD8DBQFIuI98S2KysvBH1xkRCJp7AJ9Mq0+CEdoQRLzPLSRbv5OLqXqUHACfUSRt\r\nbZpHL8qHcNwAiTVz6P3+W6E=\r\n=PQ58\r\n-----END PGP SIGNATURE-----", "modified": "2008-09-02T00:00:00", "published": "2008-09-02T00:00:00", "id": "SECURITYVULNS:DOC:20435", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20435", "title": "VMSA-2008-0014 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues.", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:30", "bulletinFamily": "software", "description": "Multiple ActiveX vulnerabilities, privilege escalation, ISAPI filters DoS, third party components updates.", "modified": "2008-09-02T00:00:00", "published": "2008-09-02T00:00:00", "id": "SECURITYVULNS:VULN:9255", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:9255", "title": "VMWare multiple applications security vulnerabilities", "type": 
"securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "vmware": [{"lastseen": "2019-11-06T16:05:51", "bulletinFamily": "unix", "description": "I Security Issues \n \na. Setting ActiveX killbit \nStarting from this release, VMware has set the killbit on its \nActiveX controls. Setting the killbit ensures that ActiveX \ncontrols cannot run in Internet Explorer (IE), and avoids \nsecurity issues involving ActiveX controls in IE. See the \nMicrosoft KB article 240797 and the related references on this \ntopic. \nSecurity vulnerabilities have been reported for ActiveX controls \nprovided by VMware when run in IE. Under specific circumstances, \nexploitation of these ActiveX controls might result in denial-of- \nservice or can allow running of arbitrary code when the user \nbrowses a malicious Web site or opens a malicious file in IE \nbrowser. An attempt to run unsafe ActiveX controls in IE might \nresult in pop-up windows warning the user. \nNote: IE can be configured to run unsafe ActiveX controls without \nprompting. VMware recommends that you retain the default \nsettings in IE, which prompts when unsafe actions are \nrequested. \nEarlier, VMware had issued knowledge base articles, KB 5965318 and \nKB 9078920 on security issues with ActiveX controls. To avoid \nmalicious scripts that exploit ActiveX controls, do not enable \nunsafe ActiveX objects in your browser settings. As a best \npractice, do not browse untrusted Web sites as an administrator \nand do not click OK or Yes if prompted by IE to allow certain \nactions. \nVMware would like to thank Julien Bachmann, Shennan Wang, Shinnai, \nand Michal Bucko for reporting these issues to us. \nThe Common Vulnerabilities and Exposures Project (cve.mitre.org) \nhas assigned the names CVE-2008-3691, CVE-2008-3692, \nCVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and \nCVE-2008-3696 to the security issues with VMware ActiveX controls. 
\n\n", "modified": "2008-10-31T00:00:00", "published": "2008-08-29T00:00:00", "id": "VMSA-2008-0014", "href": "https://www.vmware.com/security/advisories/VMSA-2008-0014.html", "title": "Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX, VMware VCB address information disclosure, privilege escalation and other security issues.", "type": "vmware", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}