Risks
Advisories
Browse
or
or
VMware Security Advisory - VMware vSphere security updates for the authentication service and third party libraries (VMSA-2013-0001.2)
- -----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2013-0001.2
Synopsis:    VMware vSphere security updates for the authentication
             service and third party libraries
Issue date:  2013-01-31
Updated on:  2013-02-21
CVE numbers: --- vSphere authentication ---
             CVE-2013-1405
             --- libxml2 ---
             CVE-2011-3102, CVE-2012-2807
             --- bind (service console) ---
             CVE-2012-4244
             --- xslt (service console) ---
             CVE-2011-1202, CVE-2011-3970, CVE-2012-2825,
             CVE-2012-2870, CVE-2012-2871
- -----------------------------------------------------------------------

1. Summary

   VMware vSphere security updates for the authentication service and
   third party libraries

2. Relevant releases

   - vCenter Server 4.1 without Update 3a
   - vCenter Server 4.0 without Update 4b
   - Virtual Center 2.5 without Update 6c

   - vSphere Client 4.1 without Update 3a
   - vSphere Client 4.0 without Update 4b
   - VI-Client 2.5 without Update 6c

   - ESXi 4.1 without patch ESXi410-201301401-SG
   - ESXi 4.0 without patches ESXi400-201302401-SG and
     ESXi400-201302403-SG
   - ESXi 3.5 without patches ESXe350-201302401-I-SG and
     ESXe350-201302403-C-SG

   - ESX 4.1 without patches ESX410-201301401-SG, ESX410-201301402-SG,
     ESX410-201301403-SG, and ESX410-201301405-SG
   - ESX 4.0 without patch ESX400-201302401-SG
   - ESX 3.5 without patch ESX350-201302401-SG

3. Problem Description

   a. VMware vSphere client-side authentication memory corruption
      vulnerability

      VMware vCenter Server, vSphere Client, and ESX contain a
      vulnerability in the handling of the management authentication
      protocol. To exploit this vulnerability, an attacker must
      convince either vCenter Server, vSphere Client or ESX to
      interact with a malicious server as a client. Exploitation of
      the issue may lead to code execution on the client system.

      To reduce the likelihood of exploitation, vSphere components
      should be deployed on an isolated management network.

      The Common Vulnerabilities and Exposures Project (cve.mitre.org)
      has assigned the name CVE-2013-1405 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware            Product     Running     Replace with/
        Product           Version     on          Apply Patch
        ==============    =======     =======     =================
        vCenter Server    5.1         Windows     not affected
        vCenter Server    5.0         Windows     not affected
        vCenter Server    4.1         Windows     4.1 Update 3a
        vCenter Server    4.0         Windows     4.0 Update 4b
        VirtualCenter     2.5         Windows     2.5 Update 6c

        vSphere Client    5.1         Windows     not affected
        vSphere Client    5.0         Windows     not affected
        vSphere Client    4.1         Windows     4.1 Update 3a **
        vSphere Client    4.0         Windows     4.0 Update 4b **
        VI-Client         2.5         Windows     2.5 Update 6c **

        hosted *          any         any         not affected

        ESXi              5.1         ESXi        not affected
        ESXi              5.0         ESXi        not affected
        ESXi              4.1         ESXi        ESXi410-201301401-SG
        ESXi              4.0         ESXi        ESXi400-201302401-SG
                                                  ESXi400-201302403-SG (vSphere
client)
        ESXi              3.5         ESXi        ESXe350-201302401-I-SG
                                                  ESXe350-201302403-C-SG (vSphere
client)

        ESX               4.1         ESX         ESX410-201301401-SG
        ESX               4.0         ESX         ESX400-201302401-SG (includes
vSphere client)
        ESX               3.5         ESX         ESX350-201302401-SG (includes
vSphere client)

        * hosted products are VMware Workstation, Player, ACE, Fusion.

        ** To remediate CVE-2013-1405, customers must apply updates to
           all components of the authentication service.  First,
           customers should update vCenter Server or ESXi/ESX as
           appropriate to ensure that the updated vSphere Client is
           downloaded.  Then, the vSphere client can be updated using
           any one of the following methods:

           - Run the installer that ships with vCenter Server
           - Follow the client installation link on the vCenter Server
             welcome page
           - Follow the client installation link on the ESXi/ESX
             Server welcome page

   b. Update to ESX/ESXi libxml2 userworld and service console

      The ESX/ESXi userworld libxml2 library has been updated to
      resolve multiple security issues. Also, the ESX service console
      libxml2 packages are updated to the following versions:

        libxml2-2.6.26-2.1.15.el5_8.5
        libxml2-python-2.6.26-2.1.15.el5_8.5

      These updates fix multiple security issues. The Common
      Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the names CVE-2011-3102 and CVE-2012-2807 to these
      issues.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product   Running  Replace with/
        Product         Version   on       Apply Patch
        ==============  ========  =======  =================
        ESXi            5.1       ESXi     patch pending
        ESXi            5.0       ESXi     patch pending
        ESXi            4.1       ESXi     ESXi410-201301401-SG
        ESXi            4.0       ESXi     no patch planned
        ESXi            3.5       ESXi     no patch planned

        ESX             4.1       ESX      ESX410-201301405-SG
        ESX             4.0       ESX      no patch planned
        ESX             3.5       ESX      no patch planned

   c. Update to ESX service console bind packages

      The ESX service console bind packages are updated to the
      following versions:

        bind-libs-9.3.6-20.P1.el5_8.2
        bind-utils-9.3.6-20.P1.el5_8.2

      These updates fix a security issue. The Common Vulnerabilities
      and Exposures project (cve.mitre.org) has assigned the name
      CVE-2012-4244 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product   Running  Replace with/
        Product         Version   on       Apply Patch
        ==============  ========  =======  =================
        ESXi            any       ESXi     not applicable

        ESX             4.1       ESX      ESX410-201301402-SG
        ESX             4.0       ESX      patch pending
        ESX             3.5       ESX      not applicable

   d. Update to ESX service console libxslt package

      The ESX service console libxslt package is updated to version
      libxslt-1.1.17-4.el5_8.3 to resolve multiple security issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2011-1202, CVE-2011-3970,
      CVE-2012-2825, CVE-2012-2870, and CVE-2012-2871 to these issues.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

        VMware          Product   Running  Replace with/
        Product         Version   on       Apply Patch
        ==============  ========  =======  =================
        ESXi            any       ESXi     not applicable

        ESX             4.1       ESX      ESX410-201301403-SG
        ESX             4.0       ESX      not affected
        ESX             3.5       ESX      not applicable

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   vCenter Server 4.1 Update 3a
   ---------------------------
   The download for vCenter Server includes vSphere Update Manager,
   vSphere Client, and vCenter Orchestrator.

   Download link:
  
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_
1

   Release Notes:
   https://www.vmware.com/support/vsphere4/doc/vsp_vc41_u3a_rel_notes.html

   vCenter Server 4.0 Update 4b
   ---------------------------
   The download for vCenter Server includes vSphere Update Manager,
   vSphere Client, and vCenter Orchestrator.

   Download link:
  
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_
0

   Release Notes:
   https://www.vmware.com/support/vsphere4/doc/vsp_vc40_u4b_rel_notes.html

   VirtualCenter 2.5 Update U6c
   ---------------------------
   Download link:
  
http://downloads.vmware.com/d/info/datacenter_downloads/vmware_infrastructure_3/3_5

   Release Notes:
   https://www.vmware.com/support/vi3/doc/vi3_vc25u6c_rel_notes.html

   ESXi and ESX
   ------------
   https://my.vmware.com/web/vmware/downloads

   ESXi 4.1
   --------
   File: ESXi410-201301001.zip
   md5sum: 3543d3f16a1f1b1369dcdb5c25fa7106
   sha1sum: cced12e87838a3b037c9ec99d8490809c61fe883
   http://kb.vmware.com/kb/2041332
   ESXi410-201301001 contains ESXi410-201301401-SG

   ESXi 4.0
   --------
   File: ESXi400-201302001.zip
   md5sum: 03dc9246239dd449bf21a122e7b1bcf3
   sha1sum: 276346a186c068c1fdbf19e1b753b8a2dbc8c89c
   http://kb.vmware.com/kb/2041344
   ESXi400-201302001 contains ESXi400-201302401-SG and
   ESXi400-201302403-SG

   ESXi 3.5
   --------
   File: ESXe350-201302401-O-SG.zip
   md5sum: a2c5f49bc865625b3796c41c202d1696
   sha1sum: 12d25011d9940ea40d45f77a4e5bcc7e7b0c0cee
   http://kb.vmware.com/kb/2042543
   ESXi350-201302401-O-SG contains ESXe350-201302401-I-SG and
   ESXe350-201302403-C-SG

   ESX 4.1
   -------
   File: ESX410-201301001.zip
   md5sum: 0219dbcbcc6fafe8bf33695682c8658d
   sha1sum: 2eab9d56ac81f7d2d00c15b155bd93c36b0e03c3
   http://kb.vmware.com/kb/2041331
   ESX410-201301001 contains ESX410-201301401-SG, ESX410-201301402-SG,
   ESX410-201301403-SG, and ESX410-201301405-SG

   ESX 4.0
   -------
   File: ESX400-201302001.zip
   md5sum: 2a883e737c3cde990fe4792c64c32fcd
   sha1sum: 92c3b13ab3fdee73c335d5e8b41159f546def199
   http://kb.vmware.com/kb/2041343
   ESX400-201302001 contains ESX400-201302401-SG

   ESX 3.5
   -------
   File: ESX350-201302401-SG.zip
   md5sum: e703cb0bc3e1eaa8932a96ea96f34a00
   sha1sum: 91dcf1bf7194a289652d0904dd7af8bce0a1d2dd
   http://kb.vmware.com/kb/2042541
   ESX350-201302401-SG contains ESX350-201302401-SG

5. References

   --- vSphere authentication ---
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1405
   --- libxml2 ---
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3102
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2807
   --- bind (service console) ---
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4244
   --- xslt (service console) ---
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1202
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3970
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2825
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2870
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2871

- -----------------------------------------------------------------------

6. Change log

   2013-01-31 VMSA-2013-0001
   Initial security advisory in conjunction with the release of
   vCenter 4.1 Update 3a and ESX 4.1 patches on 2013-01-31.

   2013-02-07 VMSA-2013-0001.1
   Updated security advisory to include vCenter 4.0 Update 4b and
   patches for ESX 4.0 released on 2013-02-07.

   2013-02-21 VMSA-2013-0001.2
   Updated security advisory to include vCenter 2.5 Update U6c and
   patches for ESX 3.5 released on 2013-02-21.

- -----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     * security-announce at lists.vmware.com
     * bugtraq at securityfocus.com
     * full-disclosure at lists.grok.org.uk

   E-mail:  security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html

   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html

   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html




Spotlight

Whitepaper: Zero Trust approach to network security

Posted on 20 November 2014.  |  Zero Trust is an alternative security model that addresses the shortcomings of failing perimeter-centric strategies by removing the assumption of trust.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Nov 21st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //