VMware updates resolve critical security issues (VMSA-2008-0005)

VMware updates resolve critical security issues (VMSA-2008-0005)
Last month we announced a critical VMware vulnerability where it was possible for a program running in a guest virtual machine to gain access to the host's complete file system and create or modify executable files in sensitive locations (that is, a true escape). The problem was due to a directory traversal vulnerability on the VMware share folder capabilities on Windows. VMware has announced a new security advisory that includes a set of updates for VMware Workstation, Player, Server, ACE, and Fusion (VMSA-2008-0005), resolving this vulnerability plus a few other relevant security issues: a. Host to guest shared folder (HGFS) traversal vulnerability (CVE-2008-0923) b. Insecure named pipes (CVE-2008-1361, CVE-2008-1362) c. Updated libpng library to version 1.2.22 to address various security vulnerabilities (CVE-2007-5269) d. Updated OpenSSL library to address various security vulnerabilities (CVE-2006-2940, CVE-2006-2937, CVE-2006-4343, CVE-2006-4339) e. VIX API default setting changed to a more secure default value f. Windows 2000 based hosted products privilege escalation vulnerability (CVE-2007-5618) g. DHCP denial of service vulnerability (CVE-2008-1364) h. Local Privilege Escalation on Windows based platforms by Hijacking VMware VMX configuration file (CVE-2008-1363) i. Virtual Machine Communication Interface (VMCI) memory corruption resulting in denial of service (CVE-2008-1340) The latest versions are: VMware Workstation 6.0.3 VMware Workstation 5.5.6 VMware Player 2.0.3 VMware Player 1.0.6 VMware ACE 2.0.3 VMware ACE 1.0.5 VMware Server 1.0.5 VMware Fusion 1.1.1 Update as soon as possible! -- Raul Siles www.raulsiles.com	Raul Siles 152 Posts Mar 19th 2008
Subscribe	Mar 19th 2008 1 decade ago