New ESXi security patch VMSA-2012-0011 released on June 14th

Today VMware released a new security update for ESX(i) versions 3.5 to 5.0 as well as for hosted virtualization platforms like Workstation/Player, and updated several older security advisories.
If you’re not signed up on the VMware security mailing list, you should do so at http://lists.vmware.com/mailman/listinfo/security-announce in order to get all the latest information on updates and advisories.

The new advisory is available here. The new patch, "VMware ESXi 5.0, Patch ESXi500-201206401-SG: Updates esx-base", fixes two critical security issues:

VMware Host Checkpoint File Memory Corruption
Certain input data is not properly validated when loading checkpoint files. This might allow an attacker with the ability to load a specially crafted checkpoint file to execute arbitrary code on the host.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-3288 to this issue.
The following workarounds and mitigating controls might be available to remove the potential for exploiting the issue and to reduce the exposure that the issue poses.

Workaround: None identified.

Mitigation: Do not import virtual machines from untrusted sources.

VMware Virtual Machine Remote Device Denial of Service
A device (for example CD-ROM or keyboard) that is available to a virtual machine while physically connected to a system that does not run the virtual machine is referred to as a remote device. Traffic coming from remote virtual devices is incorrectly handled. This might allow an attacker who is capable of manipulating the traffic from a remote virtual device to crash the virtual machine.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-3289 to this issue.
The following workarounds and mitigating controls might be available to remove the potential for exploiting the issue and to reduce the exposure that the issue poses.

Workaround: None identified.

Mitigation:
Users need administrative privileges on the virtual machine in order to attach remote devices.
Do not attach untrusted remote devices to a virtual machine.

This is already the second critical security-related patch, after VMware ESXi 5.0, Patch ESXi500-201205401-SG, which was released a month ago following a leak of VMware source code that raised some public attention. I really hope we’re done with this soon.

Here are the updated advisories based on older patches:
– http://www.vmware.com/security/advisories/VMSA-2012-0005.html
– http://www.vmware.com/security/advisories/VMSA-2012-0006.html
– http://www.vmware.com/security/advisories/VMSA-2012-0007.html
– http://www.vmware.com/security/advisories/VMSA-2012-0009.html

The actual changes to these advisories can be found in section 6, "Change log", of each one. There doesn’t seem to be any really important information though.

And last but not least, if you’re running ESX on HP, you might as well update your HP-Extensions while you’re installing this.
