Tag Archives: VMware ESXi

July 2019 Update Summary

As predicted; earlier today Adobe and Microsoft made available their usual monthly security updates addressing 5 and 77 vulnerabilities (respectively) more formally known as CVEs (defined):

====================
Adobe Bridge CC: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Dreamweaver: 1x Priority 3 vulnerability resolved (Important severity)

Adobe Experience Manager: 3x Priority 2 vulnerabilities : 2x Important, 1x Moderate severity resolved

If you use any of these Adobe products, please apply the necessary updates as soon as possible.

====================
This month’s list of Known Issues from Microsoft is available within their monthly summary page and applies to all currently supported operating systems. Not all issues have workarounds at this time. Just like last month; Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows 8.1 and Windows Server 2012 R2 list known issues with McAfee products and should refer to the guidance linked to by Microsoft within the above linked to attempt to workaround these issues:

4493730                Servicing stack update for Windows Server 2008 SP2

4507434                Internet Explorer 11

4507435                Windows 10, version 1803

4507448                Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

4507449                Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)

4507450                Windows 10, version 1703

4507453                Windows 10, version 1903, Windows Server version 1903

4507455                Windows 10, version 1709

4507457                Windows 8.1, Windows Server 2012 R2 (Security-only update)

4507458                Windows 10

4507460                Windows 10 1607 and Windows Server 2016

4507462                Windows Server 2012 (Monthly Rollup)

4507464                Windows Server 2012 (Security-only update)

4507469                Windows 10, version 1809, Windows Server 2019

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================

Zero-day (defined) vulnerabilities:
CVE-2019-1132 – Win32k Elevation of Privilege Vulnerability

CVE-2019-0880 – Microsoft splwow64 Elevation of Privilege Vulnerability

====================
Critical
====================
CVE-2019-0785  Windows DHCP Server Remote Code Execution Vulnerability

CVE-2019-1072  Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability

CVE-2019-1056  Scripting Engine

CVE-2019-1106  Scripting Engine

CVE-2019-1092  Scripting Engine

CVE-2019-1103  Scripting Engine

CVE-2019-1107  Scripting Engine

CVE-2019-1062  Scripting Engine

CVE-2019-1004  Scripting Engine

CVE-2019-1001  Scripting Engine

CVE-2019-1063  Internet Explorer Memory Corruption Vulnerability

CVE-2019-1104  Microsoft Browser Memory Corruption Vulnerability

CVE-2019-1102  GDI+ Remote Code Execution Vulnerability

CVE-2019-1113  .NET Framework Remote Code Execution Vulnerability

Servicing Stack Update

====================

Please install the remaining updates at your earliest convenience.

As per standard best practice; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

I have provided further details of updates available for other commonly used applications below.

Thank you.

=======================
Mozilla Firefox
=======================
Today, Mozilla released Firefox 68.0 to address the following vulnerabilities and to introduce new features:

Firefox 68.0: Resolves 2x critical CVEs (defined), 3x high CVEs, 10x moderate and 4x low CVEs

Firefox 60.8 ESR (Extended Support Release): Resolves 1x critical CVE, 4x high CVEs and 5x moderate CVEs

Firefox now also includes cryptomining protection and fingerprinting protections and improved add-on security (my thanks to Softpedia for this information, more details on other security features are here).

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the above changes.

=======================
VMware ESXi
=======================
Earlier today VMware made available an update for ESXi version 6.5. Version 6.0 is unaffected and a patch for 6.7 is pending. This update resolves a denial of service vulnerability.

If you use VMware ESXi, please update when you can.

Thank you.

October 2018 Update Summary

Earlier today Microsoft resolved 49 vulnerabilities more formally known as CVEs (defined).

At the time of writing; there are known issues with the Windows 7 NIC being an issue again this month:

4459266 : Can be resolved by installed the Microsoft Exchange update with administrative (defined) privileges.

4462917 : No workaround at this time.

4462923 : Workaround available.

As always; further details are available in Microsoft’s update summary for October. Moreover, Adobe issued 4 updates today patching the following products:
Adobe Digital Editions (priority 3, resolves 4x critical and 5x important CVEs)

Adobe Experience Manager (priority 2. 3x important and 2x moderate CVEs)

Adobe Framemaker (priority 3, resolves 1x important CVE)

Adobe Technical Communications Suite (priority 3, resolves 1x important CVE)

Earlier this month Adobe released updates for Acrobat DC and Reader DC resolving 86 CVEs (47x critical and 39x important). These were in addition to the updates made available in September (which resolved 1x critical and 6 important CVEs).

As per standard practice if you use any of the above Adobe software, please update it as soon as possible especially in the case of Acrobat DC and Reader DC. No updates for Flash Player have been distributed so far this month.

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

2x vulnerabilities  affecting Microsoft Hyper-V (affects Windows 10, Windows 8.1 (including Windows RT 8.1) and Windows 7 along with their Server equivalents)(the links above provide details on both vulnerabilities)

Microsoft JET database (resolved by installing the latest cumulative update for your version of Windows: Windows 10; Windows 8.1 or Windows 7.

Microsoft Exchange Server 2016, 2013 and 2010

====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

=======================
Mozilla Firefox:
=======================
In early September Mozilla made available updated versions of Firefox:

Firefox 62.0.3: Resolves 2x critical CVEs (defined)

Firefox ESR 60.2.2 (Extended Support Release): Resolves 2x critical CVEs

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to resolve these security issues.

=======================
VMware
=======================
VMWare has issued 2 security advisories so far for October:

Security advisory 1 (addresses 1 critical vulnerability) in the following products:

  • AirWatch Console 9.1 to 9.7

Security advisory 2 (addresses 1 important vulnerability via a mitigation) in the following products:

  • ESXI
  • Fusion
  • Workstation Pro

If you use the above VMware products, please review the security advisories and apply the necessary updates/mitigations.

Vendors Respond to Spectre NG Vulnerabilities

====================
Update: 24th July 2018
====================
I have updated the list of vendor responses below to include further Red Hat versions and CentOS:

Red Hat Enterprise Linux 7:
https://access.redhat.com/errata/RHSA-2018:1629

CentOS 6:
https://lists.centos.org/pipermail/centos-announce/2018-July/022968.html

CentOS 7:
https://lists.centos.org/pipermail/centos-announce/2018-May/022843.html
====================

====================
Update: 19th June 2018
====================
Last Wednesday, the security news and troubleshooting website BleepingComputer published a table detailing the complete list of updates required to mitigate the Meltdown, Spectre and SpectreNG (also known as Spectre variant 4) vulnerabilities for all recent versions of Windows. This is very useful because I realise my previous blog post on Meltdown and Spectre was at times hard to follow (it has a lot of info within it).

As of Tuesday, 12th June Microsoft have released updates to address SpectreNG. While you can install these updates Microsoft have advised their security protections will not be enabled unless you choose to do so. This is due to the lower risk of SpectreNG and also given that enabling the security enhancements of these updates can lead to a performance penalty of up to 8% (as I detailed below).

Microsoft provide step by step advice and guidance if you wish to enable these updates within this security advisory. It is likely other OS vendors will take a similar approach e.g. Red Hat may also choose to distribute these updates but not enable them so as to work around the performance penalty.

For more information on the semi-related Intel Lazy Floating point vulnerability, please see my separate post.

Thank you.

====================
Original Post
====================
On Monday more details of these vulnerabilities were made available by affected vendors among them Red Hat, Google, Intel, IBM and Microsoft. There are two new vulnerabilities named:

Rogue System Register Read (Spectre Variant 3a) (CVE-2018-3640)

Speculative Store Bypass (SSB) (Spectre Variant 4) (CVE-2018-3639)

Why should these vulnerabilities be considered important?

Rogue System Register Read cannot be leveraged by an external attacker; they must instead log onto a vulnerable system and carry out further steps to exploit it. Once exploited the attacker may be able to obtain sensitive information by reading system parameters via side-channel analysis.

For Windows; successful exploitation of this vulnerability will bypass Kernel Address Space Layout Randomization (KASLR) protections. I have talked about ASLR (defined) before but provides this link more detail on kernel ASLR.

Google Project Zero’s Jann Horn and Microsoft’s Ken Johnson first reported Speculative Store Bypass. It can possibly be used by attacker externally (from the internet). I use the term “possibly” since the mitigations added to web browsers following Spectre variant 2 earlier this year will make it more difficult for an attacker to do so. Indeed, Intel rates the risk as “moderate.” This is a more serious vulnerability which may allow an attacker access to read privileged memory areas. An example would be a script running in one browser tab being able to read data from another browser tab.

Red Hat have made available a video more clearly explaining the Speculative Store Bypass (SSB) vulnerability.

How can I protect myself from these vulnerabilities?
At this time microcode updates are being developed by Red Hat, AMD, ARM, Intel, IBM and Microsoft. The affected products from many popular vendors are available from the following links. These vulnerabilities will not be addressed via software fixes but hardware fixes instead.

It is recommended to follow the best practice advice for these vulnerabilities as per the US-CERT namely:

1. Please refer to and monitor the links below for the updates from affected vendors.
2. Test these updates before deploying them widely
3. Ensure the performance impact (anticipated to be between 2 – 8%) is acceptable for the systems you manage/use.

These updates will ship with the mitigations disabled and if appropriate/acceptable for an affected system; the protection (along with its performance impact) can be enabled.

These updates are scheduled to be made available before the end of May. Cloud vendors (e.g. Amazon AWS, Microsoft Azure etc.) will also update their systems once the performance impact is determined and if deemed acceptable.

Thank you.

====================
AMD:
https://www.amd.com/en/corporate/security-updates

ARM:
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Cisco:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180521-cpusidechannel

IBM:
https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Intel:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

Microsoft (full impact yet to be determined):
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180013

Red Hat:
https://access.redhat.com/security/cve/cve-2018-3639

Oracle:
https://blogs.oracle.com/oraclesecurity/processor-vulnerabilities-cve-2018-3640-and-cve-2018-3639

SUSE:
https://www.suse.com/de-de/support/kb/doc/?id=7022937

Ubuntu:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Variant4

VMware ESXI, Fusion/Fusion Pro, Workstation/Workstation Pro and vCenter Server:
https://www.vmware.com/security/advisories/VMSA-2018-0012.html

https://kb.vmware.com/s/article/54951

https://kb.vmware.com/s/article/55111
====================

December 2017 Update Summary

Earlier this month Microsoft closed out the year with a small number of security updates. They resolved 32 vulnerabilities. Further details are provided within Microsoft’s new Security Updates Guide.

Sorry for not posting this sooner; travelling for my job meant my time was much more limited.

No Known Issues were listed as occurring for this months update.

====================

Meanwhile Adobe also completed their yearly updates with a single update for Flash Player resolving a single priority 2 CVE (defined).

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For December Microsoft updates, I will prioritize the order of installation below:
====================
Critical severity:

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)

Important severity:

Windows RRAS (Routing and Remote Access) Service Remote Code Execution Vulnerability

====================

Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

=======================
VMware AirWatch Console and other VMware Products
=======================
A security advisory for VMware AirWatch Console to address a moderate security vulnerability was made available in December. A further security advisory to address 4 important vulnerabilities within the products listed below was also published:

  • ESXi
  • vCenter Server Appliance
  • Workstation
  • Fusion

=======================
Google Chrome:
=======================
An update for Google Chrome included 37 security fixes while a second update included 2 further fixes.

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the updates to take effect.
=======================

=======================
Apple security updates:
=======================
During the first half of December Apple made available security updates for the following products:

=======================

Apple tvOS 11.2 and 11.2.1

Apple iOS 11.2 and 11.2.1

Apple watchOS 4.2

Apple Safari 11.0.2

Apple macOS High Sierra 10.13.2, Sierra and El Capitan

Apple iTunes 12.7.2 for Windows

AirPort Base Station Firmware Update 7.6.9 and AirPort Base Station Firmware Update 7.7.9

Apple iCloud for Windows 7.2

=======================

Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here while the steps for updating the Apple Watch are available here. Further details of these updates are available on Apple’s dedicated security updates page.

For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

=======================
Mozilla Firefox and Firefox ESR
=======================
During December Mozilla released security updates for Firefox and Firefox ESR (Extended Support Release) raising their version numbers to 57.0.2 and 52.5.2 respectively.

  • Firefox 57.0.2 resolves 1 CVE
  • Firefox ESR 52.5.2 resolves 2 CVEs.

As always full details of the security issues resolved by these updates are available in the following links:

Firefox 57.0.2
Firefox 52.5.2

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve these security issues.

=======================
VideoLAN VLC:
=======================
In early December VideoLAN made available version 2.2.8 of VLC for Linux, Apple macOS  and Windows. It addresses 4 security vulnerabilities (3 of which were addressed in 2.2.7). If you use VLC, please update as soon as possible to address the above mentioned security vulnerabilities as well as the general software bugs that were resolved.

=======================
WinSCP
=======================
In mid-December; WinSCP version 5.11.3 was released upgrading it’s embedded OpenSSL version to 1.0.2n (which addresses 1x moderate and 1x low severity CVEs).

glibc Security Vulnerability Patched

In late February security researchers announced the discovery of a critical a security vulnerability in the GNU C library (glibc). This is the same library in which the Ghost vulnerability was found last year.

Why Should This Issue Be Considered Important?
This issue is a stack based buffer overflow (defined) vulnerability of critical severity that affects a large number of Linux systems e.g.:

  • RedHat Enterprise Linux 6 (glibc version 2.12)
  • RedHat Enterprise Linux 7 (glibc version 2.17)
  • Debian squeeze (glibc version 2.11)
  • Debian wheezy (glibc version 2.13)
  • Debian Jessie (glibc version 2.19)

A complete list is available from this US-CERT vulnerability note.

As with the Ghost vulnerability the getaddrinfo() function (defined) is the source of the vulnerability. This newer vulnerability could allow an attacker to gain control over vulnerable systems as they connect to a DNS server under the control of an attacker.

Google researchers in their responsible disclosure (defined) of this vulnerability state that this flaw can exploited using sudo, curl and ssh (among others). Man-in-the-middle attacks (defined) and attacker controlled domain names are also mentioned as a means of exploiting this vulnerability within Google’s security advisory.

Since this is a stack based buffer overflow this overflows can be triggered using oversized UDP (defined) or TCP (defined) responses (larger than 2048 bytes) which are then immediately followed by a response which overflows the stack.

The above overflow could (for instance) be triggered by an attacker by having the target system perform a DNS (defined) lookup for a website domain under the control of the attacker. Further technical details exploiting this flaw are available from this message located on the glibc project mailing list.

Mitigating factors for this vulnerability include ASLR (defined), Moreover an option to use until you can apply the necessary security patch is limiting the response sizes accepted by the DNS resolver locally to 1024 bytes thus preventing the stack be based buffer overflows. Further mitigations are mentioned by Google (see the heading: Issue Summary) in their security advisory and by the glibc developers in their patch announcement for this vulnerability. A further defence in-depth (defined)(PDF) mitigation is provided by SANS Institute’s Johannes B. Ullrich in this forum thread.

How Can I Protect Myself from This Issue?

If your Linux device is found to be vulnerable continue to check for updates until one becomes available that resolves this issue. You can check for updates for your Linux device by using the Package Manager bundled with your Linux distribution (see this link (Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux).

Specific information for some of the affected versions of Linux are provided below:

RedHat also highlights the need to patch/update containers (defined e.g. Docker containers) as well as verifying the fixes are installed across the containers running within large organizations.

Once the update is installed you will need to restart/reboot the Linux device to have the update take effect.

Update: 20th March 2016:
The glibc vulnerability affected VMware’s ESXi version 5.5 and 6.0 products (among the other products listed in this post). In order to address these issues, please refer to VMware’s security advisory to download the necessary updates.

Thank you.

=======================
Aside:
What is a library (when used in the context of computing)?
The general concept of a code library is defined here, only Windows systems use DLLs (defined) and so are not relevant for this discussion of Linux systems.
=======================

VMware Security Updates Address Elevation of Privilege Vulnerability

In the second half of last week VMware released security updates for the following products:

  • VMware ESXi 6.0 without patch ESXi600-201512102-SG
  • VMware ESXi 5.5 without patch ESXi550-201512102-SG
  • VMware ESXi 5.1 without patch ESXi510-201510102-SG
  • VMware ESXi 5.0 without patch ESXi500-201510102-SG
  • VMware Workstation prior to 11.1.2
  • VMware Player prior to 7.1.2
  • VMware Fusion prior to 7.1.2

These updates address elevation of privilege (the concept is defined here) security issue which has been assigned 1x CVE number, (defined). This vulnerability was responsibly disclosed (defined) by Dmitry Janushkevich from the Secunia Research Team to VMware.

Why Should This Issue Be Considered Important?
Since multiple VMware products have this vulnerability which could allow an attacker to escalate their level of privilege/access within the guest operating system (namely one or more of your virtual machines) this issue should be patched as soon as possible. The issue is due to memory corruption vulnerability within the kernel (defined) of the VMware Tools “Shared Folders” HGFS feature.

How Can I Protect Myself From This Issue?
VMware have released updates to resolve this issue within the affected products. Please refer to VMware’s security advisory to download the necessary updates.

Thank you.