Tag Archives: VMware

Pwn2Own 2017 Contest Announced (Tenth Anniversary)

=======================
Update: 19th March 2017:
=======================
A more recent blog post discusses the results of the 2017 Pwn2Own contest.

Thank you.

=======================
Original Post:
=======================
With the month of March not too far away, I’m looking forward to the annual Pwn2Own contest taking place in Vancouver, Canada. Regular readers of this blog will know of the benefits it brings and why I look forward to it each year.

This year sees the return of Adobe Reader to the competition; a good decision given the large number of vulnerabilities still being patched in it. I also applaud the decision to bring back Mozilla Firefox, since a zero day (defined) exploit was seen in recent times. It’s also in the top 3 in terms of usage, and with a 64 bit version now available its usage (and so its competitiveness) should increase even further.

The full list of products that will be in the competition is here.

Just some of the interesting new additions are Ubuntu, Microsoft Hyper-V and Microsoft Office applications, which have never been present before. With vulnerabilities being patched routinely in all three categories (especially Microsoft Office), their inclusion should help us all when vulnerabilities are exploited and the researchers rewarded for their excellent work.

With the rise of malware for Apple Mac OS X and Linux it’s great to see them both in the contest this year. Previously only Mac OS was present.

Since the contest is celebrating its 10th anniversary it’s great to see other additions such as the Apache web server and Ubuntu Server too. I often see servers installed and then patched very little, if at all. This leads to situations where servers continue to have vulnerabilities long after patches for them have been released (more on that in this blog post). As for web servers, cross site scripting and CSRF remain consistent threats.

With extra points awarded for root access (defined) on Mac OS X or System level (defined) access on Windows, this year’s contest is bigger than ever. The more vulnerabilities the researchers find, the more they are awarded, and the more everyone benefits from those vulnerabilities being responsibly disclosed (defined) to their vendors.

I will write another post when the results of this year’s contest are available and will discuss any highlights and how they will benefit us as users of these products.

Thank you.

VMware Security Updates Address Potential Man-in-the-Middle Attack

In the latter half of last week VMware released security updates for the following products:

  • vCenter Server v6.0 (prior to 6.0 U2)
  • vCenter Server 5.5 U3a – U3c
  • vCloud Director version 5.5.5 for Windows
  • vRealize Automation Identity Appliance version 6.2.4 for Linux
  • Client Integration Plugin for Apple Mac OS X and Windows

These updates resolve a potential man-in-the-middle attack (MiTM) (defined) that is caused by an error in how the VMware Client Integration Plugin handles session content. This issue was assigned the CVE number (defined) CVE-2016-2076.

Why Should This Issue Be Considered Important?
If an attacker were to successfully exploit this issue it may lead to the disclosure of the information within the client session between the client and the server (as a result of the man-in-the-middle attack). This issue could also result in the session between the client and the server being hijacked if the user of the vSphere Web Client were to visit a malicious website.

How Can I Protect Myself From This Issue?
VMware have released updates to resolve this issue within the affected products. Please refer to VMware’s security advisory to download the necessary updates.

Please note that both the server side (i.e. vCenter Server, vCloud Director and vRealize Automation Identity Appliance) and the client side devices (i.e. the Client Integration Plugin (CIP) of the vSphere Web Client) that communicate during a session must be separately updated to protect against this issue.

A step-by-step install checklist for performing these updates on the affected products is also provided in the above mentioned advisory.

Thank you.

VMware Security Updates Address Cross-site scripting (XSS) Issues

In the middle of last week VMware made available security updates for the following products:

  • VMware vRealize Automation 6.2.4
  • VMware vRealize Business Advanced and Enterprise 8.2.5

These updates address a cross-site scripting (XSS) issue (defined) in each of these products. These issues were assigned separate CVE numbers (defined). These vulnerabilities were responsibly disclosed (defined) by Lukasz Plonka and Alvaro Trigo Martin de Vidales of Deloitte Spain (respectively) to VMware.

Why Should These Issues Be Considered Important?

If an attacker were to successfully exploit these issues it may lead to the compromise of the client workstation being used to access these products. Further details on the severity of this compromise are not provided by VMware.

How Can I Protect Myself From These Issues?
VMware have released updates to resolve these issues within the affected products. Please refer to VMware’s security advisory to download the necessary updates.

Thank you.

glibc Security Vulnerability Patched

In late February security researchers announced the discovery of a critical security vulnerability in the GNU C library (glibc). This is the same library in which the Ghost vulnerability was found last year.

Why Should This Issue Be Considered Important?
This issue is a stack based buffer overflow (defined) vulnerability of critical severity that affects a large number of Linux systems e.g.:

  • RedHat Enterprise Linux 6 (glibc version 2.12)
  • RedHat Enterprise Linux 7 (glibc version 2.17)
  • Debian squeeze (glibc version 2.11)
  • Debian wheezy (glibc version 2.13)
  • Debian Jessie (glibc version 2.19)

A complete list is available from this US-CERT vulnerability note.

As with the Ghost vulnerability the getaddrinfo() function (defined) is the source of the vulnerability. This newer vulnerability could allow an attacker to gain control over vulnerable systems as they connect to a DNS server under the control of an attacker.

Google researchers, in their responsible disclosure (defined) of this vulnerability, state that this flaw can be exploited using sudo, curl and ssh (among others). Man-in-the-middle attacks (defined) and attacker controlled domain names are also mentioned as a means of exploiting this vulnerability within Google’s security advisory.

Since this is a stack based buffer overflow, it can be triggered using oversized UDP (defined) or TCP (defined) responses (larger than 2048 bytes) which are then immediately followed by a response which overflows the stack.

The above overflow could (for instance) be triggered by an attacker by having the target system perform a DNS (defined) lookup for a website domain under the control of the attacker. Further technical details exploiting this flaw are available from this message located on the glibc project mailing list.

Mitigating factors for this vulnerability include ASLR (defined). Moreover, an option to use until you can apply the necessary security patch is limiting the response sizes accepted by the DNS resolver locally to 1024 bytes, thus preventing the stack based buffer overflow. Further mitigations are mentioned by Google (see the heading: Issue Summary) in their security advisory and by the glibc developers in their patch announcement for this vulnerability. A further defence in-depth (defined)(PDF) mitigation is provided by SANS Institute’s Johannes B. Ullrich in this forum thread.
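To illustrate the interim size-limit mitigation, the following Python snippet (an added example, not code from this post, Google or the glibc project) parses raw DNS responses and reports whether a local resolver enforcing the 1024 byte limit should accept or drop them. The response builder, its domain name and its addresses are constructed samples.

```python
import struct

OVERFLOW_TRIGGER = 2048   # responses above this size are needed to trigger the bug
LOCAL_LIMIT = 1024        # interim limit suggested for a local resolver


def parse_dns_header(msg):
    """Decode the fixed 12 byte DNS header of a raw message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify_response(msg, transport, limit=LOCAL_LIMIT):
    """Decide whether a resolver enforcing `limit` should accept `msg`."""
    hdr = parse_dns_header(msg)
    size = len(msg)
    if not hdr["response"]:
        verdict, reason = "ignore", "not a response (QR bit clear)"
    elif size > OVERFLOW_TRIGGER:
        verdict, reason = "drop", "exceeds the %d byte overflow trigger size" % OVERFLOW_TRIGGER
    elif size > limit:
        verdict, reason = "drop", "exceeds the %d byte local limit" % limit
    else:
        verdict, reason = "accept", "within limit"
    return {"id": hdr["id"], "transport": transport, "size": size,
            "answers": hdr["ancount"], "verdict": verdict, "reason": reason}


def build_a_response(ident, qname, addrs):
    """Constructed sample: a minimal A-record response with one answer per address."""
    header = struct.pack("!HHHHHH", ident, 0x8180, 1, len(addrs), 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode() for part in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    # Each answer: compression pointer to the question name, type A, class IN,
    # TTL, RDLENGTH 4 and the IPv4 address (16 bytes per record).
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(a)
                       for a in addrs)
    return header + question + answers


if __name__ == "__main__":
    many = [(10, 0, i >> 8, i & 0xFF) for i in range(130)]
    print(classify_response(build_a_response(1, "example.test", many), "tcp"))
```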

How Can I Protect Myself from This Issue?

If your Linux device is found to be vulnerable continue to check for updates until one becomes available that resolves this issue. You can check for updates for your Linux device by using the Package Manager bundled with your Linux distribution (see this link (Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux).

Specific information for some of the affected versions of Linux is provided below:

RedHat also highlights the need to patch/update containers (defined, e.g. Docker containers) as well as verifying the fixes are installed across the containers running within large organizations.

Once the update is installed you will need to restart/reboot the Linux device to have the update take effect.

Update: 20th March 2016:
The glibc vulnerability affected VMware’s ESXi version 5.5 and 6.0 products (among the other products listed in this post). In order to address these issues, please refer to VMware’s security advisory to download the necessary updates.

Thank you.

=======================
Aside:
What is a library (when used in the context of computing)?
The general concept of a code library is defined here. Only Windows systems use DLLs (defined), so they are not relevant to this discussion of Linux systems.
=======================

VMware Security Updates Address Elevation of Privilege Vulnerability

In the second half of last week VMware released security updates for the following products:

  • VMware ESXi 6.0 without patch ESXi600-201512102-SG
  • VMware ESXi 5.5 without patch ESXi550-201512102-SG
  • VMware ESXi 5.1 without patch ESXi510-201510102-SG
  • VMware ESXi 5.0 without patch ESXi500-201510102-SG
  • VMware Workstation prior to 11.1.2
  • VMware Player prior to 7.1.2
  • VMware Fusion prior to 7.1.2

These updates address an elevation of privilege (the concept is defined here) security issue which has been assigned one CVE number (defined). This vulnerability was responsibly disclosed (defined) by Dmitry Janushkevich from the Secunia Research Team to VMware.

Why Should This Issue Be Considered Important?
Since multiple VMware products have this vulnerability, which could allow an attacker to escalate their level of privilege/access within the guest operating system (namely one or more of your virtual machines), this issue should be patched as soon as possible. The issue is due to a memory corruption vulnerability within the kernel (defined) component of the VMware Tools “Shared Folders” HGFS feature.

How Can I Protect Myself From This Issue?
VMware have released updates to resolve this issue within the affected products. Please refer to VMware’s security advisory to download the necessary updates.

Thank you.

VMware Security Updates Address Information Disclosure Vulnerability

In the middle of last week VMware issued security updates for the following products:

  • VMware vCenter Server
  • VMware vCloud Director
  • VMware Horizon View

These updates address one information disclosure security vulnerability (CVE, defined). This vulnerability was responsibly disclosed (defined) by security researcher Matthias Kaiser from Code White.

Why Should This Issue Be Considered Important?
Since multiple VMware products have this vulnerability which could be used to leak the contents of sensitive files on your network, this issue should be patched as soon as possible.

This issue occurs because the XML (defined) parser (a program that analyzes data in a structured manner in order to create meaning from it) contained within Apache Flex BlazeDS 4.7.0 (and earlier), when passed a specifically crafted request parameter (a value given to a program before it carries out a task), could be used to access the contents of a file on your network.

An example of the path (a means of locating/looking up a file starting from the root (beginning) of a file system and progressing towards the desired file) to such a file is shown on the final line of the first code snippet (paragraph) with the title “Disclosing /etc/passwd or other targeted files” of this article from OWASP.

Here /etc/passwd is the password file of a Linux/Unix system that stores hashed (defined) user account credentials. Such an attack is called an XML External Entity (XXE) attack (defined). Most importantly, Code White, within a blog post discussing this issue, describe the issue as easy for an attacker to exploit.

How Can I Protect Myself From This Issue?
VMware have released updates to resolve this issue within the affected products. Please refer to VMware’s security advisory to download the necessary updates.

OWASP also lists best practices to avoid XXE attacks in general, with examples for many popular programming languages.
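As an added illustration of the OWASP-style hardening just mentioned (example code written for this post, not BlazeDS or OWASP code), the following Python parser refuses any DOCTYPE before a single entity can be declared and refuses external entity references as a second line of defence, so a crafted request parameter cannot pull in a local file. The two request bodies are constructed samples.

```python
import xml.parsers.expat


class XXEBlocked(Exception):
    """Raised when untrusted XML tries to declare a DTD or reach an external entity."""


def parse_untrusted_xml(data):
    """Parse XML from an untrusted request parameter into (tag, text) pairs.

    Rejecting every DOCTYPE means no entity, internal or external, can be
    declared at all; the external entity handler is kept as belt and braces.
    Elements are returned in document order of their closing tags.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements, stack = [], []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise XXEBlocked("DOCTYPE declarations are not accepted (%s)" % name)

    def external_entity(context, base, sysid, pubid):
        raise XXEBlocked("external entity %r refused" % (sysid,))

    def start_element(tag, attrs):
        stack.append([tag, []])

    def char_data(text):
        if stack:
            stack[-1][1].append(text)

    def end_element(tag):
        name, parts = stack.pop()
        elements.append((name, "".join(parts).strip()))

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element
    parser.Parse(data, True)   # an exception from any handler propagates here
    return elements


# Constructed samples: a benign request body and one shaped like the OWASP snippet
BENIGN = b"<request><user>alice</user><action>list</action></request>"
XXE_ATTEMPT = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
               b"<r>&ext;</r>")


def is_rejected(data):
    """True when the parser refuses the document as a possible XXE attempt."""
    try:
        parse_untrusted_xml(data)
    except XXEBlocked:
        return True
    return False
```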

Thank you.

Important Security Updates Available for Adobe, VMware and Wireshark Products

Earlier this week Adobe made available security updates for Adobe Photoshop CC (resolves 4 CVEs) and Adobe Bridge CC (3 CVEs resolved, shares the same CVE identifiers fixed in the Photoshop update). These updates are installed simply by checking for updates within the affected applications (please see the above linked Security Bulletins for more details).

VMware released security updates for VMware Fusion, VMware Horizon clients, VMware Player, and VMware Workstation last week resolving 7 CVEs. This week further updates for VMware Fusion, VMware Player and VMware Workstation were also made available. The second set of Fusion and Workstation updates each resolve 8 CVEs, the Player update does not mention CVEs but likely includes fixes too (since Player and Workstation mostly share the same code base). The Fusion and Workstation updates include updated versions of the OpenSSL library (updating to version 1.0.1m to resolve all 8 CVEs previously mentioned). Please follow the steps mentioned within the in-product update messages or download the updates using the appropriate links within the release notes linked to above. The updates for Fusion, Player and Workstation from this week also include the fixes that were issued last week.

In addition, yesterday Wireshark released updates (version 1.12.6) that include fixes for software bugs and security issues (2 CVEs resolved). For Linux distributions the updates can be obtained using the operating system’s standard package manager (if the latest version is not installed automatically you can instead compile the source code). For Mac OS X and Windows, the updates are available within the downloads section of the Wireshark website.

Update: 12th July 2015: VMware have released a further security advisory for VMware Player, Workstation and Horizon View Clients. Older versions of these applications were mainly affected while some newer versions already received the appropriate updates as previously detailed above. Please check this new advisory and apply any updates that you may not yet have installed.

If you have not encountered the term CVEs before, please see the first short aside within this blog post for an explanation.

If you use any of the above mentioned products, please install the appropriate updates when you can. If these products are installed on critical production systems or systems that contain your critical data, please back up your data before installing these updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.