VMware Advisories and Patches
VMware released the following new and updated security advisories on October 4th:
- VMSA-2008-0016 (new advisory)
http://www.vmware.com/security/advisories/VMSA-2008-0016.html (link is not live yet)
http://lists.vmware.com/pipermail/security-announce/2008/000037.html
- VMSA-2008-0014.2 (updated advisory)
http://www.vmware.com/security/advisories/VMSA-2008-0014.html
http://lists.vmware.com/pipermail/security-announce/2008/000038.html
These advisories list security issues that have been fixed in the following releases:
- VirtualCenter 2.5 Update 3 released on 10/3/08
- patches for ESXi and ESX 3.5 released on 10/3/08
- patches for ESX 3.0.1, 3.0.2, 3.0.3 released on 9/30/08
- new versions of VMware Workstation, Player, ACE, Server released on 7/28/08
The corresponding new blog entry is linked from http://www.vmware.com/security/
Please contact security@vmware.com if you have any questions.
Marcus H. Sachs
Director, SANS Internet Storm Center
Comments
"One of the fixed security issues is a privilege escalation on certain 64-bit guest operating systems, CVE-2008-4279. It allows an attacker with a login account on a guest operating system to elevate their privileges on that system. The flaw doesn't allow for compromising the host system."
Two things: the link on CVE-2008-4279 is broken - not a SANS issue, but it makes one wonder about control processes at VMware, especially in light of the last sentence in the excerpt above.
If a user can elevate their privileges on a guest system, they can gain access to areas they are normally prevented from reaching, thereby effecting a compromise. How can the blog statement possibly be true? It is if you consider insider exploitation to not be a compromise. An inappropriate view, but again, it makes one wonder about the thought processes over at VMware.
Alan
Oct 4th 2008
1 decade ago
Marcus
Oct 4th 2008
1 decade ago