Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: VMware Advisories and Patches - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
VMware Advisories and Patches

VMware released the following new and updated security advisories on October 4th:

 - VMSA-2008-0016 (new advisory)
  http://www.vmware.com/security/advisories/VMSA-2008-0016.html
  http://lists.vmware.com/pipermail/security-announce/2008/000037.html

 - VMSA-2008-0014.2 (updated advisory)
  http://www.vmware.com/security/advisories/VMSA-2008-0014.html 
  http://lists.vmware.com/pipermail/security-announce/2008/000038.html

These advisories list security issues that have been fixed in the following releases:

- VirtualCenter 2.5 Update 3 released on 10/3/08
- patches for ESXi and ESX 3.5 released on 10/3/08
- patches for ESX 3.0.1, 3.0.2, 3.0.3 released on 9/30/08
- new versions of VMware Workstation, Player, ACE, Server released on 7/28/08

The corresponding new blog entry is linked from http://www.vmware.com/security/

Please contact security@vmware.com if you have any questions.

Marcus H. Sachs
Director, SANS Internet Storm Center

Marcus

301 Posts
ISC Handler
from http://blogs.vmware.com/security/2008/10/new-and-updated.html

"One of the fixed security issues is a privilege escalation on certain 64-bit guest operating systems, CVE-2008-4279. It allows an attacker with a login account on a guest operating system to elevate their privileges on that system. The flaw doesn't allow for compromising the host system."

Two things, the link on CVE-2008-4279 is broken - not a SANS issue but it makes one wonder about control processes at VMWare especially in light of the last sentence in the excerpt above.

If a user can elevate their privileges on a guest system, they can gain access to areas they are normally prevented from reaching, thereby effecting a compromise. How can the blog statement possibly be true? It is if you consider insider exploitation to not be a compromise. An inappropriate view, but again, it makes one wonder about the thought processes over at VMWare.
Alan

57 Posts
Sorry about the broken links. I just fixed them. Also, two of the VMware links are not live yet. I just made a note of that.
Marcus

301 Posts
ISC Handler
Sorry about the broken links. I just fixed them. Also, two of the VMware links are not live yet. I just made a note of that.
Marcus

301 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!