
Security Response to BugTraq 330184: Local User on Linux Host Can Gain Escalated Privileges (1039)

Details

Advisories for a VMware Workstation and GSX Server vulnerability have been posted to the BugTraq mailing list (http://www.securityfocus.com/archive/1/330184) and submitted to CERT.

What is the extent of the vulnerability? What protective actions should I take? What is VMware's response?

Solution

The following products have a vulnerability that can allow a user of the host system to start an arbitrary program with root privileges:

  • VMware GSX Server 2.5.1 (for Linux systems) build 4968 and earlier releases
  • VMware Workstation 4.0 (for Linux systems) and earlier releases


By manipulating the environment variables used by VMware GSX Server or VMware Workstation, a user could cause a program, such as a shell session, to be started with root privileges when a virtual machine is launched. The user would then have full access to the host.
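The advisory does not name the variables involved. As an added example (not VMware's code and not its fix), the following C code shows the general defence for this class of flaw: a privileged launcher rebuilds its environment from an allowlist and a fixed PATH instead of inheriting the caller's. The allowlist, the PATH value and the HYPOTHETICAL_HELPER variable are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the only variables this launcher lets a child inherit. */
static const char *const ALLOWED[] = { "TERM", "LANG", "DISPLAY", NULL };
/* Assumption: fixed, root-owned search path; the caller's PATH is never used. */
static const char SAFE_PATH[] = "PATH=/usr/bin:/bin";

/* Return 1 if entry is "NAME=value" and NAME is on the allowlist. */
static int is_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry) return 0;
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; ALLOWED[i] != NULL; i++)
        if (strlen(ALLOWED[i]) == n && strncmp(entry, ALLOWED[i], n) == 0)
            return 1;
    return 0;
}

/* Fill out[] (capacity cap, counting the NULL terminator) with a clean
 * environment. Returns the number of entries, or -1 if cap is too small. */
int build_clean_env(char *const envp[], const char *out[], size_t cap)
{
    size_t k = 0;
    if (cap < 2) return -1;
    out[k++] = SAFE_PATH;
    for (size_t i = 0; envp != NULL && envp[i] != NULL; i++) {
        if (!is_allowed(envp[i])) continue;  /* drop everything not listed */
        if (k + 1 >= cap) return -1;         /* fail closed, never truncate */
        out[k++] = envp[i];
    }
    out[k] = NULL;
    return (int)k;
}

/* Constructed sample: an environment supplied by an unprivileged caller. */
static char *const SAMPLE_ENV[] = {
    "PATH=/tmp/user/bin:/usr/bin", "LD_PRELOAD=/tmp/user/lib.so",
    "TERM=xterm", "HYPOTHETICAL_HELPER=/tmp/user/sh", "LANG=C", NULL
};

int main(void)
{
    const char *clean[8];
    int n = build_clean_env(SAMPLE_ENV, clean, 8);
    for (int i = 0; i < n; i++) puts(clean[i]);
    return n == 3 ? 0 : 1;
}
```

The resulting array is what a privileged launcher would pass as the environment argument of execve(), so helper paths and loader settings chosen by the caller never reach a process running as root.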

VMware strongly urges customers running GSX Server and Workstation (for Linux systems) to upgrade as soon as possible.

Customers running any version of VMware GSX Server or Workstation (for Windows operating systems) are not subject to this vulnerability.

To correct the vulnerability in VMware Workstation 4.0, VMware has released the following:

  • Workstation 4.0.1 (for Linux systems)


To correct the vulnerability in VMware Workstation 3.2.1, VMware has released the following:

  • Workstation 3.2.1 patch 1 (for Linux systems)


To correct the vulnerability in GSX Server 2.5.1, VMware has released the following:

  • GSX Server 2.5.1 patch 1 (for Linux systems)


GSX Server 2.5.1 patch 1 (for Linux systems)

VMware GSX Server customers with support services are entitled to download and install this patched version from
http://www.vmware.com/vmwarestore/newstore/download.jsp?ProductCode=GSX-LX-ESD

VMware strongly urges customers running GSX Server (for Linux systems) to upgrade as soon as possible.

This is available now.

Upgrade instructions are at http://www.vmware.com/support/gsx25/doc/upgrade_gsx.html.

VMware Workstation 4.0.1

VMware Workstation customers, if covered under the VMware Workstation Product Upgrade Policy as described at
http://www.vmware.com/vmwarestore/pricing.html
are entitled to download and install this updated version from
http://www.vmware.com/vmwarestore/newstore/download.jsp?ProductCode=WKST4-LX-ESD

This is available now.

Upgrade instructions are at http://www.vmware.com/support/ws4/doc/ws40_upgrade.html.

VMware Workstation 3.2.1 patch 1

VMware Workstation customers, if covered under the VMware Workstation Product Upgrade Policy as described at
http://www.vmware.com/vmwarestore/pricing.html
are entitled to download and install this updated version from
http://www.vmware.com/download/download_archive_3x.html

This is available now.

Upgrade instructions are at http://www.vmware.com/support/ws3/doc/upgrade_ws.html.

Note: If you received an alert for this advisory that was signed with a PGP key, the key for verification is available at:
http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1055
