Date: Fri, 25 Jun 1999 19:18:35 -0700 From: Jason R. Rhoads To: BUGTRAQ@netspace.org Subject: VMware Security Alert "On June 22nd, 1999, VMware, Inc. was notified of a security problem with VMware for Linux 1.0.1. This security hole is also present in all previous versions of VMware for Linux. The security hole has been fixed in VMware for Linux 1.0.2 released today. The security hole allows a buffer overrun attack against VMware for Linux to result in unprivileged root access to a machine An updated version of VMware for Linux which fixes this problem is available now, see below. As far as we know, this breach has never been used for malicious purposes, or caused any harm to customer installations. VMware, Inc. apologizes for the inconvenience to our users." http://www.vmware.com/news/security.html ----------------------------------------------------------------------------- VMware Security Alert Date: June 25th, 1999 On June 22nd, 1999, VMware, Inc. was notified of a security problem with VMware for Linux 1.0.1. This security hole is also present in all previous versions of VMware for Linux. The security hole has been fixed in VMware for Linux 1.0.2 released today. The security hole allows a buffer overrun attack against VMware for Linux to result in unprivileged root access to a machine. An updated version of VMware for Linux which fixes this problem is available now, see below. As far as we know, this breach has never been used for malicious purposes, or caused any harm to customer installations. VMware, Inc. apologizes for the inconvenience to our users. Vulnerable Systems The security hole allows an attack to occur during VMware startup, but before a virtual machine is powered on. Guest operating systems themselves are unlikely to be affected by these buffer overflow attacks. Systems most vulnerable to this attack are multi-user Linux systems that have VMware installed. A malicious user with access to an account on the system could exploit the hole. Stand alone single-user machines are not at high risk from this security hole. This hole does not allow direct network based 'worm' style attacks against VMware. This security hole was discovered by Asylum Security, a division of CyberSpace 2000, a professional computer security response team. VMware has taken immediate action in response to this event. VMware for Linux 1.0.2 was made available for download on June 25th, 1999 on our web site and mirror sites. The shipment of CD-ROMs has been suspended and the inventory discarded. Customers who have purchased VMware for have been notified by electronic mail, VMware has also posted security alerts to newsgroups at news.vmware.com. Affected VMware Releases This security hole is present in VMware for Linux 1.0.1 and all previous versions, including the beta versions (build-106, build-135, build-152) and the experimental version (build-179). VMware recommends that users replace beta and experimental versions with VMware for Linux 1.0.2. An updated VMware for Linux experimental release with fixes for this security hole will be made available in the near future. How to Close this Security Hole The security hole can be closed by simply upgrading to VMware for Linux version 1.0.2: 1.Download VMware for Linux 1.0.2 from one of our mirror sites 2.Untar the distribution. tar zxvf vmware-1.0.2.tar.gz 3.Change directory to vmware-install cd vmware-install 4.As root, install VMware for Linux su ./install.pl You will first be asked whether you want to upgrade VMware for Linux. Simply answer yes at this point and then follow any installer instructions. NOTE: It is not possible to resolve this security problem by removing suid (Set User ID) root privileges from the VMware executable. VMware must be suid root to run correctly. Reporting Security Issues VMware is committed to addressing security issues and providing customers with information on how they can protect themselves. If you identify what you believe may be a security issue with a VMware product, please send an email to security@vmware.com. We will work to appropriately address and communicate the issue. Notification of Security Alerts When VMware becomes aware of a security issue that significantly affects our products, we will take action to notify affected customers. Typically this notification will be in the form of a security bulletin explaining the issue, and where possible a response to the problem. These bulletins will both be emailed to affected customers and posted on our web site and newsgroups at news.vmware.com. ----------------------------------------------------------------------------- Date: Sat, 26 Jun 1999 17:33:22 -0400 From: Don To: BUGTRAQ@netspace.org Subject: VMWare Advisory - buffer overflows This advisory was made on 06/21/99 and was to be released on 06/28/99 (or after a fix was released). We would like to recognize the VMware staff and their responsiveness to the bug reports. Last night, customers who purchased their product received notices to upgrade to VMware v1.0.2. For more information on the VMware bugs, visit: http://www.vmware.com/news/security.html http://www.cyberspace2000.com/security/advisories -Don Sausa ----------[asylum security]------------ id: #99021, team director e-mail: don@cyberspace2000.com web: http://cyberspace2000.com/security --------------------------------------- Team Asylum Security Copyright (c) 1999 By CyberSpace 2000 http://www.cyberspace2000.com/security Source: Seth L. [seth@cyberspace2000.com] Advisory Date: 06/21/99 Release Date: 06/28/99 [ Final Revision: 06/25/99 ] Affected -------- VMware v1.0.1 and earlier for Linux. Product Description ------------------- VMware v1.0.1 is a software product by VMware, Inc. that creates a virtual machine in which you can install multiple operating systems without repartitioning or formatting your hard drive. Vulnerability Summary --------------------- Team Asylum has found multiple buffer overflows existing in VMware v1.0.1 for Linux. Earlier versions also have the same buffer overflows. VMware Inc. has been notified of these overflows and they have released VMware v1.0.2 as a fix. Any local user can exploit these overflows to gain root access. Fix --- All users are encouraged to upgrade to VMware v1.0.2. You may download it directly off http://www.vmware.com. Special Thanks -------------- Special thanks to VMware staff for responding quickly to our bug reports. Within 3 days, they have managed to fix the overflows, as well as stop the physical distribution of their v1.0.1 product. All customers who have purchased VMware have been notified as of 06/25/99 12:00 midnight (PST) about the new VMware v1.0.2 version.