Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages

2008.01.13
Credit: Alexander Sotirov
Risk: High
Local: No
Remote: Yes
CVE: CVE-2007-5360
CWE: CWE-119


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2008-0001 Synopsis: Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages Issue date: 2008-01-07 Updated on: 2008-01-07 CVE numbers: CVE-2007-5360 CVE-2007-5398 CVE-2007-4572 CVE-2007-5191 CVE-2007-5116 CVE-2007-3108 CVE-2007-5135 - ------------------------------------------------------------------- 1. Summary: Updated service console patches 2. Relevant releases: ESX Server 3.0.2 without patches ESX-1002969, ESX-1002970, ESX-1002971, ESX-1002975, ESX-1002976 ESX Server 3.0.1 without patches ESX-1002962, ESX-1002963, ESX-1002964, ESX-1002968, ESX-1002972, ESX-1003176 3. Problem description: I OpenPegasus PAM Authentication Buffer Overflow Alexander Sotirov from VMware Security Research discovered a buffer overflow vulnerability in the OpenPegasus Management server. This flaw could be exploited by a malicious remote user on the service console network to gain root access to the service console. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5360 to this issue. RPM Updated: pegasus-2.5-552927 VM Shutdown: No Host Reboot: No Note: ESX Server 3.5 and ESX Server 3i are not affected by this issue. ESX Server 3.0.2 http://download3.vmware.com/software/vi/ESX-1002970.tgz md5sum: d19115e965d486e72100ce489efea707 http://kb.vmware.com/kb/1002970 ESX Server 3.0.1 http://download3.vmware.com/software/vi/ESX-1003176.tgz md5sum: 5674ca0dcfac90726014cc316444996e http://kb.vmware.com/kb/1003176 ESX Server 2.5.x Users should remove the OpenPegasus CIM Management rpm. This component is disabled by default, and VMware recommends that you do not use this component of ESX Server 2.x. If you want to use the CIM functionality, upgrade to ESX Server 3.0.1 or a later release. Note: This vulnerability can be exploited remotely only if the attacker has access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. II Service Console package security updates a. Updated Samba package An issue where attackers on the service console management network can cause a stack-based buffer overflow in the reply_netbios_packet function of nmbd in Samba. On systems where Samba is being used as a WINS server, exploiting this vulnerability can allow remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request. An issue where attackers on the service console management network can exploit a vulnerability that occurs when Samba is configured as a Primary or Backup Domain controller. The vulnerability allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-5398 and CVE-2007-4572 to these issues. Note: By default Samba is not configured as a WINS server or a domain controller and ESX is not vulnerable unless the administrator has changed the default configuration. This vulnerability can be exploited remotely only if the attacker has access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. RPM Updated: samba-3.0.9-1.3E.14.1vmw samba-client-3.0.9-1.3E.14.1vmw samba-common-3.0.9-1.3E.14.1vmw VM Shutdown: Yes Host Reboot: Yes ESX Server 3.5.0 is not affected by this issue ESX Server 3.0.2 http://download3.vmware.com/software/vi/ESX-1002975.tgz md5sum: 797a7494c2c4eb49629d3f94818df5dd http://kb.vmware.com/kb/1002975 ESX Server 3.0.1 http://download3.vmware.com/software/vi/ESX-1002968.tgz md5sum: 5106d90afaf77c3a0d8433487f937d06 http://kb.vmware.com/kb/1002968 ESX Server 2.5.5 download Upgrade Patch 3 ESX Server 2.5.4 download Upgrade Patch 14 b. Updated util-linux package The patch addresses an issue where the mount and umount utilities in util-linux call the setuid and setgid functions in the wrong order and do not check the return values, which could allow attackers to gain elevated privileges via helper application such as mount.nfs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5191 to this issue. RPM Updated: util-linux-2.11y-31.24vmw losetup-2.11y-31.24vmw mount -2.11y-31.24vmw VM Shutdown: Yes Host Reboot: Yes ESX Server 3.0.2 http://download3.vmware.com/software/vi/ESX-1002976.tgz md5sum: 0fe833c50c0ecb0ff9340d6674be2e43 http://kb.vmware.com/kb/1002976 ESX Server 3.0.1 http://download3.vmware.com/software/vi/ESX-1002972.tgz md5sum: 59ca4a43f330c5f0b7a55693aa952cdc http://kb.vmware.com/kb/1002972 c. Updated Perl package The update addresses an issue where the regular expression engine in Perl can be used to issue a specially crafted regular expression that allows the attacker to run arbitrary code with the permissions level of the current Perl user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5116 to this issue. RPM Updated: perl-5.8.0-97.EL3 VM Shutdown: Yes Host Reboot: Yes ESX Server 3.0.2 http://download3.vmware.com/software/vi/ESX-1002971.tgz md5sum: 337b09d9ae4b1694a045e216b69765e1 http://kb.vmware.com/kb/1002971 ESX Server 3.0.1 http://download3.vmware.com/software/vi/ESX-1002964.tgz md5sum: d47e26104bfd5e4018ae645638c94487 http://kb.vmware.com/kb/1002964 d. Updated OpenSSL package A flaw in the SSL_get_shared_ciphers() function can allow an attacker to cause a buffer overflow problem by sending ciphers to applications that use the function. A possible vulnerability that would allow a local attacker to obtain private RSA keys being used on a system using the OpenSSL package. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-3108, and CVE-2007-5135 to these issues. RPM Updated: openssl-0.9.7a-33.24 VM Shutdown: Yes Host Reboot: Yes ESX Server 3.0.2 http://download3.vmware.com/software/vi/ESX-1002969.tgz md5sum: 72fd28a9f9380158db149259fbdcaa3b http://kb.vmware.com/kb/1002969 ESX Server 3.0.1 http://download3.vmware.com/software/vi/ESX-1002962.tgz md5sum: a0727bdc2e1a6f00d5fe77430a6ee9d6 http://kb.vmware.com/kb/1002962 ESX Server 2.5.5 download Upgrade Patch 3 ESX Server 2.5.4 download Upgrade Patch 14 4. Solution: Please review the Patch notes for your product and version and verify the md5sum of your downloaded file. ESX Server 3.x Patches: http://www.vmware.com/download/vi/vi3_patches.html ESX Server 2.x Patches: http://www.vmware.com/download/esx/esx2_patches.html ESX Server 2.5.5 Upgrade Patch 3 http://download3.vmware.com/software/esx/esx-2.5.5-65742-upgrade.tar.gz md5sum: 9068250fdd604e8787ef40995a4638f9 http://www.vmware.com/support/esx25/doc/esx-255-200712-patch.html ESX Server 2.5.4 Upgrade Patch 14 http://download3.vmware.com/software/esx/esx-2.5.4-65752-upgrade.tar.gz md5sum: 24990b9207f882ccc91545b6fc90273d http://www.vmware.com/support/esx25/doc/esx-254-200712-patch.html 5. References: CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5360 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5398 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4572 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5191 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5116 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135 - ------------------------------------------------------------------- 6. Contact: E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce (at) lists.vmware (dot) com [email concealed] * bugtraq (at) securityfocus (dot) com [email concealed] * full-disclosure (at) lists.grok.org (dot) uk [email concealed] E-mail: security (at) vmware (dot) com [email concealed] Security web site http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2008 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHgtXJS2KysvBH1xkRCPnYAJoDMpdOmgs4e+JQ610SCjnKF99wpgCfcVO3 UCcAvs574f1LCZv+8lPQvrk= =Hzno -----END PGP SIGNATURE-----


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top