OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues

From: VMware Security team (securityvmware.com)
Date: Fri Apr 09 2010 - 04:28:34 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2010-0007
Synopsis: VMware hosted products, vCenter Server and ESX
                   patches resolve multiple security issues
Issue date: 2010-04-09
Updated on: 2010-04-09 (initial release of advisory)
CVE numbers: CVE-2010-1142 CVE-2010-1140 CVE-2009-2042
                   CVE-2009-1564 CVE-2009-1565 CVE-2009-3732
                   CVE-2009-3707 CVE-2010-1138 CVE-2010-1139
                   CVE-2010-1141
- -------------------------------------------------------------------------

1. Summary

   VMware hosted products, vCenter Server and ESX patches resolve
   multiple security issues.

2. Relevant releases

   VMware Workstation 7.0,
   VMware Workstation 6.5.3 and earlier,
   VMware Player 3.0,
   VMware Player 2.5.3 and earlier,
   VMware ACE 2.6,
   VMware ACE 2.5.3 and earlier,
   VMware Server 2.0.2 and earlier,
   VMware Fusion 3.0,
   VMware Fusion 2.0.6 and earlier,
   VMware VIX API for Windows 1.6.x,

   VMware ESXi 4.0 before patch ESXi400-201002402-BG

   VMware ESXi 3.5 before patch ESXe350-200912401-T-BG

   VMware ESX 4.0 without patches ESX400-201002401-BG,
                                  ESX400-200911223-UG

   VMware ESX 3.5 without patch ESX350-200912401-BG

   VMware ESX 3.0.3 without patch ESX303-201002203-UG

   VMware ESX 2.5.5 without Upgrade Patch 15.

   Notes:
   Effective May 2010, VMware's patch and update release program during
   Extended Support will be continued with the condition that all
   subsequent patch and update releases will be based on the latest
   baseline release version as of May 2010 (i.e. ESX 3.0.3 Update 1,
   ESX 3.5 Update 5, and VirtualCenter 2.5 Update 6). Refer to section
   "End of Product Availability FAQs" at
   http://www.vmware.com/support/policies/lifecycle/vi/faq.html for
   details.

   Extended support for ESX 2.5.5 ends on 2010-06-15. Users should plan
   to upgrade to at least ESX 3.0.3 and preferably to the newest
   release available.

   Extended support for ESX 3.0.3 ends on 2011-12-10. Users should plan
   to upgrade to at least ESX 3.5 and preferably to the newest release
   available.

   End of General Support for VMware Workstation 6.x is 2011-04-27,
   users should plan to upgrade to the newest release available.

   End of General Support for VMware Server 2.0 is 2011-06-30, users
   should plan to upgrade to the newest release of either ESXi or
   VMware Player.

   Extended support for Virtual Center 2.0.2 is 2011-12-10, users
   should plan to upgrade to the newest release of vCenter Server.

3. Problem Description

 a. Windows-based VMware Tools Unsafe Library Loading vulnerability

    A vulnerability in the way VMware libraries are referenced allows
    for arbitrary code execution in the context of the logged on user.
    This vulnerability is present only on Windows Guest Operating
    Systems.

    In order for an attacker to exploit the vulnerability, the attacker
    would need to lure the user that is logged on a Windows Guest
    Operating System to click on the attacker's file on a network
    share. This file could be in any file format. The attacker will
    need to have the ability to host their malicious files on a
    network share.

    VMware would like to thank Jure Skofic and Mitja Kolsek of ACROS
    Security (http://www.acrossecurity.com) for reporting this issue
    to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-1141 to this issue.

    Steps needed to remediate this vulnerability:

    Guest systems on VMware Workstation, Player, ACE, Server, Fusion
     - Install the remediated version of Workstation, Player, ACE,
       Server and Fusion.
     - Upgrade tools in the virtual machine (virtual machine users
       will be prompted to upgrade).

    Guest systems on ESX 4.0, 3.5, 3.0.3, 2.5.5, ESXi 4.0, 3.5
     - Install the relevant patches (see below for patch identifiers)
     - Manually upgrade tools in the virtual machine (virtual machine
       users will not be prompted to upgrade). Note the VI Client will
       not show the VMware tools is out of date in the summary tab.
       Please see http://tinyurl.com/27mpjo page 80 for details.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available. See above for remediation
    details.

    VMware Product Running Replace with/
    Product Version on Apply Patch
    ============= ======== ======= =================
    VirtualCenter any Windows not affected

    Workstation 7.x any not affected
    Workstation 6.5.x any 6.5.4 build 246459 or later

    Player 3.x any not affected
    Player 2.5.x any 2.5.4 build 246459 or later

    ACE 2.6.x Windows not affected
    ACE 2.5.x Windows 2.5.4 build 246459 or later

    Server 2.x any 2.0.2 build 203138 or later

    Fusion 3.x Mac OS/X not affected
    Fusion 2.x Mac OS/X 2.0.6 build 246742 or later

    ESXi 4.0 ESXi ESXi400-201002402-BG
    ESXi 3.5 ESXi ESXe350-200912401-T-BG or later

    ESX 4.0 ESX ESX400-201002401-BG
    ESX 3.5 ESX ESX350-200912401-BG
    ESX 3.0.3 ESX ESX303-201002203-UG
    ESX 2.5.5 ESX Upgrade Patch 15

 b. Windows-based VMware Tools Arbitrary Code Execution vulnerability

    A vulnerability in the way VMware executables are loaded allows for
    arbitrary code execution in the context of the logged on user. This
    vulnerability is present only on Windows Guest Operating Systems.

    In order for an attacker to exploit the vulnerability, the attacker
    would need to be able to plant their malicious executable in a
    certain location on the Virtual Machine of the user. On most
    recent versions of Windows (XP, Vista) the attacker would need to
    have administrator privileges to plant the malicious executable in
    the right location.

    Steps needed to remediate this vulnerability: See section 3.a.

    VMware would like to thank Mitja Kolsek of ACROS Security
    (http://www.acrossecurity.com) for reporting this issue to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-1142 to this issue.

    Refer to the previous table in section 3.a for what action
    remediates the vulnerability (column 4) if a solution is
    available. See above for remediation details.

 c. Windows-based VMware Workstation and Player host privilege
    escalation

    A vulnerability in the USB service allows for a privilege
    escalation. A local attacker on the host of a Windows-based
    Operating System where VMware Workstation or VMware Player
    is installed could plant a malicious executable on the host and
    elevate their privileges.

    In order for an attacker to exploit the vulnerability, the attacker
    would need to be able to plant their malicious executable in a
    certain location on the host machine. On most recent versions of
    Windows (XP, Vista) the attacker would need to have administrator
    privileges to plant the malicious executable in the right location.

    VMware would like to thank Thierry Zoller for reporting this issue
    to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-1140 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware Product Running Replace with/
    Product Version on Apply Patch
    ============= ======== ======= =================
    VirtualCenter any Windows not affected

    Workstation 7.0 Windows 7.0.1 build 227600 or later
    Workstation 7.0 Linux not affected
    Workstation 6.5.x any not affected

    Player 3.0 Windows 3.0.1 build 227600 or later
    Player 3.0 Linux not affected
    Player 2.5.x any not affected

    Ace any any not affected

    Server 2.x any not affected

    Fusion any Mac OS/X not affected

    ESXi any ESXi not affected

    ESX any ESX not affected

 d. Third party library update for libpng to version 1.2.37

    The libpng libraries through 1.2.35 contain an uninitialized-
    memory-read bug that may have security implications.
    Specifically, 1-bit (2-color) interlaced images whose widths are
    not divisible by 8 may result in several uninitialized bits at the
    end of certain rows in certain interlace passes being returned to
    the user. An application that failed to mask these out-of-bounds
    pixels might display or process them, albeit presumably with benign
    results in most cases.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2009-2042 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware Product Running Replace with/
    Product Version on Apply Patch
    ============= ======== ======= =================
    VirtualCenter any Windows not applicable

    Workstation 7.0 any 7.0.1 build 227600 or later
    Workstation 6.5.x any 6.5.4 build 246459 or later

    Player 3.0 any 3.0.1 build 227600 or later
    Player 2.5.x any 2.5.4 build 246459 or later

    Ace 2.6 Windows 2.6.1 build 227600 or later
    Ace 2.5.x Windows 2.5.4 build 246459 or later

    Server 2.x any not being fixed at this time

    Fusion any any Mac OS/X not affected

    ESXi any ESXi not applicable

    ESX any ESX not applicable

 e. VMware VMnc Codec heap overflow vulnerabilities

    The VMware movie decoder contains the VMnc media codec that is
    required to play back movies recorded with VMware Workstation,
    VMware Player and VMware ACE, in any compatible media player. The
    movie decoder is installed as part of VMware Workstation, VMware
    Player and VMware ACE, or can be downloaded as a stand alone
    package.

    Vulnerabilities in the decoder allow for execution of arbitrary
    code with the privileges of the user running an application
    utilizing the vulnerable codec.

    For an attack to be successful the user must be tricked into
    visiting a malicious web page or opening a malicious video file on
    a system that has the vulnerable version of the VMnc codec installed.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2009-1564 and CVE-2009-1565 to these
    issues.

    VMware would like to thank iDefense, Sebastien Renaud of VUPEN
    Vulnerability Research Team (http://www.vupen.com) and Alin Rad Pop
    of Secunia Research for reporting these issues to us.

    To remediate the above issues either install the stand alone movie
    decoder or update your product using the table below.

    VMware Product Running Replace with/
    Product Version on Apply Patch
    ============= ======== ======= =================
    VirtualCenter any Windows not affected

    Movie Decoder any Windows 6.5.4 Build 246459 or later

    Workstation 7.x any not affected
    Workstation 6.5.x Windows 6.5.4 build 246459 or later
    Workstation 6.5.x Linux not affected

    Player 3.x any not affected
    Player 2.5.x Windows 2.5.4 build 246459 or later
    Player 2.5.x Linux not affected

    ACE any any not affected

    Server 2.x Window not being addressed at this time
    Server 2.x Linux not affected

    Fusion any Mac OS/X not affected

    ESXi any ESXi not affected

    ESX any ESX not affected

f. VMware Remote Console format string vulnerability

    VMware Remote Console (VMrc) contains a format string vulnerability.
    Exploitation of this issue may lead to arbitrary code execution on
    the system where VMrc is installed.

    For an attack to be successful, an attacker would need to trick the
    VMrc user into opening a malicious Web page or following a malicious
    URL. Code execution would be at the privilege level of the user.

    VMrc is present on a system if the VMrc browser plug-in has been
    installed. This plug-in is required when using the console feature in
    WebAccess. Installation of the plug-in follows after visiting the
    console tab in WebAccess and choosing "Install plug-in". The plug-
    in can only be installed on Internet Explorer and Firefox.

    Under the following two conditions your version of VMrc is likely
    to be affected:

    - the VMrc plug-in was obtained from vCenter 4.0 or from ESX 4.0
      without patch ESX400-200911223-UG and
    - VMrc is installed on a Windows-based system

    The following steps allow you to determine if you have an affected
    version of VMrc installed:

    - Locate the VMrc executable vmware-vmrc.exe on your Windows-based
      system
    - Right click and go to Properties
    - Go to the tab "Versions"
    - Click "File Version" in the "Item Name" window
    - If the "Value" window shows "e.x.p build-158248", the version of
      VMrc is affected

    Remediation of this issue on Windows-based systems requires the
    following steps (Linux-based systems are not affected):

    - Uninstall affected versions of VMrc from the systems where the
      VMrc plug-in has been installed (use the Windows Add/Remove
      Programs interface)
    - Install vCenter 4.0 Update 1 or install the ESX 4.0 patch
      ESX400-200911223-UG
    - Login into vCenter 4.0 Update 1 or ESX 4.0 with patch
      ESX400-200911223-UG using WebAccess on the system where the VMrc
      needs to be re-installed
    - Re-install VMrc by going to the console tab in WebAccess. The
      Console tab is selectable after selecting a virtual machine.

    Note: the VMrc plug-in for Firefox on Windows-based operating
    systems is no longer compatible after the above remediation steps.
    Users are advised to use the Internet Explorer VMrc plug-in.

    VMware would like to thank Alexey Sintsov from Digital Security
    Research Group for reporting this issue to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2009-3732 to this issue.

 g. Windows-based VMware authd remote denial of service

    A vulnerability in vmware-authd could cause a denial of service
    condition on Windows-based hosts. The denial of service is limited
    to a crash of authd.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2009-3707 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware Product Running Replace with/
    Product Version on Apply Patch
    ============= ======== ======= =================
    VirtualCenter any Windows not affected

    Workstation 7.0 Windows 7.0.1 build 227600 or later
    Workstation 7.0 Linux not affected
    Workstation 6.5.x Windows 6.5.4 build 246459 or later
    Workstation 6.5.x Linux not affected

    Player 3.0 Windows 3.0.1 build 227600 or later
    Player 3.x Linux not affected
    Player 2.5.x Windows 2.5.4 build 246459 or later
    Player 2.5.x Linux not affected

    Ace 2.6 Windows 2.6.1 build 227600 or later
    Ace 2.5.x Windows 2.5.4 build 246459 or later

    Server 2.x Windows not being addressed at this time
    Server 2.x Linux not affected

    Fusion any Mac OS/X not affected

    ESXi any any not affected

    ESX any any not affected

 h. Potential information leak via hosted networking stack

    A vulnerability in the virtual networking stack of VMware hosted
    products could allow host information disclosure.

    A guest operating system could send memory from the host vmware-vmx
    process to the virtual network adapter and potentially to the
    host's physical Ethernet wire.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2010-1138 to this issue.

    VMware would like to thank Johann MacDonagh for reporting this
    issue to us.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware Product Running Replace with/
    Product Version on Apply Patch
    ============= ======== ======= =================
    VirtualCenter any Windows not affected

    Workstation 7.0 any 7.0.1 build 227600 or later
    Workstation 6.5.x Windows 6.5.4 build 246459 or later
    Workstation 6.5.x Linux not affected

    Player 3.0 any 3.0.1 build 227600 or later
    Player 2.5.x Windows 2.5.4 build 246459 or later
    Player 2.5.x Linux not affected

    Ace 2.6 Windows 2.6.1 build 227600 or later
    Ace 2.5.x Windows 2.5.4 build 246459 or later

    Server 2.x any not being fixed at this time

    Fusion 3.0 Mac OS/X 3.0.1 build 232708 or later
    Fusion 2.x Mac OS/X 2.0.7 build 246742 or later

    ESXi any any not affected

    ESX any any not affected

 i. Linux-based vmrun format string vulnerability

    A format string vulnerability in vmrun could allow arbitrary code
    execution.

    If a vmrun command is issued and processes are listed, code could
    be executed in the context of the user listing the processes.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2010-1139 to this issue.

    VMware would like to thank Thomas Toth-Steiner for reporting this
    issue to us.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware Product Running Replace with/
    Product Version on Apply Patch
    ============= ======== ======= =================
    VirtualCenter any Windows not affected

    VIX API any Windows not affected
    VIX API 1.6.x Linux upgrade to VIX API 1.7 or later
    VIX API 1.6.x Linux64 upgrade to VIX API 1.7 or later

    Workstation 7.x any not affected
    Workstation 6.5.x Windows not affected
    Workstation 6.5.x Linux 6.5.4 build 246459 or later

    Player 3.x any not affected
    Player 2.5.x Windows not affected
    Player 2.5.x Linux 2.5.4 build 246459 or later

    Ace any Windows not affected

    Server 2.x Windows not affected
    Server 2.x Linux not being fixed at this time

    Fusion 3.x Mac OS/X not affected
    Fusion 2.x Mac OS/X 2.0.7 build 246742 or later

    ESXi any any not affected

    ESX any any not affected

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum and/or the sha1sum of your downloaded file.

   VMware Workstation Movie Decoder stand alone 6.5.4
   --------------------------------------------------

http://download3.vmware.com/software/wkst/VMware-moviedecoder-6.5.4-246459.exe
   md5sum: ea2ac5907ae4c5c323147fe155443ab8
   sha1sum: 5ca8d1fd45f6a7a6f38019b259c3e836ee4e8f29

   VMware Workstation 7.0.1
   ------------------------
   For Windows

http://downloads.vmware.com/download/download.do?downloadGroup=WKST-701-WIN
   Release notes:
   http://downloads.vmware.com/support/ws7/doc/releasenotes_ws701.html

   Workstation for Windows 32-bit and 64-bit with VMware Tools
   md5sum: fc8502a748de3b8f94c5c9571c1f17d2
   sha1sum: 3de01b355b17363a92d80200ff5e7267b3bde206

   Workstation for Windows 32-bit and 64-bit without VMware Tools
   md5sum: 6a18ea3847cb727b03f7890f5643db79
   sha1sum: 260b019db4619b0d1d775e5c38cc46b6db250984

   For Linux
   http://downloads.vmware.com/download/download.do?downloadGroup=WKST-701-LX
   Release notes:
   http://downloads.vmware.com/support/ws7/doc/releasenotes_ws701.html

   Workstation for Linux 32-bit with VMware Tools
   md5sum: a896f7aaedde8799f21b52b89f5fc9ef
   sha1sum: f6d0789afa7927ca154973a071603a0bd098e697

   Workstation for Linux 32-bit without VMware Tools
   md5sum: 59ecd27bdf3f59be3b4df8f04d1b3874
   sha1sum: 22e1a475069fca5e8d2446bf14661fa6d894d34f

   Workstation for Linux 64-bit with VMware Tools
   md5sum: 808682eaa6b202fa29172821f7378768
   sha1sum: a901c45a2a02678b0d1722e8f27152c3af12a7ac

   Workstation for Linux 64-bit without VMware Tools
   md5sum: 5116e27e7b13a76693402577bd9fda58
   sha1sum: dbcd045a889b95ac14828b8106631b678354e30a

   VMware Workstation 6.5.4
   ------------------------
   For Windows

http://downloads.vmware.com/download/download.do?downloadGroup=WKST-654-WIN
   Release Notes:
   http://downloads.vmware.com/support/ws65/doc/releasenotes_ws654.html

   Workstation for Windows 32-bit and 64-bit
   Windows 32-bit and 64-bit .exe
   md5sum: 2dc393fcc4e78dcf2165098a4938699a
   sha1sum: acfff457860c8c53c637c01f74f8aaa72d1c9569

   For Linux
   http://downloads.vmware.com/download/download.do?downloadGroup=WKST-654-LX
   Release Notes:
   http://downloads.vmware.com/support/ws65/doc/releasenotes_ws654.html

   Workstation for Linux 32-bit
   Linux 32-bit .rpm
   md5sum: 9efb43a604d50e541eb3be7081b8b198
   sha1sum: 4240d664f85a11f47288d2279224b26bef92aa8b

   Workstation for Linux 32-bit
   Linux 32-bit .bundle
   md5sum: 38760682ad3b2f6bfb4e40f424c95c2a
   sha1sum: ec78099322b5fb2a737cd74a1978a5c07382dc8a

   Workstation for Linux 64-bit
   Linux 64-bit .rpm
   md5sum: 24311492bc515e9bc98eff9b2e7d33a2
   sha1sum: b4947ef09f740440e8a24fc2ba05c0a7c11b82f5

   Workstation for Linux 64-bit
   Linux 64-bit .bundle
   md5sum: ed24296705ad48442549d9cb2b3c0d8d
   sha1sum: 3c0f1efae0a64fa3a41be21b0bfc962f12e0e6d8

   VMware Player 3.0.1
   -------------------
   http://downloads.vmware.com/tryvmware/?p=player&lp=default
   Release notes:
http://downloads.vmware.com/support/player30/doc/releasenotes_player301.html

   Player for Windows 32-bit and 64-bit
   md5sum: 78c92c0242c9540f68a629d4ac49c516
   sha1sum: 7fc255fcd1a6784458012314db1206ed922e92cf

   Player for Linux 32-bit (.bundle)
   md5sum: e7cd19d39c7bbd1aee582743d76a7863
   sha1sum: cff76010f0429576288ea1e5a594cd47a2c64f4a

   Player for Linux 64-bit (.bundle)
   md5sum: 88b08537c6eea705883dc1755b97738c
   sha1sum: 84f25370d24c03a18968a4f4c8e06cef3d21c2df

   VMware VIX API for Windows 32-bit and 64-bit
   md5sum: 2c46fc7e2516f331eb4dd23154d00a54
   sha1sum: 85ceb1b718806c6870e3a918bcc772d1486ccdc9

   VMware VIX API for 32-bit Linux
   md5sum: 8b0994a26363246b5e954f97bd5a088d
   sha1sum: af93da138a158ee6e05780a5c4042414735987b6

   VMware VIX API for 64-bit Linux
   md5sum: ef7b9890c52b1e333f2357760a7fff85
   sha1sum: dfef8531356de78171e13c4c108ebaeb43eaa62d

   VMware Player 2.5.4
   -------------------
   http://downloads.vmware.com/download/player/player_reg.html
   Release notes:
http://downloads.vmware.com/support/player25/doc/releasenotes_player254.html

   Player for Windows 32-bit and 64-bit (.exe)
   md5sum: 531140a1eeed7d8b71f726b3d32a9174
   sha1sum: 2500fa8af48452bd0e97040b80c569c3cb4f73e5

   Player for Linux (.rpm)
   md5sum: 1905f61af490f9760bef54450747e708
   sha1sum: cf7444c0a6331439c5479a4158112a60eb0e6e8d

   Player for Linux (.bundle)
   md5sum: 74f539005687a4efce7971f7ef019af5
   sha1sum: 4c4412c5807ecd00e66886e0e7c43ed61b62aab7

   Player for Linux - 64-bit (.rpm)
   md5sum: 013078d7f6adcdbcbaafbf5e0ae11a39
   sha1sum: 7c434173a3fe446ebefce4803bfaa7ab67d1ff72

   Player for Linux - 64-bit (.bundle)
   md5sum: 175ce2f9656ff10a1327c0d48f80c65f
   sha1sum: bf7acfdcb44bf345d58f79ad1bcb04816f262d22

   VMware ACE 2.6.1
   ----------------
http://downloads.vmware.com/download/download.do?downloadGroup=ACE-261-WIN
   Release notes:
   http://downloads.vmware.com/support/ace26/doc/releasenotes_ace261.html

   VMware Workstation for 32-bit and 64-bit Windows with tools
   md5sum: fc8502a748de3b8f94c5c9571c1f17d2
   sha1sum: 3de01b355b17363a92d80200ff5e7267b3bde206

   VMware Workstation for Windows 32-bit and 64-bit without tools
   md5sum: 6a18ea3847cb727b03f7890f5643db79
   sha1sum: 260b019db4619b0d1d775e5c38cc46b6db250984

   ACE Management Server Virtual Appliance
   md5sum: e26d258c511572064e99774fbac9184c
   sha1sum: 9363656b70caa11a31a6229451202d9f8203c1f5

   ACE Management Server for Windows
   md5sum: e970828f2a5a62ac108879033a70f4b6
   sha1sum: eca89372eacc78c3130781d0d183715055d64798

   ACE Management Server for SUSE Enterprise Linux 9
   md5sum: 59b3ad5964daef2844e72fd1765590fc
   sha1sum: 91048de7665f5dc466f06e2ebc4c08f08026a97f

   ACE Management Server for Red Hat Enterprise Linux 4
   md5sum: 6623f6a8a645402a1c8c351ec99a1889
   sha1sum: a6d74ba072c5a513fcf8993edebaaf7f8225c05d

   VMware ACE 2.5.4
   ----------------
http://downloads.vmware.com/download/download.do?downloadGroup=ACE-254-WIN
   Release notes:
   http://downloads.vmware.com/support/ace25/doc/releasenotes_ace254.html

   VMware ACE for Windows 32-bit and 64-bit
   Windows 32-bit and 64-bit .exe
   md5sum: 2dc393fcc4e78dcf2165098a4938699a
   sha1sum: acfff457860c8c53c637c01f74f8aaa72d1c9569

   ACE Management Server Virtual Appliance
   AMS Virtual Appliance .zip
   md5sum: 3935f23d4a074e7a3429a1c80cfd2155
   sha1sum: 5b09439a9c840d39ae49fbd7a79732ecd58c52a3

   ACE Management Server for Windows
   Windows .exe
   md5sum: 1173bd7da6ed330a262ed4e2eff6562c
   sha1sum: d9bce88a350aa957f3387f870af763875d4d9110

   ACE Management Server for SUSE Enterprise Linux 9
   SLES 9 .rpm
   md5sum: 0bec2cf8d6ae3bb6976c9d8cc2573208
   sha1sum: f3c6d9ee3357535b1540cedd9e86d723e2ed2134

   ACE Management Server for Red Hat Enterprise Linux 4
   RHEL 4 .rpm
   md5sum: 17caa522af79cf1f6b2ebad16a4ac8a5
   sha1sum: cdd6e2a4e3d7ad89f95e60f1af024bea7eaba0fe

   VMware Server 2.0.2
   -------------------
   http://www.vmware.com/download/server/
   Release notes:
  http://www.vmware.com/support/server2/doc/releasenotes_vmserver202.html

   VMware Server 2
   Version 2.0.2 | 203138 - 10/26/09
   507 MB EXE image VMware Server 2 for Windows Operating Systems. A
   master installer file containing all Windows components of VMware
   Server.
   md5sum: a6430bcc16ff7b3a29bb8da1704fc38a
   sha1sum: 39683e7333732cf879ff0b34f66e693dde0e340b

   VIX API 1.6 for Windows
   Version 2.0.2 | 203138 - 10/26/09
   37 MB image
   md5sum: 827e65e70803ec65ade62dd27a74407a
   sha1sum: a14281bc055271a19be3c88026e92304bc3f0e22

   For Linux

   VMware Server 2 for Linux Operating Systems.
   Version 2.0.2 | 203138 - 10/26/09
   37 MB TAR image
   md5sum: 95ddea5a0579a35887bd15b083ffea20
   sha1sum: 14cf12063a7480f240ccd96178ad4258cb26a747

   VMware Server 2 for Linux Operating Systems 64-bit version.
   Version 2.0.2 | 203138 - 10/26/09
   452 MB RPM image
   md5sum: 35c8b176601133749e4055e0034f8be6
   sha1sum: e8dc842d89899df5cd3e1136af76f19ca5ccbece

   The core application needed to run VMware Server 2, 64-bit version.
   Version 2.0.2 | 203138 - 10/26/09
   451 MB TAR image
   md5sum: cc7aef813008eeb7150c21547d431b39
   sha1sum: b65d3d46dc947fc7995bda354c4947afabd23474

   VMware Fusion 3.0.2
   -------------------
   http://downloads.vmware.com/download/download.do?downloadGroup=FUS-302
   Release notes:
http://downloads.vmware.com/support/fusion3/doc/releasenotes_fusion_302.html

   VMware Fusion 3.0.2 (for Intel-based Macs)
   md5sum: aa17278a4a668eeb9f9467e4e3111ccc
   sha1sum: 58c3d63705ac90839f7c1ae14264177e1fd56df3

   VMware Fusion 3.0.2 Light for Mac (for Intel-based Macs)
   md5sum: 052ecbbfc4f59a85e2d08b4bd3ef0896
   sha1sum: 61e00487f4c649588099647d4a5f47ddf5b8ad01

   VMware Fusion 2.0.7
   -------------------
   http://downloads.vmware.com/download/download.do?downloadGroup=FUS-207
   Release notes:
http://downloads.vmware.com/support/fusion2/doc/releasenotes_fusion_207.html

   VMware Fusion 2.0.7 (for Intel-based Macs)
   md5sum: a293f5ce6ccc227760640753386e9da6
   sha1sum: ddfda92f9baf30e536bc485e42325d173a1aa370

   VMware Fusion 2.0.7 Light (for Intel-based Macs)
   md5sum: d4772d118fb90323f598849e70c21189
   sha1sum: 5c1df1597e77ebe0f0555749b281008ca5f2fb77

   VIX API 1.7 Version: 1.7 | 2009-08-26 | 186713
   ----------------------------------------------
   VIX API for Window 32-bit and 64-bit
   Main installation file for Windows 32-bit and 64-bit host
   md5sum:b494fc3092f07d0f29cc06a19fe61306
   sha1sum:aa8638424cb7f25c1e42343134ac9f0bd2c2e0c9

   VIX API for Linux 32-bit
   md5sum:6b0ed8872d8b714363cddc68b6a77008
   sha1sum:8a9b12a61641394b347488119a7120eaa47dc2a1

   VIX API for Linux 64-bit
   md5sum:d57aa9f98058d5a386c18e14cc05bf4d
   sha1sum:3b7d4461ea257e795b322cc080f4ae29a230666b

   VIX API Version: 1.8.1 | 2009-10-11 | 207905
   ---------------------------------------------
   VIX API for Windows 32-bit and 64-bit
   md5sum:4f21e4cb518767bc08045f5a39f5d41f
   sha1sum:5b8275c549f9d9498bd2ed078557f1ce1986ac12

   VIX API for Linux 32-bit
   md5sum:f347e94d907c26754540d59956ee5d53
   sha1sum:6ddc6c9371ba127d04bc83bd55988a6c83366907

   VIX API for Linux 64-bit
   md5sum:b8a3982072d0d42c0c37dd7eb49d686c
   sha1sum:d044ac3dd42f806bc4ff48ddf584b5e3d82910c8

   VIX API Version: 1.10 Beta | 01/28/10 | 222403
   ----------------------------------------------
   VIX API for Windows 32-bit and 64-bit
   md5sum:ac5b6e9197cb68c302bfac9ed683e3af
   sha1sum:0d942e7409e88e684bdb65811e7be7f47d631a73

   VIX API for Linux 32-bit
   md5sum:07d1989d042e317eb9d2b3daf269dda7
   sha1sum:1e3840d426d7dfff53fa7e1bd22b09b56cf2362c

   VIX API for Linux 64-bit
   md5sum:9b345008e0adec3c044988307294944b
   sha1sum:7a54a893369c2227f7e8058430c40983168c6e0b

   ESXi
   ----
   ESXi 4.0 bulletin ESXi400-201002402-BG
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-193-20100228-731251/ESXi400-201002001.zip
   md5sum: e5aa2968d389594abdc59cbac7b0183d
   sha1sum: bb50b3ad7934e3f9e24edc879b35e83b357343b2
   http://kb.vmware.com/kb/1018404

   ESXi 3.5
   --------
   ESXi 3.5 patch ESXe350-200912402-T-BG was first contained in
   ESXe350-200912401-O-BG from December 2009.

   The same patch, ESXe350-200912402-T-BG, is also contained in
   ESXe350-201002401-O-SG from February 2010 ESXi 3.5 security update.

   In latest non-security ESXi 3.5 update, ESXe350-201003402-T-BG is also
   included in ESXe350-201003401-O-BG from March 2010.

   ESXe350-201002401-O-SG (latest security update)
   http://download3.vmware.com/software/vi/ESXe350-201002401-O-SG.zip

   md5sum: 0c8d4d1c0e3c2aed9f785cf081225d83

   http://kb.vmware.com/kb/1015047 (Vi Client)

   http://kb.vmware.com/kb/1016665 (VM Tools)

   http://kb.vmware.com/kb/1017685 (Firmware)

   The three ESXi patches for Firmware "I", VMware Tools "T," and the
   VI Client "C" are contained in a single offline "O" download file.

   ESX
   ---
   ESX 4.0 bulletin ESX400-201002401-BG
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-192-20100228-732240/ESX400-201002001.zip
   md5sum: de62cbccaffa4b2b6831617f18c1ccb4
   sha1sum: 4083f191fa4acd6600c9a87e4852f9f5700e91ab
   http://kb.vmware.com/kb/1018403

   Note: ESX400-201002001 contains the bundle with the security fix,
         ESX400-201002401-BG
   To install an individual bulletin use esxupdate with the -b option.
   esxupdate --bundle ESX400-201002001 -b ESX400-201002401-BG

   ESX 4.0 bulletin ESX400-200911223-UG
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-166-20091202-254879/ESX-4.0.0-update01a.zip
   md5sum: 99c1fcafbf0ca105ce73840d686e9914
   sha1sum: aa8a23416271bc28b6b8f6bdbe00045e36314ebb
   http://kb.vmware.com/kb/1014842

   Note: ESX-4.0.0-update01a contains the bundle with the security fix,
         ESX400-200911223-UG
   To install an individual bulletin use esxupdate with the -b option.
   esxupdate --bundle ESX-4.0.0-update01a -b ESX400-200911223-UG

   ESX 3.5 patch ESX350-200912401-BG
   http://download3.vmware.com/software/vi/ESX350-200912401-BG.zip
   md5sum: f1d3589745b4ae933554785aef22bacc
   sha1sum: d1e5a9209b165d43d75f076e556fc028bec4cc47
   http://kb.vmware.com/kb/1016657

   ESX 3.0.3 patch ESX303-201002203-UG
   http://download3.vmware.com/software/vi/ESX303-201002203-UG.zip
   md5sum: 49ee56b687707cbe6999836c315f081a
   http://kb.vmware.com/kb/1018030

   ESX 2.5.5 Upgrade Patch 15
 http://download3.vmware.com/software/esx/esx-2.5.5-191611-upgrade.tar.gz
   md5sum: c346fe510b6e51145570e03083f77357
   sha1sum: ef6b19247825fb3fe2c55f8fda3cdd05ac7bb1f4
   http://www.vmware.com/support/esx25/doc/esx-255-200910-patch.html

5. References
   http://www.acrossecurity.com/advisories.htm
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1564
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1565
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2042
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3707
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3732
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1138
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1139
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1140
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1142
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1141

6. Change log
2010-04-09 VMSA-2010-0007
Initial security advisory after release of Workstation 6.5.4 and Fusion
2.0.7 on 2010-04-08.

- ------------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2010 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFLvvM8S2KysvBH1xkRAgu/AJ9RrzlOq/5Ug0t8R4qoi/UwDVJDpACbBGgT
d58bjKG6Ic7m/TsoJP4M2tw=
=Q1zv
-----END PGP SIGNATURE-----