Summary
The remote ESXi is missing one or more security related Updates from VMSA-2012-0011.
Summary
VMware Workstation, Player, Fusion, ESXi and ESX patches address security issues.
Relevant releases:
Workstation 8.0.3
Workstation 7.1.5
Player 4.0.3
Player 3.1.5
Fusion 4.1.2
ESXi 5.0 without patch ESXi500-201206401-SG
ESXi 4.1 without patch ESXi410-201206401-SG
ESXi 4.0 without patch ESXi400-201206401-SG
ESXi 3.5 without patch ESXe350-201206401-I-SG
ESX 4.1 without patch ESX410-201206401-SG
ESX 4.0 without patch ESX400-201206401-SG
ESX 3.5 without patch ESX350-201206401-SG
Problem Description
a. VMware Host Checkpoint file memory corruption
Input data is not properly validated when loading Checkpoint files. This may allow an attacker with the ability to load a specially crafted Checkpoint file to execute arbitrary code on the host.
VMware would like to thank Thorsten Tüllmann for reporting this issue to us.
Workaround - None identified
Mitigation - Do not import virtual machines from untrusted sources.
b. VMware Virtual Machine Remote Device Denial of Service
A device (e.g. CD-ROM, keyboard) that is available to a virtual machine while physically connected to a system that does not run the virtual machine is referred to as a remote device.
Traffic coming from remote virtual devices is incorrectly handled. This may allow an attacker who is capable of manipulating the traffic from a remote virtual device to crash the virtual machine.
Workaround - None identified
Mitigation - Users need administrative privileges on the virtual machine in order to attach remote devices. - Do not attach untrusted remote devices to a virtual machine.
Solution
Apply the missing patch(es).
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2012-3288, CVE-2012-3289 -
CVSS Base Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- VMSA-2011-0004.3 VMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm.
- VMSA-2012-0006 VMware ESXi and ESX address several security issues
- VMSA-2013-0002 VMware ESX, Workstation, Fusion, and View VMCI privilege escalation vulnerability
- VMSA-2010-0018 VMware hosted products and ESX patches resolve multiple security issues
- VMSA-2013-0012 VMware vSphere updates address multiple vulnerabilities