             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

         VMware ESX Server 2.5.3 Upgrade Patch 2 [VMware ESX-253-200606]

August 25, 2006 17:00 GMT                                         Number Q-299
______________________________________________________________________________
PROBLEM:       Certain versions of VMware ESX Server store passwords in
               plain text in a file that all users have read permission to.
PLATFORM:      VMware ESX prior to 2.5.3 upgrade patch 2
               VMware ESX prior to 2.1.3 upgrade patch 1
               VMware ESX prior to 2.0.2 upgrade patch 1
DAMAGE:        Local users can read the passwords of any user who changed
               their password through the web interface.
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. Local users can read the passwords of any
ASSESSMENT:    user who changed their password through the web interface.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-299.shtml
 ORIGINAL BULLETIN:  VMware ESX-253-200606-patch
                     http://www.vmware.com/download/esx/esx-253-200606-patch.html
 ADDITIONAL LINK:    US-CERT VU#822476
                     http://www.kb.cert.org/vuls/id/822476
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3620
______________________________________________________________________________

[***** Start VMware ESX-253-200606 *****]

VMware ESX Server 2.5.3 Upgrade Patch 2 (for 2.5.3 Systems Only)

This patch is for ESX Server 2.5.3 and addresses the following issues:

* This patch includes a change in SCSI error handling. Prior to this patch,
  certain SCSI behaviors resulted in an error condition being passed to
  guest operating systems. After ESX Server 2.5.3 Upgrade Patch 2 is
  applied, the guest operating system will be passed a retry for its I/O
  rather than receiving the error condition.

* This patch refines runt-packet padding behavior in order to accommodate
  relatively rare circumstances where Ethernet frames are dropped and/or
  flagged as suspicious by a network security appliance.

* This patch fixes a bug that caused the VMware Management Interface not to
  display some groups defined in /etc/group. This is also fixed for
  ESX Server 2.1.3 in ESX Server 2.1.3 Upgrade Patch 1.

* This patch enables the use of non-alphanumeric characters in passwords in
  the VMware Management Interface without generating an error message. This
  is also fixed for ESX Server 2.1.3 in ESX Server 2.1.3 Upgrade Patch 1.
  For additional information, refer to KB 2098.

* This patch enables support for the Sun StorageTek FLX-380 storage array.

Applicability

This patch is an ESX Server 2.5.3 patch. Please make sure that ESX Server
2.5.3 build 22981 or later is installed before applying this patch. Run
vmware -v to display version and build information for your system.

Please DO NOT apply this patch on SunFire X4100 or X4200 servers. For
further details, please refer to knowledge base article 2085: Installing
ESX 2.5.3 on SunFire x4100 and x4200 Servers.

Installing the Update

Note: VMware recommends backing up your ESX Server installation before
installing this patch. Also, a minimum of 200 MB of temporary free space on
the "/" filesystem is required for installing this patch.

This update requires you to boot your server into Linux mode to perform the
upgrade. When you are prompted to reboot at the end of the upgrade, the
installer will restart your system to run ESX Server.

 1. Power off all virtual machines.

 2. Restart your system.

 3. At the LILO Boot Menu, select the option appropriate for your system.
    * For a boot-from-SAN installation, select esx-san-safe.
    * For all other installations, select linux-up.

 4. Log in as root into the ESX Server service console, in Linux mode.

 5. Download the tar file into the temporary directory under /root on your
    ESX Server console.

 6. Change your working directory to that directory.

 7. Verify the integrity of the package:

      # md5sum esx-2.5.3-27728-upgrade.tar.gz

    The md5 checksum output should match the following:

      ddb67afe2a48a04fb764af2497d6b75c  esx-2.5.3-27728-upgrade.tar.gz

 8. Extract the compressed tar archive:

      # tar -xvzf esx-2.5.3-27728-upgrade.tar.gz

 9. Change to the newly created directory:

      # cd esx-2.5.3-27728-upgrade

10. Run the installer:

      # ./upgrade.pl

11. The system updates have now been installed. A reboot prompt displays:

      Reboot the server now [y/n]?

    This update will not be complete until you reboot the ESX Server. If you
    enter N, to indicate that you will not reboot at this time, ESX Server
    displays the warning message "Please reboot the server manually. Your
    virtual machines will not run properly until this is done." If you see
    this message, you must manually reboot the server to complete the driver
    update.

12. At the reboot prompt, enter Y to reboot the server.

[***** End VMware ESX-253-200606 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of VMware for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.
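A pre-flight script for steps 7 through 10 above, added here as an example; it is not VMware's installer and not part of the bulletin. It takes the minimum build, the 200 MB free-space requirement, the archive name and the md5 checksum from the bulletin, and assumes that vmware -v reports the build as "build-NNNNN"; the checksum is compared before anything is extracted or executed, so a tampered or truncated download stops the procedure.

```shell
#!/bin/sh
# Pre-flight checks before running ./upgrade.pl (added example, not VMware's code).
# Constants come from the bulletin; the "build-NNNNN" output format is assumed.
MIN_BUILD=22981
MIN_FREE_MB=200
PATCH_TGZ="esx-2.5.3-27728-upgrade.tar.gz"
PATCH_MD5="ddb67afe2a48a04fb764af2497d6b75c"

# parse_build "VMware ESX Server 2.5.3 build-22981" -> 22981 (empty if absent)
parse_build() {
    printf '%s\n' "$1" | sed -n 's/.*build-\([0-9][0-9]*\).*/\1/p'
}

# build_ok VERSION_LINE: succeed only if the build meets the patch's minimum
build_ok() {
    b=$(parse_build "$1")
    [ -n "$b" ] && [ "$b" -ge "$MIN_BUILD" ]
}

# md5_ok FILE EXPECTED: compare the md5sum digest of FILE with EXPECTED
md5_ok() {
    [ -f "$1" ] || return 1
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# free_mb_ok MOUNT NEED_MB: df -P reports 1K blocks; convert to MB and compare
free_mb_ok() {
    avail_kb=$(df -P "$1" | awk 'NR == 2 { print $4 }')
    [ -n "$avail_kb" ] && [ $((avail_kb / 1024)) -ge "$2" ]
}

# preflight: run all three checks and stop at the first failure, so the
# archive is only extracted and ./upgrade.pl only run when every check passed
preflight() {
    build_ok "$(vmware -v 2>/dev/null)" \
        || { echo "build below $MIN_BUILD or vmware -v failed"; return 1; }
    free_mb_ok / "$MIN_FREE_MB" \
        || { echo "need ${MIN_FREE_MB} MB free on /"; return 1; }
    md5_ok "$PATCH_TGZ" "$PATCH_MD5" \
        || { echo "md5 mismatch for $PATCH_TGZ; do not install"; return 1; }
    echo "pre-flight OK; next: tar -xvzf $PATCH_TGZ && cd esx-2.5.3-27728-upgrade && ./upgrade.pl"
}
# Usage (from the download directory, in Linux mode):  . ./preflight.sh && preflight
```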
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-289: Vulnerability May Allow Users With the "File System Management" RBAC
       Profile to Gain Elevated Privileges
Q-290: Xsan Filesystem 1.4
Q-291: Buffer Overflow in the format(1M) Command
Q-292: XFree86 Security Update
Q-293: Kernel Security Update
Q-294: Multiple Security Vulnerabilities in Mozilla 1.4 and 1.7
Q-295: ImageMagick Security Update
Q-296: HP OpenView Storage Data Protector
Q-297: Cisco Unintentional Password Modification Vulnerability in Cisco
       Firewall Products
Q-298: Cisco VPN 3000 Concentrator FTP Management Vulnerabilities