ISC Update: VMWare vulnerability announced/fixed and more fun from Symantec

[genXer]

Hello all-

Don't mean to keep updating from ISC - but my ticker for it just went off and I thought you should be updated:

VMWare vulnerability announced and fixed (NEW)

Link: http://isc.sans.org/diary.php?storyid=950

Story so far:

Published: 2005-12-21,
Last Updated: 2005-12-21 21:28:46 UTC by Jim Clausing (Version: 1)

A report showed up on the bugtraq and vulnwatch mailing lists in the last few hours about a vulnerability (discovered by Tim Shelton) in a number of VMWare products (including Workstation, GSX, ACE, and player), that would allow the attacker to escape the virtual machine and execute code in the underlying host OS. There are new builds which correct the issue (VMWare Workstation 5.5 is now up to build 19175, e.g.) dated 20 Dec on their website, and the bulletin has a timeline section that states that VMWare acknowledged the vulnerability when they released the new builds. This one is pretty significant for folks who use VMWare for malware analysis or even to isolate/sandbox their web browsing and you are urged to update to the latest build or disable NAT as soon as possible. From looking at the bulletin, it appears that Mr. Shelton has created a Metasploit module to exploit this vulnerability.

The vulnwatch article is here.
The Secunia advisory is here
VMWare's response is here.

---------------------------------
Jim Clausing, jclausing at isc.sans.org

Also - update from news on a new vulnerability for the AV RAR Library spanning many AV products from Symantec... hmm... open-source AV scanners are starting to look good right-about-now.

Symantec AV RAR library vulnerability

Link: http://isc.sans.org/diary.php?storyid=949

Story so far:

Symantec AV RAR library vulnerability (NEW)
Published: 2005-12-21,
Last Updated: 2005-12-21 20:19:58 UTC by Jim Clausing (Version: 2(click to highlight changes))

Yesterday, Alex Wheeler released details of a vulnerability that appears to span many Symantec A/V products in the routines for decoded RAR compressed files. Symantec is apparently working feverishly on a fix, but for the moment the recommendation is to disable scanning of these files (which I suppose is fine if we can convince the users not to open/uncompress them until Symantec has a fix or they can be scanned by some other A/V product) or block them completely at gateways/proxies. We are not currently aware of exploits in the wild, but the concern is that this has occurred so close to the end-of-year holidays, even if a fix does come out in the next few days, will people be around to apply it.

For complete details see, the Bugtraq posting, the Secunia advisory, and what I believe is Alex's paper.

We'll bring you more info as it becomes available.

Update: Symantec is apparently distributing a new pattern/definition that may detect the malformed RAR files while they continue to work on fixing the underlying vulnerability.

----------------------
Jim Clausing, jclausing at isc.sans.org

In case the links in the quote don't work, please refer to the Storm Center: http://isc.sans.org/index.php

[cabby80]

Definately issues to be aware of, as far as the VMware one is concerned though it only effects you if you are using the vmnat.exe - so you are connecting to the internet with you virtual machine NAT'd behind you physical machine.

For most corporate server virtualisation users, this will not be an issue as the will be using the virtual machine in bridged networking mode - virtual machine has its own IP and physical access to the network. But users should definitely be aware and update if they are using NAT.

Also as an aside VMWare ESX is not affected. Here is the advisory from vmware:
http://www.securityfocus.com/archive.../30/0/threaded