Multiple VMware products DHCP server integer underflow (DHCP_Param_Underflow)

About this signature or vulnerability

Proventia Desktop, Proventia Network IPS, RealSecure Desktop, RealSecure Network, RealSecure Server Sensor, BlackICE Server Protection, BlackICE PC Protection, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

A malformed DHCP packet sent to a particular DHCP server results in an integer underflow on a value that is later used as a size to copy data. This results in a stack-based buffer overflow and ultimately remote code execution.


Default risk level

High

Sensors that have this signature

Proventia Desktop: 1980, Proventia Network IPS: XPU 1.97, RealSecure Desktop: eqd, RealSecure Network: XPU 24.58, RealSecure Server Sensor: XPU 24.58, BlackICE Server Protection: 3.6.cqd, BlackICE PC Protection: 3.6cqd, Proventia Network MFS: XPU 1.97, IBM Security Server Protection for Windows: 1.0.914.1980, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia-G 1.1 and earlier: XPU 24.58, Proventia Network IDS: XPU 24.58, Proventia Server IPS for Linux technology: 1.97, Virtual Server Protection for Vmware: 1.0

Systems affected

Gentoo Linux, RedHat Enterprise Linux: 2.1 AS, RedHat Enterprise Linux: 2.1 ES, RedHat Linux Advanced Workstation: 2.1 Itanium, Canonical Ubuntu: 6.06 LTS, VMware Workstation: 5.5.1, Canonical Ubuntu: 6.10, VMware ESX Server: 3.0.0, VMware ESX Server: 3.0.1, Canonical Ubuntu: 7.04, VMware Workstation: 6.0, VMware ESX Server: 2.5.4, VMware ACE: 1.0, VMware ACE: 1.0.3_build_54075, VMware ACE: 2.0.1_build_55017, VMware ESX Server: 2.0.2, VMware ESX Server: 2.1.3, VMware ESX Server: 2.5.3, EMC VMware Player: 1.0, EMC VMware Player: 1.0.5_build_56455, EMC VMware Player: 2.0.1_build_55017, VMware Server: 1.0.4_build_56528, VMware Workstation: 5.5, VMware Workstation: 5.5.3, VMware Workstation: 5.5.3_build_34685, VMware Workstation: 5.5.5_build_56455, VMware Workstation: 6.0.1_build_55017

Type

Unauthorized Access Attempt

Vulnerability description

VMware Player, Workstation, Server, and ACE are vulnerable to a stack-based buffer overflow in the built-in Dynamic Host Configuration Protocol (DHCP) server caused by an integer underflow. By sending a malformed DHCP packet, a remote attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges.
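
The bug class described above (an unsigned length that wraps when more is subtracted than remains, then serves as a copy size) can be shown on DHCP's code/length/value option encoding. The following C sketch is an added example, not VMware's code and not taken from the advisory; the advisory does not say which field underflows, so the function names, buffer sizes and sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OPT_PAD 0
#define OPT_END 255

/* Constructed sample: option 53, a pad byte, option 12 ("host"), end marker. */
static const uint8_t good_opts[] = {53, 1, 1, 0, 12, 4, 'h', 'o', 's', 't', 255};
/* Constructed malformed sample: option 12 declares 200 bytes, only 2 follow. */
static const uint8_t bad_opts[] = {53, 1, 1, 12, 200, 'a', 'b'};

/* The bug class: unsigned subtraction with no prior comparison.
 * When consumed > remaining the result wraps to a huge size_t. */
static size_t unchecked_remaining(size_t remaining, size_t consumed)
{
    return remaining - consumed;
}

/* Hardened lookup: copy the payload of option `want` into out.
 * Returns the payload length, or -1 if absent, malformed or too large. */
static int dhcp_get_option(const uint8_t *opts, size_t len, uint8_t want,
                           uint8_t *out, size_t out_cap)
{
    size_t off = 0;
    while (off < len) {
        uint8_t code = opts[off];
        if (code == OPT_END) break;
        if (code == OPT_PAD) { off++; continue; }
        if (len - off < 2) return -1;          /* length byte must exist */
        size_t olen = opts[off + 1];
        if (olen > len - off - 2) return -1;   /* compare before subtracting */
        if (code == want) {
            if (olen > out_cap) return -1;     /* never exceed the destination */
            memcpy(out, opts + off + 2, olen);
            return (int)olen;
        }
        off += 2 + olen;
    }
    return -1;
}

int main(void)
{
    uint8_t buf[8];
    int ok = dhcp_get_option(good_opts, sizeof good_opts, 12, buf, sizeof buf) == 4
          && dhcp_get_option(bad_opts, sizeof bad_opts, 12, buf, sizeof buf) == -1
          && unchecked_remaining(2, 202) > sizeof buf;  /* wrapped "size" */
    return ok ? 0 : 1;
}
```

The two comparisons made before any subtraction or copy are what keep a declared length from ever exceeding either the received data or the stack buffer.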

How to remove this vulnerability

For VMware Workstation 6.0.0:
Upgrade to the latest version of VMware Workstation (6.0.1 Build 55017 or later), available from the VMware Web site. See References.

For VMware Workstation 5.5.4:
Upgrade to the latest version of VMware Workstation (5.5.5 Build 56455 or later), available from the VMware Web site. See References.

For VMware Player 2.0.0:
Upgrade to the latest version of VMware Player (2.0.1 Build 55017 or later), available from the VMware Web site. See References.

For VMware Player 1.0.4:
Upgrade to the latest version of VMware Player (1.0.5 Build 56455 or later), available from the VMware Web site. See References.

For VMware Server 1.0.3:
Upgrade to the latest version of VMware Server (1.0.4 Build 56528 or later), available from the VMware Web site. See References.

For VMware ACE 2.0.0:
Upgrade to the latest version of VMware ACE (2.0.1 Build 55017 or later), available from the VMware Web site. See References.

For VMware ACE 1.0.3:
Upgrade to the latest version of VMware ACE (1.0.4 Build 54075 or later), available from the VMware Web site. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References

VMware, Inc. Web site
VMware Workstation 6.0 Release Notes
http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html

VMware, Inc. Web site
Download VMware Workstation for multiple operating systems
http://www.vmware.com/download/ws/

IBM Internet Security Systems Protection Advisory, Sept. 19, 2007
VMWare DHCP Server Remote Code Execution Vulnerabilities
http://www.iss.net/threats/275.html

VMware, Inc. Web site
VMware Workstation Download Archive
http://www.vmware.com/download/ws/ws5.html

VMware, Inc. Web site
Download VMware ACE
http://www.vmware.com/download/ace/

VMware, Inc. Web site
Download VMware Player
http://www.vmware.com/download/player/

VMware, Inc. Web site
VMware Player 2.0 Release Notes
http://www.vmware.com/support/player2/doc/releasenotes_player2.html

VMware, Inc. Web site
VMware ACE 2.0 Release Notes
http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html

VMware, Inc. Web site
Workstation 5.5 Release Notes
http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html

VMware, Inc. Web site
VMware Player Release Notes
http://www.vmware.com/support/player/doc/releasenotes_player.html

Full-Disclosure Mailing List, Wed Sep 19 2007 - 21:15:23 CDT
VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player
http://archives.neohapsis.com/archives/fulldisclosure/2007-09/0356.html

VMware Security-announce Mailing list, Wed Sep 19 19:15:23 PDT 2007
VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player
http://lists.vmware.com/pipermail/security-announce/2007/000001.html

USN-543-1
linux-restricted-modules-2.6.17/20, vmware-player-kernel-2.6.15 vulnerabilities
http://www.ubuntu.com/usn/usn-543-1

GLSA 200711-23
VMware Workstation and Player: Multiple vulnerabilities
http://www.gentoo.org/security/en/glsa/glsa-200711-23.xml

ISS X-Force
Multiple VMware products DHCP server integer underflow
http://www.iss.net/security_center/static/33103.php

CVE
CVE-2007-0063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0063