Apr 1, 2011 06:00 GMT

VMware has released security updates for its VMware Workstation and VMware VIX API products in order to address a local privilege escalation vulnerability.

The flaw, identified as CVE-2011-1126, is located in the vmrun utility, which is used to perform tasks on virtual machines.

Since vmrun is a Linux-only utility, only Linux versions of VMware Workstation and VMware VIX API are vulnerable.

The vmrun utility requires the VIX libraries and is installed by default by VMware Workstation, but exploiting the flaw requires a non-standard filesystem configuration.

"In non-standard filesystem configurations, an attacker with the ability to place files into a predefined library path, could take execution control of vmrun," the vendor explains in its advisory.
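A defender can check for the condition the advisory describes by auditing every directory on a binary's library search path. The following is an added example, not code from VMware or from the advisory; the page does not say how vmrun's library path is defined, so the function simply takes a colon-separated search path (the format used by `LD_LIBRARY_PATH` and by ELF RPATH/RUNPATH entries), and the sample path is constructed.

```python
import os
import stat

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # group/other write bits

def dir_issues(path, trusted_uids):
    """Ownership and mode problems for one existing directory."""
    st = os.stat(path)  # follows symlinks, as the loader would
    issues = []
    if st.st_uid not in trusted_uids:
        issues.append(f"{path} is owned by untrusted uid {st.st_uid}")
    if st.st_mode & LOOSE:
        issues.append(f"{path} is group- or world-writable")
    return issues

def audit_search_path(search_path, trusted_uids=(0,)):
    """Map each risky entry of a colon-separated search path to its findings."""
    report = {}
    for entry in search_path.split(":"):
        if not os.path.isabs(entry):
            report[entry] = ["empty or relative entry, resolved against "
                             "the working directory of whoever runs the binary"]
            continue
        target = entry
        while not os.path.isdir(target):  # climb to the nearest existing directory
            target = os.path.dirname(target)
        issues = dir_issues(target, trusted_uids)
        if issues and target != entry:
            # Missing entry: whoever controls the ancestor can create it.
            issues.insert(0, f"{entry} does not exist; nearest existing "
                             f"directory is {target}")
        if issues:
            report[entry] = issues
    return report

if __name__ == "__main__":
    # Constructed search path for illustration, not taken from vmrun.
    sample = "/opt/example/lib:/tmp/example-build/lib:lib"
    for entry, issues in audit_search_path(sample).items():
        print(entry or "<empty>", *issues, sep="\n  ")
```

The check covers each entry, or its nearest existing directory when the entry is missing; directories higher up the tree are not audited.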

The company thanks researcher Tim Brown for reporting the issue and advises all customers to upgrade to VIX API 1.10.3 and VMware Workstation 7.1.4 build 385536.

Users who still use VMware Workstation 6.5.x can download a patched 32- or 64-bit version of vmrun from KB1035509 and replace /usr/bin/vmrun with it.

VMware Workstation is the company's main virtualization product and allows customers to install and run multiple operating systems as virtual machines.

The VIX API is a development tool for writing virtual machine automation scripts that can be used to start programs or manipulate files in guest operating systems. It supports C, Perl, and COM (Visual Basic, VBScript, C#).

The new VMware Workstation 7.1.4 also addresses stability issues and brings several other improvements. For example, the main memory VA cache size has been increased to 1000 MB to improve performance.

A bug preventing videos larger than 1 GB from being captured with the Capture Movie option was also resolved, as were crashes caused by cryptographic operations on Windows systems with more than 4 GB of memory.