14 DAY TRIAL // VMware has released updates for its Workstation, Player, Fusion, ESXi and ESX products to address four privilege escalation, command injection and remote code execution vulnerabilities.
The first flaw is described in the newly published security advisory as a race condition in VMWare-mount and affects Workstation 7.x for Linux, Player 3.1.x for Linux, and Fusion 3.1.x for Mac OS/X.
The problem stems from the way the mounting process handles temporary files and can be exploited to elevate the privileges of a local user.
A second vulnerability results from the way vmware-mount loads libraries and could be leveraged to execute arbitrary .so files with root privileges.
VMware Server 2.0.2 for Linux is also affected, but since the product has reached end of life in January, it did not receive a security patch.
A third vulnerability exists in VMware Tools and is the result of insufficient input validation in the update routine. An attacker with access to the host can exploit this weakness to inject commands that would get executed with root privileges on the guest operating system.
VMware Workstation 7.x and 6.5.x, Player 3.1.x and 2.5.x, Server 2.0.2, Fusion 3.1.x and 2.x, on all supported operating systems, as well as ESXi and ESX 4.1, 4.0 and 3.5, are affected, but the bug is not a threat when VMware Tools is up to date.
The fourth vulnerability is located in the VMware Movie Decoder and allows for remote code execution with the privileges of the current user.
Attackers can exploit it by tricking users into visiting a maliciously crafted Web page (drive-by download) or opening a malformed video file. The flaw affects VMware Workstation, Player and Server for Windows.
All of these vulnerabilities are fixed in the newly released Workstation 7.1.2 Build 301548, 6.5.5 Build 328052 and Player 3.1.2 Build 301548, 2.5.5 Build 328052 for Windows and Linux.
The patches for ESXi and ESX are: ESXi410-201010402-BG for ESXi 4.1, ESXi400-201009402-BG for ESXi 4.0, ESXe350-201008402-T-BG for ESXi 3.5, ESX410-201010405-BG for ESX 4.1, ESX400-201009401-SG for ESX 4.0 and ESX350-201008409-BG for ESX 3.5.