Another vulnerability report from VMware
VMware has issued a security advisory describing additional errors in both its desktop and its server products. An error in the HGFS.sys driver of the VMware Tools Package can be exploited to allow an unprivileged guest user to escalate his privileges on a Windows guest system. A user logged into the Linux host system can execute arbitrary code on it by exploiting an error in vmware-authd. The announcement comes only days after VMware reported critical holes in its desktop products.
A hole in the Openwsman system management further allows access with root privileges. Here too, an attacker needs to know the valid login credentials of at least one restricted user. There are more buffer overflows in the VMware VIX API. The report also lists some older holes in open source packages such as unzip, tcltk, cyrus-sasl and Kerberos that are used on VMware server systems.
The original security advisory contains a list of the systems that are affected. VMware has provided updates for all the vulnerable products. If you updated your desktop product at the beginning of the week, you are already up to date. Only operators of the server software need to act.
- VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues, security advisory from VMware