DOE-CIRC TECHNICAL BULLETIN

T-245: VMware Fusion vmx86 Kernel Extension Bugs Let Local Host OS Users Gain Elevated Privileges and Deny Service on the Host

[CVE-2009-3281 & CVE-2009-3282]

October 5, 2009 13:00 GMT

PROBLEM: VMware Fusion 2.0.6 addresses a denial of service and code execution vulnerability.
PLATFORM: VMware Fusion 2.0.5 and earlier.
ABSTRACT: Two vulnerabilities were reported in VMware Fusion. A local user on the host operating system can obtain elevated privileges on the target host operating system. A local user on the host operating system can cause denial of service conditions on the host operating system.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-245.shtml
  OTHER LINKS: Security Tracker
               http://securitytracker.com/alerts/2009/Oct/1022981.html
               VMware Security Advisory
               http://www.vmware.com/security/advisories/VMSA-2009-0013.html

  CVE: CVE-2009-3281
       CVE-2009-3282

IMPACT ASSESSMENT: This risk is low. A local user on the host operating system can obtain elevated privileges, or can cause denial of service conditions on the host operating system.

[***** Start CVE-2009-3281 & CVE-2009-3282 *****]
Discussion:
VMware Fusion 2.0.6 addresses a denial of service and code execution vulnerability.

Kernel code execution vulnerability:

A file permission problem in the vmx86 kernel extension allows an unprivileged user on the host system to execute arbitrary code in the host system kernel context.  The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3281 to this issue.

Kernel denial of service vulnerability:

An integer overflow vulnerability in the vmx86 kernel extension allows an unprivileged user on the host system to cause a denial of service of the host.  The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3282 to this issue.

Solution:
Please review the patch/release notes for your product and version and verify the md5sum and/or the sha1sum of your downloaded file.

VMware Fusion 2.0.6 (for Intel-based Macs): Download including VMware Fusion and a 12 month complimentary subscription to McAfee VirusScan Plus 2009

   md5sum: d35490aa8caa92e21339c95c77314b2f
   sha1sum: 9c41985d754ac718032a47af8a3f98ea28fddb26

VMware Fusion 2.0.6 (for Intel-based Macs): Download including only VMware Fusion software

   md5sum: 2e8d39defdffed224c4bab4218cc6659
   sha1sum: 453d54a2f37b257a0aad17c95843305250c7b6ef

Release notes
www.vmware.com/support/fusion2/doc/releasenotes_fusion_206.html
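
One way to carry out the checksum verification requested above, as an added example that is not part of the original bulletin or VMware's tooling: it hashes the downloaded file once and reports which of the two published Fusion 2.0.6 packages it matches. The function names and the script name verify_fusion.py are this example's own; requiring both digests to match is a choice of the example, stricter than the bulletin's "and/or".

```python
import hashlib
import hmac
import sys

# Digest pairs (md5, sha1) copied from this bulletin for the two 2.0.6 downloads.
PUBLISHED = {
    "VMware Fusion 2.0.6 with McAfee VirusScan Plus 2009": (
        "d35490aa8caa92e21339c95c77314b2f",
        "9c41985d754ac718032a47af8a3f98ea28fddb26",
    ),
    "VMware Fusion 2.0.6 only": (
        "2e8d39defdffed224c4bab4218cc6659",
        "453d54a2f37b257a0aad17c95843305250c7b6ef",
    ),
}


def file_digests(path, chunk_size=1 << 20):
    """Return (md5_hex, sha1_hex), reading the file once in fixed-size chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def identify_download(path, published=PUBLISHED):
    """Return the package name whose MD5 and SHA-1 both match, else None."""
    md5_hex, sha1_hex = file_digests(path)
    for name, (want_md5, want_sha1) in published.items():
        # Normalise case and whitespace so pasted digests compare cleanly.
        md5_ok = hmac.compare_digest(md5_hex, want_md5.strip().lower())
        sha1_ok = hmac.compare_digest(sha1_hex, want_sha1.strip().lower())
        if md5_ok and sha1_ok:  # a single matching digest is not accepted
            return name
    return None


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_fusion.py <downloaded-file>")
    match = identify_download(sys.argv[1])
    if match is None:
        sys.exit("MISMATCH: file matches neither published digest pair")
    print("OK: " + match)
```

A non-zero exit status means the file should be discarded and downloaded again from VMware before installation.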

[***** End CVE-2009-3281 & CVE-2009-3282 *****]

DOE-CIRC wishes to acknowledge the contributions of VMware for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788