Details
Release date: May 3, 2012
Patch Classification | Security (see KB 2014447 if using Update Manager 5.0) |
Build | For build information, see KB 2019860. |
Host Reboot Required | Yes |
Virtual Machine Migration or Shutdown Required | Yes |
PRs Fixed | 866126, 871713, 871886 |
Affected Hardware | N/A |
Affected Software | N/A |
VIBs Included |
|
Related CVE numbers | CVE-2012-2448, CVE-2012-2449, CVE-2012-2450 |
Solution
Summaries and Symptoms
This patch contains fixes for the following security issues:
ESXi NFS traffic parsing vulnerability
Due to a flaw in the handling of NFS traffic it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi host without authentication. The issue is not present in cases where there is no NFS traffic.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2448 to this issue.
The following paragraphs detail workarounds and mitigating controls that might be available to remove the potential for exploiting the issue and to reduce the exposure that the issue poses.
Workaround: None identified.
Mitigation:
- Connect only to trusted NFS servers.
- Segregate the NFS network.
- Harden your NFS server.
Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2449 to this issue.
The following paragraphs detail workarounds and mitigating controls that might be available to remove the potential for exploiting the issue and to reduce the exposure that the issue poses.
Workaround: Remove the virtual floppy device from the list of virtual I/O devices. The VMware hardening guides recommend removing unused virtual I/O devices in general.
Mitigation: Do not allow untrusted root users access to your virtual machines. Root or Administrator level permissions are required to exploit this vulnerability.
Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2450 to this issue.
The following paragraphs detail workarounds and mitigating controls that might be available to remove the potential for exploiting the issue and to reduce the exposure that the issue poses.
Workaround: Remove the virtual SCSI controller from the list of virtual I/O devices. The VMware hardening guides recommend removing unused virtual I/O devices in general.
Mitigation: Do not allow untrusted root users access to your virtual machines. Root or Administrator level permissions are required to exploit this issue.
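The floppy and SCSI workarounds above both depend on knowing which virtual machines still carry those devices. The following audit sketch is an added example, not VMware tooling or part of the original KB. It assumes the .vmx keys `floppyN.present`, `scsiN.present` and `scsiN:M.present`, and treats a device with no `.present` entry as absent. The function names and the sample configuration are constructed for illustration.

```python
import re

# Matches .vmx lines of the form: key = "value" (comment lines start with '#').
_LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return a dict mapping lower-cased .vmx keys to their string values."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def _present(cfg, key):
    # Assumption: a device without a ".present" entry is treated as absent.
    return cfg.get(key, "FALSE").strip().upper() == "TRUE"

def audit_vmx(text):
    """Report floppy devices and SCSI controllers named in the workarounds."""
    cfg = parse_vmx(text)
    report = {"floppy": [], "scsi_in_use": [], "scsi_unused": []}
    for key in sorted(cfg):
        m = re.fullmatch(r'(floppy|scsi)(\d+)\.present', key)
        if not m or not _present(cfg, key):
            continue
        dev = m.group(1) + m.group(2)
        if m.group(1) == "floppy":
            report["floppy"].append(dev)
            continue
        # A controller with attached targets (scsiN:M) still backs a disk,
        # so only controllers without targets are removal candidates.
        target = re.compile(re.escape(dev) + r':\d+\.present')
        attached = any(target.fullmatch(k) and _present(cfg, k) for k in cfg)
        report["scsi_in_use" if attached else "scsi_unused"].append(dev)
    return report

# Constructed sample .vmx content (not taken from a real host).
SAMPLE_VMX = '''\
.encoding = "UTF-8"
displayName = "constructed-example-vm"
floppy0.present = "TRUE"
Floppy1.present = "false"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "constructed-example-vm.vmdk"
scsi1.present = "TRUE"
scsi1.virtualDev = "lsilogic"
'''

if __name__ == "__main__":
    print(audit_vmx(SAMPLE_VMX))
```

Devices listed under `floppy` and `scsi_unused` are the ones the workarounds can remove without detaching a disk; controllers under `scsi_in_use` rely on the patch and the stated mitigation.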
Based on VMware KB 2019862