Friday, March 28, 2008

VMware, web hosting, and connection to us



We were fixing links the other day and found some old memories. If you are an IT admin, web hosting admin, or have any clue about virtualization of operating systems, you know about VMware.

Back in the day (1999), our security teams discovered vulnerabilities in VMware. Yeah, we are feeling old... Congrats to VMware for their successful IPO. We hope they continue to shine as they continue to refine their products.

Here's the security advisory for old times' sake:





VMware Security Alert
Date: June 25th, 1999

On June 22nd, 1999, VMware, Inc. was notified of a security problem with VMware for Linux 1.0.1. This security hole is
also present in all previous versions of VMware for Linux. The security hole has been fixed in VMware for Linux 1.0.2
released today. The security hole allows a buffer overrun attack against VMware for Linux to result in unprivileged root
access to a machine. An updated version of VMware for Linux which fixes this problem is available now, see below. As
far as we know, this breach has never been used for malicious purposes, or caused any harm to customer installations.
VMware, Inc. apologizes for the inconvenience to our users.


Vulnerable Systems

The security hole allows an attack to occur during VMware startup, but before a virtual machine is powered on. Guest
operating systems themselves are unlikely to be affected by these buffer overflow attacks. Systems most vulnerable to
this attack are multi-user Linux systems that have VMware installed. A malicious user with access to an account on the
system could exploit the hole. Stand alone single-user machines are not at high risk from this security hole. This hole
does not allow direct network based 'worm' style attacks against VMware.

This security hole was discovered by Asylum Security, a division of CyberSpace 2000, a professional computer security
response team. VMware has taken immediate action in response to this event. VMware for Linux 1.0.2 was made
available for download on June 25th, 1999 on our web site and mirror sites. The shipment of CD-ROMs has been
suspended and the inventory discarded. Customers who have purchased VMware for Linux have been notified by electronic mail.
VMware has also posted security alerts to newsgroups at news.vmware.com.


Affected VMware Releases

This security hole is present in VMware for Linux 1.0.1 and all previous versions, including the beta versions
(build-106, build-135, build-152) and the experimental version (build-179). VMware recommends that users replace
beta and experimental versions with VMware for Linux 1.0.2. An updated VMware for Linux experimental release with
fixes for this security hole will be made available in the near future.


How to Close this Security Hole

The security hole can be closed by simply upgrading to VMware for Linux version 1.0.2:

1. Download VMware for Linux 1.0.2 from one of our mirror sites

2. Untar the distribution.
   tar zxvf vmware-1.0.2.tar.gz

3. Change directory to vmware-install
   cd vmware-install

4. As root, install VMware for Linux
   su
   ./install.pl

You will first be asked whether you want to upgrade VMware for Linux. Simply answer yes at this point and
then follow any installer instructions.

NOTE: It is not possible to resolve this security problem by removing suid (Set User ID) root privileges from
the VMware executable. VMware must be suid root to run correctly.


Reporting Security Issues

VMware is committed to addressing security issues and providing customers with information on how they can protect
themselves. If you identify what you believe may be a security issue with a VMware product, please send an email to
security@vmware.com. We will work to appropriately address and communicate the issue.


Notification of Security Alerts

When VMware becomes aware of a security issue that significantly affects our products, we will take action to notify
affected customers. Typically this notification will be in the form of a security bulletin explaining the issue, and where
possible a response to the problem. These bulletins will both be emailed to affected customers and posted on our web site
and newsgroups at news.vmware.com.

Saturday, March 22, 2008

Linux tip: vsftpd not creating logs

Oftentimes, you'd think yum installs would just take care of all the hassles of installing daemon packages for Linux distros. Unfortunately, some, like vsftpd, require a bit of tweaking.

If your vsftpd.log or xfer log is not properly being created by vsftpd, make sure that you have this somewhere in vsftpd.conf:

syslog_enable=NO
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log

That should do it! Afterwards just restart vsftpd by doing this:

/etc/rc.d/init.d/vsftpd restart
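
To check a config before restarting, here is an added example (not part of the original tip) that audits a vsftpd.conf for the three settings above. The helper names conf_get, is_yes and check_vsftpd_logging are made up for this sketch; it also flags whitespace around "=", which the vsftpd.conf man page documents as an error.

```shell
# Added example: audit a vsftpd.conf for the file-logging settings above.
# conf_get, is_yes and check_vsftpd_logging are hypothetical helper names.

# conf_get FILE KEY DEFAULT: effective value of KEY (last assignment wins,
# comment lines skipped, DEFAULT when KEY is never set).
conf_get() {
    awk -v key="$2" -v def="$3" '
        /^#/ { next }
        index($0, key "=") == 1 { val = substr($0, length(key) + 2); seen = 1 }
        END { print (seen ? val : def) }
    ' "$1"
}

# is_yes VALUE: vsftpd booleans are YES/TRUE/1 (case-insensitive).
is_yes() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# check_vsftpd_logging FILE: print findings, return the number of problems.
check_vsftpd_logging() {
    conf=$1 problems=0
    # vsftpd treats whitespace around "=" as a syntax error.
    if grep -nE '^[A-Za-z_]+[[:space:]]+=|^[A-Za-z_]+=[[:space:]]' "$conf"; then
        echo "PROBLEM: whitespace around '=' on the line(s) above"
        problems=$((problems + 1))
    fi
    if is_yes "$(conf_get "$conf" syslog_enable NO)"; then
        echo "PROBLEM: syslog_enable=YES sends vsftpd.log output to syslog"
        problems=$((problems + 1))
    fi
    if ! is_yes "$(conf_get "$conf" dual_log_enable NO)"; then
        echo "PROBLEM: dual_log_enable is not YES"
        problems=$((problems + 1))
    fi
    echo "vsftpd_log_file=$(conf_get "$conf" vsftpd_log_file /var/log/vsftpd.log)"
    return "$problems"
}

# Constructed sample: the three settings from the post, written to a temp file.
sample=$(mktemp)
printf '%s\n' 'syslog_enable=NO' 'dual_log_enable=YES' \
    'vsftpd_log_file=/var/log/vsftpd.log' > "$sample"
check_vsftpd_logging "$sample"; rm -f "$sample"
```
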

About Us - CyberSpace 2000

CYBERSPACE2000.com
Created on: 06-Oct-96

For over a decade, CyberSpace 2000 has provided web hosting, web design, and colocation services to customers across the world. Our very first customer was a college in Chile. From music artists to media companies, we held their content and provided their companies portals to the Internet when few web hosting companies existed. We started simply as part of a bulletin board system back in 1994 and as the world trended towards a world wide platform (the Internet), we quickly adjusted.

Fast forward post 2000

Right after the drop of prices in hardware, storage, and bandwidth, a plethora of web hosting startups started popping up throughout the United States and the world. With competition comes a drop in prices and with designers coming from India, the Philippines, and other areas of the world -- both web design and web hosting prices have significantly dropped.

To date, CyberSpace 2000 survived, though not necessarily thrived in the industry. In time, one of the oldest web hosting and web design firms in the world moved away from individual web hosting packages and moved towards content management, advertising, and other platforms that had a better return on investment.

What's in 2008

Since we were originally part of the industry, we will be offering content that supports the industry.

This includes self-help guides and reviews of web hosting providers, VPS, and colos. The platform will be supported by simplistic advertising (served via Google).

Sincerely,

Don Sausa, Founder
CyberSpace 2000