VMware Cloud Community
sejtam
Contributor

Susceptible to CVE-2015-0235 ?

CVE - CVE-2015-0235

Is any VMware software (ESXi, Fusion workstation, etc.) susceptible to this new (actually a decade old, or so it seems) vulnerability?

Any remedies on hand yet?

0 Kudos
4 Replies
dariusd
VMware Employee

Hi sejtam,

I'm sure our security team is in the process of assessing the situation; I'm not aware of any official statement regarding that issue at this time.

Keep an eye on the resources at the VMware Security Response Center (vSRC) and perhaps sign up to the security advisories mailing list to be sure you have the latest information.

Thanks,

--

Darius

0 Kudos
IYbema
Contributor

No message from vSRC yet; however, this security announcement is very important.

I just discovered that on a freshly patched ESXi 5.5 the machine is still vulnerable according to this test:

$ wget https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c
$ gcc GHOST.c -o GHOST
$ ./GHOST
[responds vulnerable OR not vulnerable ]

As gcc is not available on an ESXi, you need to compile it on a comparable Linux machine.

VMware needs to act fast. Citrix already has some information on CVE-2015-0235 for their products.

0 Kudos
vThinkBeyondVM
VMware Employee

Official blog and KB from VMware:

Blog: http://blogs.vmware.com/security/2015/01/vmware-products-ghost-glibc-gethostbyname-buffer-overflow-c...

KB: VMware KB: VMware Response to CVE-2015-0235 - glibc gethostbyname buffer overflow, aka "Ghost"


----------------------------------------------------------------
Thanks & Regards
Vikas, VCP70, MCTS on AD, SCJP6.0, VCF, vSphere with Tanzu specialist.
https://vThinkBeyondVM.com/about
-----------------------------------------------------------------
Disclaimer: Any views or opinions expressed here are strictly my own. I am solely responsible for all content published here. Content published here is not read, reviewed or approved in advance by VMware and does not necessarily represent or reflect the views or opinions of VMware.

0 Kudos
dariusd
VMware Employee

Hi IYbema, and welcome to the VMware Communities!

You've demonstrated that your host includes a vulnerable version of the library, but that does not demonstrate that the host is vulnerable. For the host to be vulnerable, there needs to be a pathway for an attacker to trigger the vulnerable function in a very specific way, and an attacker generally does not start off with access to a shell on an ESXi host... The latest updates from our security team (see the links posted a moment ago by vickyvision2020) indicate that there are no such pathways allowing for the function to be exploited.

In the absence of a pathway to exploit the vulnerability, the KB article says that "VMware products that ship with vulnerable versions of glibc will be updated in upcoming releases in accordance with our security response policy", which seems to be an eminently sensible middle-ground: In the absence of an exploit pathway, there's no mad rush to patch, but we'll still make sure the issue is fixed in due course.

Cheers,

--

Darius

0 Kudos
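Added example, not part of the original thread and not VMware or Qualys code: a shell triage helper that complements the compiled GHOST test in IYbema's post by classifying a glibc version number against the upstream CVE-2015-0235 range (glibc 2.2 through 2.17, fixed upstream in 2.18). The function names are hypothetical, and it assumes a glibc-based Linux system where `getconf GNU_LIBC_VERSION` is available. As Darius notes above, a hit here only shows the library version, not an exploit pathway.

```shell
#!/bin/sh
# Added example: inventory check for the upstream CVE-2015-0235 version range.
# Upstream glibc 2.2 through 2.17 contain the gethostbyname overflow; 2.18 fixed it.
# Caveat: distributions backport fixes without changing MAJOR.MINOR, so
# "affected-upstream" means "check the vendor advisory", not "exploitable".

# ghost_classify VERSION -> prints one of:
#   affected-upstream | fixed-upstream | predates-bug | unknown
ghost_classify() {
    ver=$1
    case $ver in
        ''|*[!0-9.]*|.*|*..*) echo unknown; return 0 ;;  # empty or not dotted digits
        *.*) ;;                                           # looks like MAJOR.MINOR[.PATCH]
        *) echo unknown; return 0 ;;                      # no minor component
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ -n "$major" ] && [ -n "$minor" ] || { echo unknown; return 0; }
    if [ "$major" -gt 2 ]; then
        echo fixed-upstream
    elif [ "$major" -lt 2 ] || [ "$minor" -lt 2 ]; then
        echo predates-bug
    elif [ "$minor" -le 17 ]; then
        echo affected-upstream
    else
        echo fixed-upstream
    fi
}

# ghost_local_version -> prints this system's glibc version, or nothing if
# getconf is missing or the C library is not glibc (musl, BSD libc, ...).
ghost_local_version() {
    out=$(getconf GNU_LIBC_VERSION 2>/dev/null) || return 0
    echo "${out#glibc }"    # getconf prints e.g. "glibc 2.17"
}

v=$(ghost_local_version)
echo "glibc ${v:-not detected}: $(ghost_classify "$v")"
```

Package strings that carry a distribution release suffix are deliberately reported as `unknown`, since the suffix is where a backported fix would show up and only the vendor advisory can interpret it.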