Is any VMware software (ESXi, Fusion workstation, etc.) susceptible to this new (actually a decade old, or so it seems) vulnerability?
Any remedies on hand yet?
Hi setjam,
I'm sure our security team is in the process of assessing the situation; I'm not aware of any official statement regarding that issue at this time.
Keep an eye on the resources at the VMware Security Response Center (vSRC) and perhaps sign up to the security advisories mailing list to be sure you have the latest information.
Thanks,
--
Darius
No message from vSRC yet; however, this security announcement is very important.
I just discovered that on a freshly patched ESXi 5.5 the machine is still vulnerable according to this test:
$ wget https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c
$ gcc GHOST.c -o GHOST
$ ./GHOST
[responds vulnerable OR not vulnerable ]
As gcc is not available on an ESXi, you need to compile it on a comparable Linux machine.
VMware needs to act fast. Citrix already has some information on CVE-2015-0235 for their products.
Official blog and KB from VMware:
KB: VMware KB: VMware Response to CVE-2015-0235 - glibc gethostbyname buffer overflow, aka "Ghost"
Hi IYbema, and welcome to the VMware Communities!
You've demonstrated that your host includes a vulnerable version of the library, but that does not demonstrate that the host is vulnerable. For the host to be vulnerable, there needs to be a pathway for an attacker to trigger the vulnerable function in a very specific way, and an attacker generally does not start off with access to a shell on an ESXi host... The latest updates from our security team (see the links posted a moment ago by vickyvision2020) indicate that there are no such pathways allowing for the function to be exploited.
In the absence of a pathway to exploit the vulnerability, the KB article says that "VMware products that ship with vulnerable versions of glibc will be updated in upcoming releases in accordance with our security response policy", which seems to be an eminently sensible middle-ground: In the absence of an exploit pathway, there's no mad rush to patch, but we'll still make sure the issue is fixed in due course.
Cheers,
--
Darius
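
The distinction drawn in the reply above, between shipping a vulnerable glibc and having a program that reaches the affected gethostbyname*() calls, can be triaged on a Linux system by listing which binaries import those functions. This is an added example, not part of the original thread or any VMware tooling; it assumes binutils `nm` is installed, and the names `ghost_imports` and `scan_dir` are hypothetical.

```shell
#!/bin/sh
# Added example: find dynamically linked binaries that import the
# gethostbyname*() family, the entry points named in CVE-2015-0235.
# Statically linked binaries have no dynamic imports and are not covered.

# Reduce `nm -D` output (stdin) to the undefined gethostbyname* imports.
# Undefined symbols appear as: "        U gethostbyname@GLIBC_2.2.5"
ghost_imports() {
    awk '$1 == "U" {
             sym = $2
             sub(/@.*/, "", sym)      # drop the symbol-version suffix
             if (sym ~ /^gethostbyname(2)?(_r)?$/) print sym
         }' | LC_ALL=C sort -u
}

# Print "path: symbols" for each file under directory $1 that imports them.
# Files that are not ELF objects make nm fail and are skipped silently.
scan_dir() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        syms=$(nm -D "$f" 2>/dev/null | ghost_imports | tr '\n' ' ')
        if [ -n "$syms" ]; then
            printf '%s: %s\n' "$f" "$syms"
        fi
    done
}

# Constructed sample of `nm -D` output, used to exercise the filter offline.
sample_nm_output() {
    printf '%s\n' \
        '                 U gethostbyname_r@GLIBC_2.2.5' \
        '                 U getaddrinfo@GLIBC_2.2.5' \
        '                 U gethostbyname@GLIBC_2.2.5' \
        '0000000000004010 T gethostbyname2' \
        '                 U gethostbyaddr@GLIBC_2.2.5'
}

# Example use (the directory is an assumption):  scan_dir /usr/sbin
```

A hit only shows that the call is present in the binary; whether attacker-controlled input can reach it still has to be judged per program.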