VMware Advisory - buffer overflows

From: Don (donat_private)
Date: Sat Jun 26 1999 - 14:33:22 PDT

    This advisory was made on 06/21/99 and was to be released on 06/28/99 (or
    after a fix was released). We would like to recognize the VMware staff and
    their responsiveness to the bug reports.  Last night, customers who
    purchased their product received notices to upgrade to VMware v1.0.2.
    
    For more information on the VMware bugs, visit:
    
    http://www.vmware.com/news/security.html
    http://www.cyberspace2000.com/security/advisories
    
    -Don Sausa
    
    ----------[asylum security]------------
    id: #99021, team director
    e-mail: donat_private
    web: http://cyberspace2000.com/security
    ---------------------------------------
    
    
    Team Asylum Security
    Copyright (c) 1999 By CyberSpace 2000
    http://www.cyberspace2000.com/security
    Source: Seth L. [sethat_private]
    Advisory Date: 06/21/99
    Release Date: 06/28/99
    
    [ Final Revision: 06/25/99 ]
    
    Affected
    --------
    VMware v1.0.1 and earlier for Linux.
    
    Product Description
    -------------------
    VMware v1.0.1 is a software product by VMware, Inc. that creates a
    virtual machine in which you can install multiple operating systems
    without repartitioning or formatting your hard drive.
    
    Vulnerability Summary
    ---------------------
    Team Asylum has found multiple buffer overflows existing in VMware v1.0.1
    for Linux.  Earlier versions also have the same buffer overflows.
    VMware Inc. has been notified of these overflows and they have released
    VMware v1.0.2 as a fix.  Any local user can exploit these overflows to gain
    root access.
    
    Fix
    ---
    All users are encouraged to upgrade to VMware v1.0.2.  You may download
    it directly off http://www.vmware.com.
    
    Special Thanks
    --------------
    Special thanks to VMware staff for responding quickly to our bug reports.
    Within 3 days, they have managed to fix the overflows, as well as stop the
    physical distribution of their v1.0.1 product.  All customers who have
    purchased VMware have been notified as of 06/25/99 12:00 midnight (PST)
    about the new VMware v1.0.2 version.
    


