Reference: CERT-EU Security Advisory 2012-0075

Title: VMware Workstation, Player, Fusion, ESXi and ESX patches address security issues [1]

Version history:
21.06.2012 Initial publication

Summary
=======
VMware products allow user-assisted remote attackers to execute arbitrary code on the host OS or cause a denial of service (memory corruption) on the host OS via a crafted Checkpoint file. [2]

CVE-2012-3288

CVSS v2 Base Score: 4.6 (MEDIUM) (AV:A/AC:H/Au:N/C:N/I:N/A:C) [2,3]

Vulnerable systems
==================
VMware Workstation 7.x before 7.1.6 and 8.x before 8.0.4
VMware Player 3.x before 3.1.6 and 4.x before 4.0.4
VMware Fusion 4.x before 4.1.3
VMware ESXi 3.5 through 5.0
VMware ESX 3.5 through 4.1

Original Details
================
Input data is not properly validated when loading Checkpoint files. This may allow an attacker with the ability to load a specially crafted Checkpoint file to execute arbitrary code on the host. [1]

What can you do?
================
A table in [1] lists the action required to remediate the vulnerability in each release, if a solution is available. No workarounds have yet been identified. VMware recommends that admins do not import virtual machines from untrusted sources. [1]

What to tell your users?
========================
N/A

More information
================
[1] http://www.vmware.com/security/advisories/VMSA-2012-0011.html
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3288
[3] More information about CVSS is available at: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html