Monthly Archives: July 2014
TA14-212A: Backoff Point-of-Sale Malware
Original release date: July 31, 2014 | Last revised: August 27, 2014
Systems Affected
Point-of-Sale Systems
Overview
This advisory was prepared in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis Center (FS-ISAC), and Trustwave Spiderlabs, a trusted partner under contract with the USSS. The purpose of this release is to provide relevant and actionable technical indicators for network defense against the PoS malware dubbed “Backoff” which has been discovered exploiting businesses’ administrator accounts remotely and exfiltrating consumer payment data.
Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the “Backoff” malware. Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected.
Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft’s Remote Desktop [1], Apple Remote Desktop [2], Chrome Remote Desktop [3], Splashtop 2 [4], and LogMeIn [5] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.
Organizations that believe they have been impacted should contact their local Secret Service field office and may contact the NCCIC for additional information.
Description
“Backoff” is a family of PoS malware and has been discovered recently. The malware family has been witnessed on at least three separate forensic investigations. Researchers have identified three primary variants to the “Backoff” malware including 1.4, 1.55 (“backoff”, “goo”, “MAY”, “net”), and 1.56 (“LAST”).
These variations have been seen as far back as October 2013 and continue to operate as of July 2014. In total, the malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4), which does not include keylogging functionality. Additionally, 1.55 “net” removed the explorer.exe injection component:
- Scraping memory for track data
- Logging keystrokes
- Command & control (C2) communication
- Injecting malicious stub into explorer.exe
The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of “Backoff”. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware.
Variants
Based on compiled timestamps and versioning information witnessed in the C2 HTTP POST requests, “Backoff” variants were analyzed over a seven month period. The five variants witnessed in the “Backoff” malware family have notable modifications, including:
1.55 “backoff”
- Added Local.dat temporary storage for discovered track data
- Added keylogging functionality
- Added “gr” POST parameter to include variant name
- Added ability to exfiltrate keylog data
- Supports multiple exfiltration domains
- Changed install path
- Changed User-Agent
1.55 “goo”
- Attempts to remove prior version of malware
- Uses 8.8.8.8 as resolver
1.55 “MAY”
- No significant updates other than changes to the URI and version name
1.55 “net”
- Removed the explorer.exe injection component
1.56 “LAST”
- Re-added the explorer.exe injection component
- Support for multiple domain/URI/port configurations
- Modified code responsible for creating exfiltration thread(s)
- Added persistence techniques
Command & Control Communication
All C2 communication for “Backoff” takes place via HTTP POST requests. A number of POST parameters are included when this malware makes a request to the C&C server.
- op : Static value of “1”
- id : randomly generated 7 character string
- ui : Victim username/hostname
- wv : Version of Microsoft Windows
- gr (Not seen in version 1.4) : Malware-specific identifier
- bv : Malware version
- data (optional) : Base64-encoded/RC4-encrypted data
The “id” parameter is stored in the following location, to ensure it is consistent across requests:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
If this key doesn’t exist, the string will be generated and stored. Data is encrypted using RC4 prior to being encoded with Base64. The password for RC4 is generated from the “id” parameter, a static string of “jhgtsd7fjmytkr”, and the “ui” parameter. These values are concatenated together and then hashed using the MD5 algorithm to form the RC4 password. In the above example, the RC4 password would be “56E15A1B3CB7116CAB0268AC8A2CD943” (the MD5 hash of “vxeyHkSjhgtsd7fjmytkrJosh @ PC123456”).
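Decoding a captured C2 request body as an added example (not code from the advisory): the RC4 password is derived from id + static string + ui exactly as described above, the data parameter is base64-decoded and RC4-decrypted, and the sample request is constructed inside the block. It assumes the password is the uppercase hex digest used as ASCII bytes, which is how the advisory quotes it.

```python
"""Decoder for the Backoff C2 POST body described in TA14-212A.

Added example, not code from the advisory. It derives the RC4 password the
way the advisory describes (MD5 of id + static string + ui) and decodes the
optional base64/RC4 'data' parameter of a captured request.
Assumption: the RC4 key is the uppercase hex digest used as ASCII bytes,
which is how the advisory quotes the password.
"""
import base64
import hashlib
from urllib.parse import parse_qs, urlencode

# Static POST-request strings the advisory lists per variant.
STATIC_STRINGS = {
    "1.4": "zXqW9JdWLM4urgjRkX",
    "1.55 backoff": "ihasd3jasdhkas",
    "1.55 goo": "jhgtsd7fjmytkr",
    "1.55 MAY": "jhgtsd7fjmytkr",
    "1.55 net": "ihasd3jasdhkas9",
    "1.56 LAST": "jhgtsd7fjmytkr",
}

# Parameters every variant sends; 'gr' is absent in 1.4 and 'data' is optional.
REQUIRED_PARAMS = ("op", "id", "ui", "wv", "bv")


def derive_rc4_key(victim_id: str, static_string: str, ui: str) -> bytes:
    """Concatenate id + static string + ui and MD5 it; the hex digest is the key."""
    material = (victim_id + static_string + ui).encode("utf-8")
    return hashlib.md5(material).hexdigest().upper().encode("ascii")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling, then keystream XOR). Symmetric."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_post_body(body: str, static_string: str) -> dict:
    """Parse a captured urlencoded POST body and decrypt its 'data' field.

    Returns the parsed parameters plus 'rc4_key' and, when 'data' is present,
    'plaintext' (bytes). Raises ValueError when the body lacks the parameters
    the advisory lists, so a triage loop over captured requests can skip it.
    """
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    missing = [p for p in REQUIRED_PARAMS if p not in fields]
    if missing:
        raise ValueError("not a Backoff-style body; missing " + ", ".join(missing))
    if len(fields["id"]) != 7:
        raise ValueError("id is expected to be a 7-character string")
    key = derive_rc4_key(fields["id"], static_string, fields["ui"])
    result = dict(fields, rc4_key=key.decode("ascii"))
    if "data" in fields:
        result["plaintext"] = rc4(key, base64.b64decode(fields["data"]))
    return result


def constructed_sample_body(plaintext: bytes, victim_id: str, ui: str,
                            variant: str = "1.55 goo") -> str:
    """Build a constructed (not captured) request body to exercise the decoder.

    Because RC4 is symmetric the same routine produces the 'data' field.
    The Windows version value is a constructed placeholder.
    """
    key = derive_rc4_key(victim_id, STATIC_STRINGS[variant], ui)
    parts = variant.split(" ", 1)
    params = {"op": "1", "id": victim_id, "ui": ui, "wv": "6.1", "bv": parts[0]}
    if len(parts) > 1:          # 1.4 does not send 'gr'
        params["gr"] = parts[1]
    params["data"] = base64.b64encode(rc4(key, plaintext)).decode("ascii")
    return urlencode(params)


if __name__ == "__main__":
    # Values from the advisory's password example: id 'vxeyHkS', ui 'Josh @ PC123456'.
    sample = constructed_sample_body(b"constructed track data", "vxeyHkS", "Josh @ PC123456")
    decoded = decode_post_body(sample, STATIC_STRINGS["1.55 goo"])
    print("RC4 key:", decoded["rc4_key"])
    print("plaintext:", decoded["plaintext"])
```

Pass the static string of the variant identified by the request URI or User-Agent; with the wrong string the key differs and the output is noise rather than an error.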
File Indicators:
The following is a list of Indicators of Compromise (IOCs) that network defenders should add to their security tooling and search for on their networks.
1.4
Packed MD5: 927AE15DBF549BD60EDCDEAFB49B829E
Unpacked MD5: 6A0E49C5E332DF3AF78823CA4A655AE8
Install Path: %APPDATA%\AdobeFlashPlayer\mswinsvc.exe
Mutexes:
uhYtntr56uisGst
uyhnJmkuTgD
Files Written:
%APPDATA%\mskrnl
%APPDATA%\winserv.exe
%APPDATA%\AdobeFlashPlayer\mswinsvc.exe
Static String (POST Request): zXqW9JdWLM4urgjRkX
Registry Keys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
User-Agent: Mozilla/4.0
URI(s): /aircanada/dark.php
1.55 “backoff”
Packed MD5: F5B4786C28CCF43E569CB21A6122A97E
Unpacked MD5: CA4D58C61D463F35576C58F25916F258
Install Path: %APPDATA%\AdobeFlashPlayer\mswinhost.exe
Mutexes:
Undsa8301nskal
uyhnJmkuTgD
Files Written:
%APPDATA%\mskrnl
%APPDATA%\winserv.exe
%APPDATA%\AdobeFlashPlayer\mswinhost.exe
%APPDATA%\AdobeFlashPlayer\Local.dat
%APPDATA%\AdobeFlashPlayer\Log.txt
Static String (POST Request): ihasd3jasdhkas
Registry Keys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
URI(s): /aero2/fly.php
1.55 “goo”
Packed MD5: 17E1173F6FC7E920405F8DBDE8C9ECAC
Unpacked MD5: D397D2CC9DE41FB5B5D897D1E665C549
Install Path: %APPDATA%\OracleJava\javaw.exe
Mutexes:
nUndsa8301nskal
nuyhnJmkuTgD
Files Written:
%APPDATA%\nsskrnl
%APPDATA%\winserv.exe
%APPDATA%\OracleJava\javaw.exe
%APPDATA%\OracleJava\Local.dat
%APPDATA%\OracleJava\Log.txt
Static String (POST Request): jhgtsd7fjmytkr
Registry Keys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
User-Agent:
URI(s): /windows/updcheck.php
1.55 “MAY”
Packed MD5: 21E61EB9F5C1E1226F9D69CBFD1BF61B
Unpacked MD5: CA608E7996DED0E5009DB6CC54E08749
Install Path: %APPDATA%\OracleJava\javaw.exe
Mutexes:
nUndsa8301nskal
nuyhnJmkuTgD
Files Written:
%APPDATA%\nsskrnl
%APPDATA%\winserv.exe
%APPDATA%\OracleJava\javaw.exe
%APPDATA%\OracleJava\Local.dat
%APPDATA%\OracleJava\Log.txt
Static String (POST Request): jhgtsd7fjmytkr
Registry Keys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
User-Agent:
URI(s): /windowsxp/updcheck.php
1.55 “net”
Packed MD5: 0607CE9793EEA0A42819957528D92B02
Unpacked MD5: 5C1474EA275A05A2668B823D055858D9
Install Path: %APPDATA%\AdobeFlashPlayer\mswinhost.exe
Mutexes:
nUndsa8301nskal
Files Written:
%APPDATA%\AdobeFlashPlayer\mswinhost.exe
%APPDATA%\AdobeFlashPlayer\Local.dat
%APPDATA%\AdobeFlashPlayer\Log.txt
Static String (POST Request): ihasd3jasdhkas9
Registry Keys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
User-Agent:
URI(s): /windowsxp/updcheck.php
1.56 “LAST”
Packed MD5: 12C9C0BC18FDF98189457A9D112EEBFC
Unpacked MD5: 205947B57D41145B857DE18E43EFB794
Install Path: %APPDATA%\OracleJava\javaw.exe
Mutexes:
nUndsa8301nskal
nuyhnJmkuTgD
Files Written:
%APPDATA%\nsskrnl
%APPDATA%\winserv.exe
%APPDATA%\OracleJava\javaw.exe
%APPDATA%\OracleJava\Local.dat
%APPDATA%\OracleJava\Log.txt
Static String (POST Request): jhgtsd7fjmytkr
Registry Keys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
URI(s): /windebug/updcheck.php
Impact
The impact of a compromised PoS system can affect both businesses and consumers by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.
Solution
At the time this advisory is released, the variants of the “Backoff” malware family are largely undetected by anti-virus (AV) vendors. However, shortly following the publication of this technical analysis, AV companies will quickly begin detecting the existing variants. It’s important to maintain up-to-date AV signatures and engines as new threats such as this are continually being added to your AV solution. Pending AV detection of the malware variants, network defenders can apply indicators of compromise (IOC) to a variety of prevention and detection strategies.[6],[7],[8] IOCs can be found above.
The forensic investigations of compromises of retail IT/payment networks indicate that the network compromises allowed the introduction of memory scraping malware to the payment terminals. Information security professionals recommend a defense in depth approach to mitigating risk to retail payment systems. While some of the risk mitigation recommendations are general in nature, the following strategies provide an approach to minimize the possibility of an attack and mitigate the risk of data compromise:
Remote Desktop Access
- Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorized attempts to login whether from an unauthorized user or via automated attack types like brute force.[9]
- Limit the number of users and workstations who can log in using Remote Desktop.
- Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).[10]
- Change the default Remote Desktop listening port.
- Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.[11]
- Require two-factor authentication (2FA) for remote desktop access.[12]
- Install a Remote Desktop Gateway to restrict access.[13]
- Add an extra layer of authentication and encryption by tunneling your Remote Desktop through IPSec, SSH or SSL.[14],[15]
- Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks.
- Limit administrative privileges for users and applications.
- Periodically review systems (local and domain controllers) for unknown and dormant users.
Network Security
- Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network. This is especially critical for outbound (e.g., egress) firewall rules in which compromised entities allow ports to communicate to any IP address on the Internet. Hackers leverage this configuration to exfiltrate data to their IP addresses.
- Segregate payment processing networks from other networks.
- Apply access control lists (ACLs) on the router configuration to limit unauthorized traffic to payment processing networks.
- Create strict ACLs segmenting public-facing systems and back-end database systems that house payment card data.
- Implement data leakage prevention/detection tools to detect and help prevent data exfiltration.
- Implement tools to detect anomalous network traffic and anomalous behavior by legitimate users (compromised credentials).
Cash Register and PoS Security
- Implement hardware-based point-to-point encryption. It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities. SRED-approved devices can be found at the Payment Card Industry Security Standards website.
- Install Payment Application Data Security Standard-compliant payment applications.
- Deploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system.
- Assign a strong password to security solutions to prevent application modification. Use two-factor authentication (2FA) where feasible.
- Perform a binary or checksum comparison to ensure unauthorized files are not installed.
- Ensure any automatic updates from third parties are validated. This means performing a checksum comparison on the updates prior to deploying them on PoS systems. It is recommended that merchants work with their PoS vendors to obtain signatures and hash values to perform this checksum validation.
- Disable unnecessary ports and services, null sessions, default users and guests.
- Enable logging of events and make sure there is a process to monitor logs on a daily basis.
- Implement least privileges and ACLs on users and applications on the system.
References
- [1] Windows Remote Desktop
- [2] Apple Remote Desktop
- [3] Chrome Remote Desktop
- [4] Splashtop
- [5] LogMeIn Official Site
- [6] Understanding Indicators of Compromise (IOC)
- [7] Using Indicators of Compromise in Malware Forensics
- [8] Indicators of Compromise: The Key to Early Detection
- [9] Configuring Account Lockout
- [10] Securing Remote Desktop for System Administrators
- [11] Account Lockout and Password Concepts
- [12] NIST Guide to Enterprise Telework and Remote Access Security
- [13] Installing RD Gateway
- [14] Networking and Access Technologies
- [15] Secure RDS Connections with SSL
Revision History
- July 31, 2014 – Initial Release
- August 18, 2014 – Minor revision to remote desktop solutions list
- August 22, 2014 – Changes to the Overview section
- August 26, 2014 – Minor revision to remote desktop solutions list
Controlling access to smart cards
Smart cards are increasingly used in workstations as an authentication method. They are mainly used to provide public key operations (e.g., digital signatures) using keys that cannot be exported from the card. They also serve as data storage, e.g., for the certificate corresponding to the key. In RHEL and Fedora systems, low-level access to smart cards is provided by the pcsc-lite daemon, an implementation of the PC/SC protocol defined by the PC/SC industry consortium. In brief, the PC/SC protocol allows the system to execute certain pre-defined commands on the card and obtain the result. The pcsc-lite implementation uses a privileged daemon process that handles direct communication with the card (e.g., using the CCID USB protocol), while applications communicate with the daemon using the SCard API. That API hides the underlying communication between the application and the pcsc-lite daemon, which is based on unix domain sockets.
However, there is a catch. As you may have noticed, there is no mention of access control in the communication between applications and the pcsc-lite daemon. That is because it is assumed that the access control built into smart cards, such as PINs, pinpads, and biometrics, is sufficient to counter most threats. That isn’t always the case. As smart cards typically contain embedded software in the form of firmware, there will be bugs that can be exploited by a malicious application, and these bugs, even when known, are neither easy nor practical to fix. Furthermore, there are often public files (e.g., without the protection of a PIN) present on a smart card that, while intended for the smart card user, should not always be accessible to all system users. Even worse, certain smart cards allow any user of a system to erase all smart card data by re-initializing the card. All of these led us to introduce additional access control to smart cards, on par with the access control used for external hard disks. The main idea is to provide fine-grained access control on the system, and to specify policies such as “the user on the console should be able to fully access the smart card, but not any other user”. For that we used polkit, a framework used by applications to grant access to privileged operations. The main reason for this decision is that polkit has already been successfully used to grant access to external hard disks, and unsurprisingly the access control requirements for smart cards share many similarities with those of removable devices such as hard disks.
The pcsc-lite access control framework is now part of pcsc-lite 1.8.11 and will be enabled by default in Fedora 21. The advantage it offers is that it can prevent unauthorized users from issuing commands to smart cards, and prevent unauthorized users from reading, writing or (in some cases) erasing any public data from a smart card. The access control is imposed during session initialization, so any potential overhead is kept to a minimum. The default policy in Fedora 21 will treat any user on the console as authorized, since physical access to the console implies physical access to the card, but remote users, e.g., via ssh, or system daemons will be treated as unauthorized unless they have administrative rights.
Let’s now see how the smart card access control can be administered. The system-wide policy for pcsc-lite daemon is available at /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy. That file is a polkit XML file that contains the default rules needed to access the daemon. The default policy that will be shipped in Fedora 21 consists of the following.
<action id="org.debian.pcsc-lite.access_pcsc">
  <description>Access to the PC/SC daemon</description>
  <message>Authentication is required to access the PC/SC daemon</message>
  <defaults>
    <allow_any>auth_admin</allow_any>
    <allow_inactive>auth_admin</allow_inactive>
    <allow_active>yes</allow_active>
  </defaults>
</action>
<action id="org.debian.pcsc-lite.access_card">
  <description>Access to the smart card</description>
  <message>Authentication is required to access the smart card</message>
  <defaults>
    <allow_any>auth_admin</allow_any>
    <allow_inactive>auth_admin</allow_inactive>
    <allow_active>yes</allow_active>
  </defaults>
</action>
The syntax is explained in more detail in the polkit manual page. The parts relevant to pcsc-lite are the action IDs. The action with ID “org.debian.pcsc-lite.access_pcsc” contains the policy for accessing the pcsc-lite daemon and issuing commands to it, i.e., access to the unix domain socket. The second action, with ID “org.debian.pcsc-lite.access_card”, contains the policy for issuing commands to smart cards available to the pcsc-lite daemon. That distinction allows, for example, programs to query the number of readers and cards present without being able to issue any commands to them. Under both policies only active (console) processes are allowed to access the pcsc-lite daemon and smart cards, unless they are privileged processes.
Polkit is more flexible than that, though. With it we can provide even more fine-grained access control, e.g., to specific card readers. For example, if we have a web server that utilizes a smart card, we can restrict it to use only the smart cards in a given reader. These rules are expressed in JavaScript and can be added in a separate file under /usr/share/polkit-1/rules.d/. Let’s now see what the rules for our example would look like.
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "apache") {
        return polkit.Result.YES;
    }
});
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader") == 'name_of_reader' &&
        subject.user == "apache") {
        return polkit.Result.YES;
    }
});
Here we add two rules. The first one allows the user “apache”, which is the user the web server runs under, to access the pcsc-lite daemon. That rule is needed to explicitly allow access to the daemon, because under the default policy only administrators and the console user can access it. The second rule allows the same user to access the smart card reader identified by “name_of_reader”. The name of the reader can be obtained using the commands pcsc_scan or opensc-tool -l.
With these changes to pcsc-lite we manage to provide reasonable default settings for the users of smart cards that apply to most, if not all, typical uses. These default settings increase the overall security of the system, by denying access to the smart card firmware, as well as to data and operations for non-authorized users.
2915720 – Changes in Windows Authenticode Signature Verification – Version: 1.4
Revision Note: V1.4 (July 29, 2014): Revised advisory to announce that Microsoft no longer plans to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. It remains available as an opt-in feature. See the Advisory FAQ section for more information.
Summary: Microsoft is announcing the availability of an update for all supported releases of Microsoft Windows to change how signatures are verified for binaries signed with the Windows Authenticode signature format. The change is included with Security Bulletin MS13-098, but will only be enabled on an opt-in basis. When enabled, the new default behavior for Windows Authenticode signature verification will no longer allow extraneous information in the WIN_CERTIFICATE structure, and Windows will no longer recognize non-compliant binaries as signed.
MS14-JUL – Microsoft Security Bulletin Summary for July 2014 – Version: 1.1
Revision Note: V1.1 (July 29, 2014): For MS14-037, added an Exploitability Assessment in the Exploitability Index for CVE-2014-4066. This is an informational change only.
Summary: This bulletin summary lists security bulletins released for July 2014.
MS13-098 – Critical: Vulnerability in Windows Could Allow Remote Code Execution (2893294) – Version: 1.6
Severity Rating: Critical
Revision Note: V1.6 (July 29, 2014): Revised bulletin to announce that Microsoft no longer plans to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. It remains available as an opt-in feature.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.
MS14-037 – Critical: Cumulative Security Update for Internet Explorer (2975687) – Version: 1.1
Severity Rating: Critical
Revision Note: V1.1 (July 29, 2014): Corrected the severity table and vulnerability information to add CVE-2014-4066 as a vulnerability addressed by this update. This is an informational change only. Customers who have already successfully installed the update do not have to take any action.
Summary: This security update resolves one publicly disclosed vulnerability and twenty-four privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Panda Security achieves the highest detection ratios in the industry’s leading tests
Panda Cloud Antivirus, the free cloud antivirus from Panda Security, offers the highest levels of protection according to the two leading industry product tests, those of AV-Comparatives and AV-TEST.
AV-Comparatives confirms a 99.9% detection ratio
During the more than 150,000 “real world” proactive detection tests carried out from March to June this year by the AV-Comparatives independent laboratory, Panda Security’s free anti-malware solution managed to detect and block 99.9% of threats.
This comparative test of over 20 antivirus solutions highlights the great protection capacity of Panda Security’s solution, beating out other free products such as Avast, AVG or Microsoft’s antivirus; or pay solutions including Kaspersky, McAfee and Sophos.
For more details of the AV-Comparatives test, click here.
100% detection ratio, according to AV-TEST
Similarly, in the “Real-World Protection” test carried out by AV-TEST in May and June, Panda Cloud Antivirus also racked up the maximum score, with a 100% detection ratio for the second consecutive month. Out of 23 products tested by the laboratory, only three achieved the maximum detection rate, and one of these was Panda Cloud Antivirus, the free solution from Panda Security.
In addition to these excellent detection results, it’s important to note that Panda Security has scored maximum points in the AV-TEST “Monthly Consumer Product Testing” performance test in June.
For more details of the AV-TEST product tests, click here
New XMT Smart Engineering engine
The results from both these labs are based on tests carried out on products based on the new XMT (Extreme Malware Terminator) Smart Engineering engine from Panda Security. With XMT, different technologies interact with each other to achieve new levels of efficiency and greater detection and disinfection power to eradicate all threats. The new XMT engine will be included in the new 2015 consumer product line that Panda Security will be presenting in August.
“The best thing is that the platform and engine with which we’re achieving these results are the basis of all our endpoint protection products. Our aim is to continue integrating technologies in the platform to stay in pole position when it comes to detection and provide our users with maximum protection and minimum impact on their systems”, says Luis Corrons, Technical Director of PandaLabs at Panda Security.
Panda Cloud Antivirus 3.0
Panda Security presented Panda Cloud Antivirus version 3.0 last May, after a trial phase during which the product was downloaded more than 30,000 times across 130 countries. The new solution includes, in both the “Free” and “Pro” editions, a new, more modern and intuitive “look and feel”. The solution also delivers improved protection technologies against new threats and attacks that exploit software vulnerabilities and automatically vaccinates USB drives, a feature which is now available to all users of the product, and not just the Pro version, as in the past.
It also includes the highly useful Rescue Kit for dealing with emergencies caused by malware, as well as a more complete process monitor.
UPDATED : VMSA-2014-0006.9 VMware product updates address OpenSSL security vulnerabilities
VMware Security Advisory
Advisory ID: VMSA-2014-0006.9
Synopsis: VMware product updates address OpenSSL security vulnerabilities
Issue date: 2014-06-10
Updated on: 2014-07-22
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470
1. Summary
VMware product updates address OpenSSL security vulnerabilities.
2. Relevant Releases
Big Data Extensions prior to 2.0.0
ESXi 5.5 without patch ESXi550-201406401-SG
ESXi 5.1 without patch ESXi510-201406401-SG
ESXi 5.0 without patch ESXi500-201407401-SG
Workstation 10.x prior to 10.0.3
Workstation 9.x prior to 9.0.4
Player 6.x prior to 6.0.3
Player 5.x prior to 5.0.4
Fusion 6.x prior to 6.0.4
Fusion 5.x prior to 5.0.5
Horizon Mirage Edge Gateway prior to 4.4.3
Horizon View prior to 5.3.2
Horizon View 5.3 Feature Pack X prior to Feature Pack 3
Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm-1.5.0.0-1876270.x86_64.rpm
Horizon Workspace Server 1.8.x without patch horizon-nginx-rpm-1.8.2.1820-1876338.x86_64.rpm
Horizon View Clients prior to 3.0
vCD 5.5.x prior to 5.5.1.2
vCD 5.1.x prior to 5.1.3.1
vCenter prior to 5.5u1b
vCenter prior to 5.1 U2a
vCenter prior to 5.0U3a
vCenter Support Assistant prior to 5.5.1.1
vCloud Automation Center prior to 6.0.1.2
vCenter Configuration Manager prior to 5.7.2
vCenter Converter Standalone prior to 5.5.2
Converter Standalone prior to 5.1.1
vCenter Operations Manager prior to 5.8.2
vCenter Operations Manager prior to 5.7.3
vCenter Chargeback Manager 2.6 prior to 2.6.0.1
vCloud Networking and Security prior to 5.5.2.1
vCloud Networking and Security prior to 5.1.4.1
vSphere PowerCLI 5.x
vCSA prior to 5.5u1b
vCSA prior to 5.1u2a
vCSA prior to 5.0u3a
OVF Tool prior to 5.3.2
Update Manager prior to 5.5u1b
VDDK prior to 5.5.2
VDDK prior to 5.1.3
VDDK prior to 5.0.4
NSX for Multi-Hypervisor 4.1.x prior to 4.1.3
NSX for Multi-Hypervisor 4.0.x prior to 4.0.4
NVP 3.0.x prior to 3.2.3
NSX 6.0.x for vSphere prior to 6.0.5
vFabric Web Server 5.x
Pivotal Web Server prior to 5.4.1
vCenter Site Recovery Manager prior to 5.5.1.1
vCenter Site Recovery Manager prior to 5.1.2.1
vCenter Site Recovery Manager prior to 5.0.3.2
vSphere Replication prior to 5.5.1.1
3. Problem Description
a. OpenSSL update for multiple products.
OpenSSL libraries have been updated in multiple products to versions 0.9.8za and 1.0.1h in order to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to these issues. The most important of these issues is CVE-2014-0224. CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to be of moderate severity. Exploitation is highly unlikely or is mitigated due to the application configuration. CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL Security Advisory (see Reference section below), do not affect any VMware products.
CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server is running a vulnerable version of OpenSSL 1.0.1 and clients are running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating the server will mitigate this issue for both the server and all affected clients. CVE-2014-0224 may affect products differently depending on whether the product is acting as a client or a server and on which version of OpenSSL the product is using. For readability the affected products have been split into 3 tables below, based on the different client-server configurations and deployment scenarios.
MITIGATIONS
Clients that communicate with a patched or non-vulnerable server are not vulnerable to CVE-2014-0224. Applying these patches to affected servers will mitigate the affected clients (see Table 1 below). Clients that communicate over untrusted networks such as public Wi-Fi and communicate to a server running a vulnerable version of OpenSSL 1.0.1 can be mitigated by using a secure network such as VPN (see Table 2 below). Clients and servers that are deployed on an isolated network are less exposed to CVE-2014-0224 (see Table 3 below). The affected products are typically deployed to communicate over the management network.
RECOMMENDATIONS
VMware recommends customers evaluate and deploy patches for affected servers in Table 1 below as these patches become available. Patching these servers will remove the ability to exploit the vulnerability described in CVE-2014-0224 on both clients and servers. VMware recommends customers consider applying patches to products listed in Tables 2 and 3 as required. Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available.
Table 1
=======
Affected servers running a vulnerable version of OpenSSL 1.0.1.
VMware Product | Product Version | Running on | Replace with/Apply Patch
============== | =============== | ========== | ========================
ESXi | 5.5 | ESXi | ESXi550-201406401-SG
Big Data Extensions | 1.1 | | 2.0.0
vCenter Chargeback Manager | 2.6 | | 2.6.0.1
Horizon Workspace Server | 1.5.x | | horizon-nginx-rpm-1.5.0.0-1876270.x86_64.rpm
Horizon Workspace Server | 1.8.x | | horizon-nginx-rpm-1.8.2.1820-1876338.x86_64.rpm
Horizon Mirage Edge Gateway | 4.4.x | | 4.4.3
Horizon View | 5.x | | 5.3.2
Horizon View Feature Pack | 5.x | | 5.3 FP3
NSX for Multi-Hypervisor | 4.1.2 | | 4.1.3
NSX for Multi-Hypervisor | 4.0.3 | | 4.0.4
NSX for vSphere | 6.0.4 | | 6.0.5
NVP | 3.2.2 | | 3.2.3
vCloud Networking and Security | 5.5.2 | | 5.5.2.1
vCloud Networking and Security | 5.1.4 | | 5.1.4.1
Pivotal Web Server | 5.4 | | 5.4.1
vFabric Web Server | 5.x | | Pivotal Web Server 5.4.1
Table 2
=======
Affected clients running a vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating over an untrusted network.
VMware Product | Product Version | Running on | Replace with/Apply Patch
============== | =============== | ========== | ========================
vCSA | 5.5 | | 5.5u1b
vCSA | 5.1 | | 5.1u2a
vCSA | 5.0 | | 5.0u3a
ESXi | 5.1 | ESXi | ESXi510-201406401-SG
ESXi | 5.0 | ESXi | ESXi500-201407401-SG
Workstation | 10.x | any | 10.0.3
Workstation | 9.x | any | 9.0.4
Fusion | 6.x | OSX | 6.0.4
Fusion | 5.x | OSX | 5.0.5
Player | 6.x | any | 6.0.3
Player | 5.x | any | 5.0.4
vCenter Chargeback Manager | 2.5.x | | 2.6.0.1
Horizon Workspace Client | 1.x | OSX | 1.8.2
Horizon Workspace Client | 1.x | Windows | 1.8.2
Horizon View Client | 2.x | Android | 3.0
Horizon View Client | 2.x | iOS | 3.0
Horizon View Client | 2.x | OSX | 3.0
Horizon View Client | 2.x | Windows | 3.0
Horizon View Client | 2.x | WinStore | 3.0
OVF Tool | 3.5.1 | | 3.5.2
OVF Tool | 3.0.1 | | 3.5.2
vCenter Operations Manager | 5.8.x | | 5.8.2
vCenter Operations Manager | 5.7.x | | 5.7.3
vCenter Support Assistant | 5.5.1 | | 5.5.1.1
vCD | 5.5.1.x | | 5.5.1.2
vCD | 5.1.x | | 5.1.3.1
vCenter Site Recovery Manager | 5.5.x | | 5.5.1.1
vCenter Site Recovery Manager | 5.1.x | | 5.1.2.1
vCenter Site Recovery Manager | 5.0.3.x | | 5.0.3.2
vSphere Client | 5.5 | Windows | 5.5u1b
vSphere Client | 5.1 | Windows | 5.1u2a
vSphere Client | 5.0 | Windows | 5.0u3a
Table 3 ======= The following table lists all affected clients running a vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating over a trusted or isolated network. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======= ======= ============= vCenter Server 5.5 any 5.5u1b vCenter Server 5.1 any 5.1u2a vCenter Server 5.0 any 5.0u3a Update Manager 5.5 Windows 5.5u1b vCenter Configuration Manager (VCM) 5.6 5.7.2 ITBM Standard 1.0.1 patch pending ITBM Standard 1.0 patch pending Studio 2.6.0.0 patch pending Usage Meter 3.3 patch pending vCenter Converter Standalone 5.5 5.5.2 vCenter Converter Standalone 5.1 5.1.1 vCloud Application Director 6.0.x patch pending vFabric Application Director 5.2.0 patch pending vFabric Application Director 5.0.0 patch pending vCloud Automation Center 6.0.x 6.0.1.2 VIX API 1.12 patch pending vMA (Management Assistant) 5.1.0.1 patch pending vSphere PowerCLI 5.x See VMware KB 2082132 vSphere Data Protection 5.5.6 patch pending vSphere Data Protection 5.1.11 patch pending vSphere Replication 5.5.1 5.5.1.1 vSphere Replication 5.6 patch pending vSphere SDK for Perl 5.5 patch pending VDDK 5.5.x 5.5.2 VDDK 5.1.x 5.1.3 VDDK 5.0.x 5.0.4 4. 
Solution Big Data Extensions 2.0.0 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-bde ESXi 5.5, 5.1 and 5.0 ---------------------------- Download: https://www.vmware.com/patchmgr/findPatch.portal Horizon Mirage Edge Gateway 4.4.3 --------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-horizon-mirage vCD 5.5.1.2 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download/vcloud-director vCenter Server 5.5u1b, 5.1u2a, 5.0u3a ------------------------------------ Downloads and Documentation: https://www.vmware.com/go/download-vsphere vCSA 5.5u1b, 5.1u2a and 5.0u3a ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere Update Manager 5.5u1b ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere VDDK 5.x ---------------------------- Downloads and Documentation: https://www.vmware.com/support/developer/vddk vCenter Configuration Manager (VCM) 5 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download_vcm vCenter Operations Manager 5.8 and 5.7.3 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/download-vsphere-ops-mgr OVF Tool 3.5.2 -------------- Download: https://www.vmware.com/support/developer/ovf/ vCenter Converter Standalone 5.5.2 ----------------------------------- Downloads and Documentation: https://www.vmware.com/go/download-converter Horizon View 5 ---------------------------- Downloads and Documentation: https://www.vmware.com/go/downloadview Horizon View 5.3 Feature Pack 3 ----------------------------------- Downloads and Documentation: https://www.vmware.com/go/downloadview Horizon Workspace Server 1.5 and 1.8.x ---------------------------- Release Notes and download: http://kb.vmware.com/kb/2082181 Workstation ---------------------- https://www.vmware.com/go/downloadworkstation 
Fusion ------------------ https://www.vmware.com/go/downloadfusion VMware Player ------------------ https://www.vmware.com/go/downloadplayer vCenter Server 5.1 Update 2a ---------------------------------------------------- Download link: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/ vmware_vsphere/5_1 vCenter Server 5.0 Update 3a ---------------------------------------------------- Download link: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/ vmware_vsphere/5_0 vCloud Networking and Security 5.5.2.1 ------------------------------------ Download https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId =353&rPId=5255 vCloud Networking and Security 5.1.4.1 ------------------------------------ Download: https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId =285&rPId=5131 NSX for Multi-Hypervisor, NSX for vSphere and NVP ------------------------------------------------- Remediation Instructions and Download, available under support: http://www.vmware.com/products/nsx vCD 5.5.1.2 and vCD 5.1.3.1 --------------------------- Download link: https://www.vmware.com/go/download-vcd-ns VMware vCenter Chargeback Manager --------------------------------- Download link: https://www.vmware.com/go/download-chargeback Converter Standalone 5.1.1 --------------------------- Download link: https://www.vmware.com/go/download-converter vCenter Support Assistant -------------------------- Downloads: https://www.vmware.com/go/download-vsphere Pivotal Web Server 5.4.1 ------------------------ https://my.vmware.com/web/vmware/details?downloadGroup=VF_530_PVTL_WSVR_541 &productId=335&rPId=6214 vCloud Automation Center -------------------------- Downloads: https://www.vmware.com/go/download-vcac vCenter Site Recovery Manager 5.5.1.1 ------------------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2081861 vCenter Site Recovery Manager 5.1.2.1 
------------------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2081860 vCenter Site Recovery Manager 5.0.3.2 ------------------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2081859 vSphere Replication 5.5.1.1 --------------------------- Remediation Instructions and Download: http://kb.vmware.com/kb/2082666 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470 https://www.openssl.org/news/secadv_20140605.txt http://www.gopivotal.com/security/cve-2014-0224 VMware Knowledge Base Article 2082132 http://kb.vmware.com/kb/2082132 - ----------------------------------------------------------------------- 6. Change Log 2014-06-10 VMSA-2014-0006 Initial security advisory in conjunction with the release of ESXi 5.5 updates on 2014-06-10 2014-06-12 VMSA-2014-0006.1 Updated security advisory in conjunction with the release of Big Data Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3, vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update Manager 5.5u1b on 2014-06-12 2014-06-17 VMSA-2014-0006.2 Updated security advisory in conjunction with the release of ESXi 5.1 updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17 2014-06-24 VMSA-2014-0006.3 Updated security advisory in conjunction with the release of Horizon View 5.3.2, Horizon View 5.3 Feature Pack 3, vCenter Configuration Manager 5.7.2, vCenter Converter Standalone 5.5.2, vCenter Operations Manager 5.8.2, OVF Tool 5.3.2 on 2014-06-24 2014-07-01 VMSA-2014-0006.4 Updated security advisory in conjunction with the release of ESX 5.0 patches, Workstation 10.0.3, Player 6.0.3, Fusion 6.0.4, Horizon Workspace Server 1.5.x and 1.8.x updates, vCD 5.1.3.1, vCenter Server 5.1 update 2a and 5.0 update 3a, vCSA 5.1 update 2a and 5.0 update 3a, Converter 
Standalone 5.1.1, vCenter Chargeback Manager 2.6.0.1, vCloud Networking and Security 5.5.2.1 and 5.1.4.1, NSX for Multi-Hypervisor 4.1.3, NSX for Multi-Hypervisor 4.0.4, NVP 3.2.3 and NSX 6.0.5 for vSphere on 2014-07-01 2014-07-03 VMSA-2014-0006.5 Updated security advisory in conjunction with the release of Workstation 9.0.4, Player 5.0.4, Fusion 5.0.5, vCenter Support Assistant 5.5.1.1, on 2014-07-03 2014-07-08 VMSA-2014-0006.6 Updated security advisory in conjunction with the release of vSphere PowerCLI 5.x on 2014-07-04 and Pivotal Web Server 5.4.1 on 2014-07-08 2014-07-10 VMSA-2014-0006.7 Updated security advisory in conjunction with the release of vCloud Automation Center 6.0.1.2 and vCenter Operations Manager 5.7.3 on 2014-07-10 2014-07-18 VMSA-2014-0006.8 Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.5.1.1 and vSphere Replication 5.5.1.1 on 2014-07-17 2014-07-22 VMSA-2014-0006.8 Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2 on 2014-07-22 - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. All rights reserved. 
-----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.0 (Build 8741) Charset: utf-8 wj8DBQFTzpZcDEcm8Vbi9kMRAga+AKCzEY/Ut+tN3qGTilKf5KslUPO6aQCfXuRp /7HxhovpiO8xURBCf/uu8EI= =YjIJ -----END PGP SIGNATURE-----
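The advisory's exposure rule for CVE-2014-0224 (a man-in-the-middle needs a server on an unpatched OpenSSL 1.0.1 together with a client on an unpatched 0.9.8 or 1.0.1, and patching the server alone covers its clients) is easy to misapply when reading raw `openssl version` output, because OpenSSL letter releases sort as a..z, then za, zb, so "0.9.8za" is newer than "0.9.8y". The script below is an added example, not VMware's tooling and not part of the advisory: it parses version strings of the form `openssl version` prints, compares them against the fixed releases the advisory names (0.9.8za and 1.0.1h), and classifies a server/client pair with the advisory's rule. Branches the advisory does not mention (such as 1.0.0) are deliberately reported as "unknown" rather than guessed; the inventory at the bottom is constructed sample data.

```python
import re
from typing import Optional, Tuple

# First fixed release of each OpenSSL branch named in VMSA-2014-0006.
# Any other branch is reported as "unknown" instead of being guessed.
FIXED_RELEASE = {
    "0.9.8": "za",
    "1.0.1": "h",
}

# Matches "1.0.1g" inside "OpenSSL 1.0.1g 7 Apr 2014"; the suffix may be empty.
_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Optional[Tuple[str, str]]:
    """Return (branch, letter_suffix) from an `openssl version` style string,
    or None when no version number is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), m.group(2)


def _suffix_key(suffix: str) -> Tuple[int, str]:
    # Letter releases run a..z and then za, zb, ...; an empty suffix is the
    # base release. Ordering by (length, text) yields "" < "y" < "z" < "za".
    return (len(suffix), suffix)


def is_patched(text: str) -> Optional[bool]:
    """True if the build is at or after the fixed release for its branch,
    False if older, None if the branch is not one the advisory covers."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return None
    branch, suffix = parsed
    fixed = FIXED_RELEASE.get(branch)
    if fixed is None:
        return None
    return _suffix_key(suffix) >= _suffix_key(fixed)


def ccs_exposure(server_version: str, client_version: str) -> str:
    """Classify a server/client pair with the advisory's CVE-2014-0224 rule:
    exposure requires an unpatched 1.0.1 server AND an unpatched 0.9.8/1.0.1
    client; a fixed server removes the exposure for every client."""
    server = parse_openssl_version(server_version)
    client = parse_openssl_version(client_version)
    if server is None or client is None:
        return "unknown"
    if server[0] not in FIXED_RELEASE or client[0] not in FIXED_RELEASE:
        return "unknown"
    # Only a 1.0.1 server completes the attack; an old 0.9.8 server does not.
    server_vulnerable = server[0] == "1.0.1" and is_patched(server_version) is False
    client_vulnerable = is_patched(client_version) is False
    if not client_vulnerable:
        return "client patched"
    if server_vulnerable:
        return "exposed"
    return "server-side mitigated"


if __name__ == "__main__":
    # Constructed inventory (hypothetical hosts), not data from the advisory.
    inventory = [
        ("mgmt-srv-a", "OpenSSL 1.0.1g 7 Apr 2014", "admin-ws-1", "OpenSSL 0.9.8y 5 Feb 2013"),
        ("mgmt-srv-b", "OpenSSL 1.0.1h 5 Jun 2014", "admin-ws-1", "OpenSSL 0.9.8y 5 Feb 2013"),
        ("mgmt-srv-a", "OpenSSL 1.0.1g 7 Apr 2014", "admin-ws-2", "OpenSSL 1.0.1h 5 Jun 2014"),
        ("legacy-srv", "OpenSSL 1.0.0m 5 Jun 2014", "admin-ws-1", "OpenSSL 0.9.8y 5 Feb 2013"),
    ]
    for srv, srv_ver, cli, cli_ver in inventory:
        print(f"{srv:12} -> {cli:12}: {ccs_exposure(srv_ver, cli_ver)}")
```

Feeding real `openssl version` strings from hosts you administer into `ccs_exposure` reproduces the three-table split in the advisory: "exposed" pairs map to Table 1 servers that need patching first, "server-side mitigated" pairs are clients that still belong on the Table 2 or 3 patch list but no longer carry the MITM risk.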