VMware has released a hefty security update to address flaws in VMware ESX Server and VirtualCenter. Attackers could exploit the flaws to perform actions with escalated privileges, cause a denial of service or compromise a vulnerable machine.
The Heise Security blog has a decent synopsis of the problems addressed:
“Versions 3.0.1 and 3.0.2 of ESX Server include a buffer overflow in the OpenPegasus CIM Management Server that can be exploited by an attacker to remotely inject code and execute it with root privileges,” Heise said.
The problem resides in the PAMBasicAuthenticator::PAMCallback() function, which performs authentication using pluggable authentication modules (PAM). The vendor recommends that users of version 2.5 switch to a bug-fixed release, version 3.0.1 or higher.
VMware also addressed security holes in the ESX Server service console package, which includes Samba, Perl, OpenSSL and util-linux, as well as some older vulnerabilities in software included with VirtualCenter Management Server 2 and ESX Server 3.0.1 and 3.0.2.