In-Reply-To: <Pine.LNX.4.55.0307231606160.25752@mail.securityfocus.com> Description ----------- The following products have a vulnerability that can allow a user of the host system to start an arbitrary program with root privileges. This was previously reported in this advisory: http://www.securityfocus.com/archive/1/330184 This notice announces an additional release that corrects this vulnerability. This release is called: - VMware Workstation 3.2.1 patch 1 Details/Impact -------------- By manipulating the VMware Workstation environment variables, a program such as a shell session with root privileges could be started when a virtual machine is launched. The user would then have full access to the host. VMware strongly urges customers Workstation (for Linux systems) to upgrade as soon as possible. Customers running any version of Workstation (for Windows operating systems) are not subject to this vulnerability. Solution -------- To correct the vulnerability in VMware Workstation 3.2, VMware released the following: - Workstation 3.2.1 patch 1 Details ----------- VMware Workstation customers, if covered under the VMware Workstation Product Upgrade Policy as described at: http://www.vmware.com/vmwarestore/pricing.html are entitled to download and install this updated version from http://www.vmware.com/vmwarestore/newstore/download.jsp?ProductCode=WKST3- LX-ESD This is available today. Upgrade instructions are at http://www.vmware.com/support/ws3/doc/upgrade_ws.html Notes ----- * VMware wishes to thank Paul Szabo of the University of Sydney for alerting us to this vulnerability. His Web page is at: http://www.maths.usyd.edu.au:8000/u/psz/ * VMware has posted a knowledge base article that describes this problem: http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1039
