
VMSA-2016-0021 and VMSA-2016-0022

Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0021 which documents a Moderate severity issue in VMware Identity Manager (vIDM) tracked by CVE-2016-5334.

This issue is similar to a directory traversal (def: OWASP) but based on our analysis the only data you can access are files in the /SAAS/WEB-INF and /SAAS/META-INF directories. While these directories have not been found to contain sensitive data, reading them directly is unintended and warranted a fix.
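As an added defender-side illustration (not part of the original post and not VMware tooling): since the advisory states that the only data reachable through CVE-2016-5334 lives under /SAAS/WEB-INF and /SAAS/META-INF, an access-log check for requests that resolve into those two directories is a practical way to tell whether the unpatched behaviour was probed before the fix was applied. The log format (Apache/NGINX "combined" style), the sample lines, and the function names below are assumptions and constructed data, not a vIDM log schema.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Directories the advisory (VMSA-2016-0021) names as reachable via CVE-2016-5334.
PROTECTED_PREFIXES = ("/SAAS/WEB-INF", "/SAAS/META-INF")

# Apache/NGINX "combined"-style request line. Assumed format, not a vIDM-specific schema.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic); the third and fourth show
# percent-encoded and dot-dot forms that a naive substring match would miss.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Nov/2016:10:01:02 +0000] "GET /SAAS/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Nov/2016:10:01:07 +0000] "GET /SAAS/WEB-INF/web.xml HTTP/1.1" 200 2311 "-" "curl/7.47.0"
10.0.0.9 - - [14/Nov/2016:10:01:09 +0000] "GET /SAAS/%57EB-INF/classes/?x=1 HTTP/1.1" 200 900 "-" "curl/7.47.0"
10.0.0.9 - - [14/Nov/2016:10:01:12 +0000] "GET /SAAS/static/..%2FMETA-INF/MANIFEST.MF HTTP/1.1" 404 411 "-" "curl/7.47.0"
10.0.0.7 - - [14/Nov/2016:10:02:00 +0000] "GET /SAAS/META-INFO/readme HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""


def normalize_path(raw: str) -> str:
    """Drop the query string, percent-decode repeatedly (to undo double
    encoding) and collapse '.'/'..' segments so disguised requests compare
    equal to their plain form."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Some servlet containers accept backslashes as separators; fold them first.
    path = path.replace("\\", "/")
    return normpath(path)


def is_protected_access(target: str) -> bool:
    """True when the normalised path is one of the protected directories or a
    file beneath one (prefix match on a whole path segment, so /SAAS/META-INFO
    does not count)."""
    norm = normalize_path(target).upper()
    return any(norm == p or norm.startswith(p + "/") for p in PROTECTED_PREFIXES)


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "target": m["target"], "status": int(m["status"])}


def find_protected_dir_access(log_text: str) -> list:
    """One finding per request that resolves inside a protected directory.
    'served' is True when the response was below 400, i.e. the read most
    likely succeeded and deserves a closer look."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_protected_access(rec["target"]):
            rec["normalized"] = normalize_path(rec["target"])
            rec["served"] = rec["status"] < 400
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for r in find_protected_dir_access(SAMPLE_LOG):
        print(f'{r["ts"]} {r["ip"]} {r["method"]} {r["normalized"]} '
              f'status={r["status"]} served={r["served"]}')
```

Run against the constructed sample, the check reports the three requests from 10.0.0.9 and ignores both the ordinary page load and the look-alike /SAAS/META-INFO path; the normalisation step is what makes the encoded and dot-dot variants land on the same prefix comparison as the plain request.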

In addition, we would like to clarify that vRealize Automation (vRA) is also called out in this advisory because it consumes vIDM as an RPM and required a fix as well.

We also published VMSA-2016-0022 which documents several issues. While most of the items are straightforward, we would like to clarify the following about issue a.:

1. vSphere 6.5 does not ship with a vSphere Client (a.k.a. the C# or ‘Thick’ Client).
2. To be safe, we recommend first removing and then reinstalling a fixed version of the vSphere Client.
3. Knowledge Base Article 2089791 is a great resource for directly downloading fixed versions of the vSphere Client.

We have classified the severity of the issues as either ‘Important’ or ‘Moderate’ in accordance with our Security Response Policy.

We also updated VMSA-2016-0005.5 and VMSA-2016-0018.3. Please see section ‘6. Change Log’ in the advisories for details.

Please sign up to be notified when new and updated VMSAs are released here.

That’s it for now.

Drop us a line at security@vmware.com if you have any questions on these vulnerabilities or advisories.

New VMware Security Advisory VMSA-2016-0020 and Updated Advisories

Today VMware has released the following new and updated security advisories:

New:
  VMSA-2016-0020

Updated:
  VMSA-2016-0016.1
  VMSA-2016-0018.1

The new advisory documents a deserialization vulnerability in the vRealize Operations REST API, CVE-2016-7462.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware Workstation target at the PwnFest hacking competition

VMware Workstation is among the targets of the PwnFest hacking competition. At this event, which is organized alongside the Power of Community security conference in Seoul, security researchers are demonstrating their attack capabilities. The event is modeled after the well-known Pwn2Own competition.

Earlier today at the event, the 360 Marvel Team and security researcher Lokihardt (JungHoon Lee) used the same issue to demonstrate that they could execute code on the VMware Workstation host from the guest. We have received details on this issue directly from the researchers and we are now working on a solution. We have confirmed that the issue is limited to VMware Workstation and VMware Fusion and that ESXi is not affected.

We would like to thank the organizers of the event, the 360 Marvel Team, and Lokihardt for working with us to address the issue.

November 13 update
Today, we’ve published VMware Security Advisory VMSA-2016-0019 which documents the release of VMware Workstation 12.5.2 and VMware Fusion 8.5.2. These new Workstation and Fusion versions address the issue that was demonstrated at the PwnFest event. The issue has been assigned CVE identifier CVE-2016-7461.

VMSA-2016-0018

Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0018 which documents products affected by CVE-2016-5195, a.k.a. the ‘Dirty COW’ vulnerability. In addition, we have also released Knowledge Base Article 2147515 which documents unaffected products.

There are a few points I’d like to make about our evaluation of this issue and its effect on our products.

We have classified the severity of this issue as ‘Important’ in accordance with our Security Response Policy.

There are 2 requirements that must be met for a product to be considered affected by CVE-2016-5195:

  1. The product must ship with a vulnerable Linux kernel.
  2. There must be a valid attack vector that can be used to exploit the vulnerability.

During our evaluations we found that VMware appliances do indeed ship with a vulnerable Linux kernel and so meet requirement 1. However, only a select few of these appliances meet requirement 2 and are therefore considered affected. These affected products, as well as remediation information, are documented in VMSA-2016-0018, which will be updated as more fixes become available.

Also, we understand that various automated vulnerability scanners will most likely flag products we have listed as unaffected in KB 2147515 as affected. We want to make it clear that while these products are not affected, we will still be rolling out kernel updates for them in maintenance releases as a precautionary measure.

Please sign up to be notified when new and updated VMSAs are released (see the right side of this page), as we will be updating VMSA-2016-0018 over the next few weeks.

That’s it for now.

Drop us a line at security@vmware.com if you have any questions on the vulnerability or advisory.

New VMware Security Advisory VMSA-2016-0017

Today VMware has released the following new security advisory:

VMSA-2016-0017 – VMware product updates address multiple information disclosure issues

This advisory addresses multiple information disclosure issues: CVE-2016-5328 in VMware Tools (versions 9.x and 10.x) running in Mac OS X VMs, and CVE-2016-5329 in VMware Fusion (versions 8.x).

Successful exploitation of these issues may allow a privileged local user on a system where System Integrity Protection (SIP) is enabled to obtain kernel memory addresses and thereby bypass the kASLR protection mechanism. SIP is enabled by default in the latest versions of Mac OS X.

VMware would like to thank Marco Grassi (@marcograss) of KeenLab (@keen_lab), Tencent for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware Security Response Center and Certifications @ VMworld Barcelona

Visit us at VMworld in Barcelona!

If you are at VMworld next week, come over to the VMware Security Response and Certification booth at the Solutions Exchange to hear how we keep customers safe. Also, in the same booth we have daily theater presentations on VMware Certifications and VMware Security Response Center.

VMSA-2016-0016

Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0016 which documents CVE-2016-7457 – a Critical severity issue in vRealize Operations (vROps).

Due to the severity of this issue we have released emergency patches that resolve it in the latest supported versions of the product. Generally speaking, a privilege escalation would fall into the Important severity category, but because an attacker could also stop and delete VMs unrelated to vROps, we rated this issue as Critical. In addition, the fix is scheduled to be rolled into the next release of vROps.

Thanks to Edgar Carvalho for reporting this issue to us. Edgar runs a blog over at http://vman.ch. Great find!

That’s it for now.

Drop us a line at security@vmware.com if you have any questions on the vulnerability or advisory.

VMware Security Advisory VMSA-2016-0015

Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0015 which documents an Important severity issue in VMware Horizon View.

During internal discussions the most common question I have been asked about CVE-2016-7087 is why the issue has been classified as Important rather than Critical. The reason is that, after thorough investigation, we determined that the information that can be pulled from the server does not appear to be particularly sensitive. That being said, this is still unintended behavior of our product, so we strongly recommend updating to the fixed versions listed in our VMSA.

We also want to thank Mike Arnold (Bruk0ut), working with Trend Micro’s Zero Day Initiative, for responsibly disclosing this issue to us. Thanks Mike!

That’s it for this week. Stay tuned.

Drop us a line at security@vmware.com if you have any questions.

Newly Released STIG Validates VMware NSX Meets the Security Hardening Guidance Required for Installment on Department of Defense (DoD) Networks

As the first software-defined networking solution with a published STIG, VMware NSX meets the security hardening guidance required for installment on Department of Defense (DoD) networks. The VMware NSX STIG provides the technical security policies, requirements, and implementation details for applying security concepts to NSX. Agencies within the DoD and other Federal Agencies can now deploy NSX with the STIG guidelines to bring IT agility and security to the data center to help save both time and money.

For more details, see the company press release:

http://www.vmware.com/company/news/releases/vmw-newsfeed.Newly-Released-STIG-Validates-VMware-NSX-Meets-the-Security-Hardening-Guidance-Required-for-Installment-on-Department-of-Defense-%28DoD%29-Networks.2093065.html

VMSA-2016-0014

Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0014 which documents several critical and important severity issues in VMware Workstation and VMware Tools. Below are some more detailed explanations of these issues.

Issues a. and b. are very similar: both are rated critical, the outcome of exploitation is the same, and both have a viable workaround. We have reserved CVE-2016-7081, CVE-2016-7082, CVE-2016-7083, and CVE-2016-7084 for these issues. In summary, a Windows-based virtual machine can execute arbitrary code in the VMware Workstation hypervisor it is running on, so long as Workstation itself is also running on Windows. Virtual printing must be enabled for exploitation to be possible; although VMware Workstation for Windows ships with virtual printing disabled by default, we understand that this is a popular feature that many of our customers use. Thanks to Mateusz Jurczyk of Google’s Project Zero, who reported the majority of these issues. In addition, we would like to thank the development teams at Cortado for providing fixes for these issues in such a short amount of time.

Issue c. is a privilege escalation by way of two separate NULL pointer dereferences, which we have rated as important. We have reserved CVE-2016-7079 and CVE-2016-7080 for these issues. We want to point out that while we list ESXi and Fusion as relevant products, this is only because many of our customers prefer to deploy updated VMware Tools via the hypervisor rather than downloading the stand-alone version we have made available. Also, please note that this issue only affects Apple OS X-based virtual machines, which are only supported in ESXi and Fusion, and that you do not necessarily need to update your hypervisor to resolve these issues; updating VMware Tools in the OS X guest is sufficient. Thanks to Dr. Fabien Duchene (“FuzzDragon”) and Jian Zhu, who independently reported these issues to us.

Issues d. and e. are similar in severity (both are rated as important) and in the outcome of exploitation. We reserved CVE-2016-7085 and CVE-2016-7086 for these issues. Issue d. is a DLL hijack, which is typically used by attackers to persist on a compromised machine after some kind of exploitation has already occurred; however, it can also be used in conjunction with social engineering and/or phishing techniques as an initial means of exploitation. Issue e. has the same attack vectors but is only exploitable at the time VMware Workstation is installed on a Windows-based OS. Stefan Kanthak, Anand Bhat, and Himanshu Mehta independently reported the DLL hijack to us, while Adam Bridge reported the .exe loading issue. Thanks to all!

As always please drop us a line at security@vmware.com if you have any questions or comments.