Home > Blogs > VMware Security & Compliance Blog

New VMware Security Advisory VMSA-2017-0009

Today VMware has released the following new security advisory:

VMSA-2017-0009 – VMware Workstation update addresses multiple security issues

This documents an important severity insecure library loading issue via ALSA sound driver configuration files (CVE-2017-4915) and a moderate severity NULL pointer dereference issue (CVE-2017-4916) affecting Workstation Pro/Player.

All VMware Workstation Pro/Player 12.x are affected.

Successful exploitation of the insecure library loading issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.

The NULL pointer dereference vulnerability exists in the vstor2 driver and may allow host users with normal user privileges to trigger a denial-of-service in a Windows host machine.

Workstation Pro/Player 12.5.6 fixes all these issues.

VMware would like to thank Jann Horn of Google Project Zero and Borja Merino for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0008.2

Update 04/21/2017: Updated security advisory to clarify the Unified Access Gateway and Horizon View affected versions.

Update 04/19/2017: We have corrected the Horizon View Client for Windows version.

Today VMware has released the following new security advisory:

VMSA-2017-0008.2 – VMware Unified Access Gateway, Horizon View and Workstation updates resolve multiple security vulnerabilities

This documents several critical memory corruption vulnerabilities affecting VMware Unified Access Gateway (formerly called Access Point) (8.2.x, 2.7.x and 2.5.x), Horizon View (7.x, 6.x),  and Horizon View Client for Windows (4.x) and Workstation (12.5.x).

Issue (a) is a heap-based buffer overflow vulnerability (CVE-2017-4907) which affects VMware Unified Access Gateway and Horizon View. This issue may be exploited remotely to execute code on the security gateway. VMware Unified Access Gateway 2.9 is not affected. This issue has been addressed in VMware Unified Access Gateway 2.8.1, Horizon View 7.1.0 and 6.2.4.

Issues (b), (c) and (d) are heap-based buffer-overflow, out-of-bounds read/write and integer-overflow vulnerabilities (CVE-2017-4908, CVE-2017-4909, CVE-2017-4910, CVE-2017-4911, CVE-2017-4912, CVE-2017-4913) in JPEG2000 and TrueType Font (TTF) parsers in the TPView.dll. These issues exist due the use of vulnerable Cortado ThinPrint component and impact VMware Horizon View Client for Windows and Workstation. Exploitation is possible only if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View. These issues have been addressed in VMware Workstation 12.5.3 and  Horizon View Client for Windows 4.4.0.

We would like to thank Claudio Moletta (redr2e), and Ke Liu of Tencent’s Xuanwu Lab,  Gogil and Giwan Go of STEALIEN working with ZDI for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0007

On Tuesday, 4th of April 2017 a remote code-execution issue in the BlazeDS library (CVE-2017-5641) was disclosed in a US-CERT security advisory. We have reviewed the issue and determined that VMware vCenter Server 6.5 and 6.0 are affected due to the use of BlazeDS to process AMF3 messages. VMware vCenter Server 5.5 is not affected.

We have released the following new security advisory which documents the fixes for VMware vCenter Server 6.5 and 6.0 along with the workarounds:

VMSA-2017-0007– VMware vCenter Server update resolves a remote code execution vulnerability via BlazeDS

Successful exploitation of this issue may allow an attacker to execute arbitrary code when deserializing an untrusted Java object. The issue is present in the Customer Experience Improvement Program (CEIP) opt-in UI. The vulnerability will still be present even if a customer has opted out of CEIP. Resolution of this vulnerability requires applying the fixes or the workarounds. We have also investigated this issue against the other VMware products. VMware products which are not listed in the security advisory are not affected.

We would like to thank Markus Wulftange of Code White GmbH for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

The Security Landscape: Pwn2Own 2017

During the 2017 Pwn2Own competition at CanSecWest, two teams succeeded in demonstrating arbitrary host code execution on VMware Workstation. Today, VMware is releasing updated versions of VMware vSphere ESXi, VMware Fusion, and VMware Workstation to address these vulnerabilities. VMSA-2017-0006 contains details on impacted versions and the releases which contain fixes.

No active exploitation

VMware is not aware of any active exploitation of the vulnerabilities revealed in this competition. Though the vulnerabilities seem to apply to all VMware virtual platforms (ESXi, Fusion, and Workstation), demonstration exploit code appears to exist only for VMware Workstation for Windows.

The rules of the Pwn2Own competition stipulate that contestants provide their vulnerabilities exclusively to ZDI (the contest organizer), who in turn provides the vulnerability only to the affected company. We appreciate ZDI and the contestant’s commitment to responsible disclosure practices, enabling VMware to release updates before details of the vulnerabilities become known.

Vulnerabilities Found

The following vulnerabilities were identified and analyzed:

  • SVGA I: CVE-2017-4902 critical
    Heap overflow leading to arbitrary code execution
  • SVGA II: CVE-2017-4903 critical
    Uninitialized stack value leading to arbitrary code execution
  • XHCI: CVE-2017-4904 critical
    Uninitialized stack value leading to arbitrary code execution
  • CVE-2017-4905 moderate
    Uninitialized memory read leading to information disclosure

VMware also recommends examining the vSphere Hardening Guide and
vSphere Security Guide. Among the recommendations in the guides is to remove unnecessary virtual hardware. Removing unnecessary virtual hardware increases the complexity of exploitation and can partially mitigate the issues, but cannot be a full mitigation due to the nature of modern graphics functionality. Exercise caution: removing virtual hardware can have adverse effects on functionality or performance, and often requires the virtual machine be powered off for reconfiguration.

Risk Management

The best response is to apply the patches which correct these defects. VMware employs technologies like vMotion and VUM to reduce the disruption of deploying security patches. Further, VMware recognizes that deploying patches does carry operational complexities, and understands that further improving this situation is among our customer’s greatest needs.

One common aspect of all these vulnerabilities is the need to run arbitrary code in the guest to begin the exploit chain. (VMware categorizes guest escapes as “remotely exploitable” only for CVSS scoring purposes, as our security model assumes untrustworthy guests). Normal defensive mechanisms like antivirus and firewalls installed in the guest can prevent an attacker from having the degree of access necessary to attack the hypervisor. Locked-down environments like a production database should already disallow running arbitrary code, and thus mitigate this sort of attack.

Customers should consider the need to update for a full mitigation, the absence of active exploitation, the pace at which updates can safely be deployed, and any other risk mitigations (like IDS applications) which may protect their environments. At this point VMware’s recommendation is that customers expedite updating, though need not take emergency measures like taking environments offline.

Some readers may be interested in a more detailed discussion of VMware’s approach to the security landscape.

Pwn2Own and Hypervisor Security Research

VMware engineers have been attending security conferences on a regular basis for many years. This enables us to respond to any discovered vulnerabilities as quickly as possible, and also allows us to develop a constructive relationship with security researchers from around the world. Our engineers have been in contact with the Qihoo 360 team for quite some time, beginning with last year’s Pwn2Own 2016 competition. This year was our first introduction to the Tencent team.

At CanSecWest 2016, Qihoo 360 presented work on using fuzzers to detect virtual machine escapes. That work was primarily on QEMU-based hypervisors (CVEs disclosed) but also including VMware hypervisors (no vulnerabilities disclosed). For the first time, the Pwn2Own 2016 competition included a hypervisor platform (VMware Workstation running on Microsoft Windows 10) as a target; no teams chose to make an attempt.

At Power Of Community 2016 (Seoul, South Korea) during the PwnFest competition, Qihoo 360 and Lokihardt independently demonstrated the same guest escape for VMware Workstation via drag-and-drop functionality (not included in ESXi). VMware engineers were on hand to receive information about that vulnerability (CVE-2016-7461), leading to the release of VMware Workstation 12.5.2 and VMware Fusion 8.5.2 several days later. Further mitigations and fixes for related bugs were included in the 12.5.3/8.5.4 (VMSA-2017-0003) and 12.5.4/8.5.5 (VMSA-2017-0005) releases.

At CanSecWest 2017, the Qihoo 360 team presented details on how they had found and exploited the drag-and-drop bug several months before at PwnFest. Again VMware engineers were on hand, and communicated with the team before the presentation occurred to discuss what would be covered, and understand what techniques the team used to find and exploit vulnerabilities. The same engineers also received full details and clarifications about the vulnerabilities used in Pwn2Own 2017 directly from the researchers from Qihoo 360 and Tencent.

These connections are important within the security community. The Qihoo 360 and Tencent teams are premier commercial security research teams in this space; as much as they profit (in both reputation and financially) from VMware software, VMware benefits in understanding modern offensive security research techniques and being held accountable to modern security practices. The learning and accountability gained from these events is vital to maintaining the high quality our customers expect from VMware’s flagship hypervisor products.

The security landscape has changed dramatically over the past several years. Whereas twenty years ago it took a single bug to break software, and ten years ago it generally took two bugs (an information leak to break ASLR, and the actual exploit), today’s cutting edge defensive technologies can force an attacker to construct a chain of as many as six bugs to break out of a web browser and its associated sandbox. Modern fuzzers like AFL have become several orders of magnitude more efficient at revealing exploitable bugs. With the principles of responsible disclosure to connect researchers and software authors, the end result is ever-better software.

As an anecdote, a significant number of researchers at the CanSecWest conference used VMware Workstation or VMware Fusion to give live demonstrations of their work (both offensive and defensive). We saw researchers use debuggers to simulate (destructive) exploits, show techniques on multiple operating systems during a single talk, or use a virtual machine to simultaneously run their slides and unsafe (un-patched) software to demonstrate a particular technique. VMware recognizes the responsibility that goes with being an important tool for cutting-edge security research, and the inherent requirements of those security researchers to ensure any malware or vulnerable software they may be researching remains contained within virtual machines. As security knowledge moves forward, so do VMware’s technologies and techniques to keep researchers protected.

The Evolving Security Landscape

A “guest escape” – arbitrary code execution on a virtual machine host – is the worst category of bug for virtualization software (CVSS of 10.0). VMware software has done well over time in defending against malicious software, though this is not the first guest escape demonstrated in VMware’s history (see most notably CVE-2009-1244 “Cloudburst”, which also affected the virtual SVGA device implementation).

The single best defense against this type of security issue is depth. A robust chain of defenses includes using firewalls / network IDS to control access to virtual machines, running anti-virus or other host IDS to block malicious software from running on a virtual machine, and the hypervisor itself to isolate virtual machines from each other. At some point in time, any of these layers may miss something important or have a bug; the goal is to have enough layers that not all can be breached simultaneously.

At VMworld 2016 (Las Vegas and Barcelona), VMware included a session on security risks around “guest escapes”. The message then remains the same as the message now: security risks are both human and technical, and we consistently see the human aspect under-prioritized when the technical aspect becomes newsworthy. Hypervisor arbitrary code execution bugs are still VERY complicated to discover and exploit; they command the highest prizes at competition and only the best-resourced teams have been able to enter the space, though the barrier to entry is lessening. By contrast, our experience has consistently shown that the biggest threat to IT of any kind is misconfiguration and lax operational practices. We should also learn from web browsers: the average user is at greater risk from phishing than from a web browser vulnerability, and the most effective defense is to stay up to date with patches.

VMware’s Software Development Lifecycle applies a similar defense in depth strategy. We use code reviews to get human eyeballs looking for problems, and also deploy static analysis tools, threat modeling, external audits, and testing (including fuzz testing) to minimize the chances of a vulnerability escaping detection.

To characterize the change we are seeing in the security landscape right now, there is a gradual evolution in targets that can be attacked. When VMware models threats, we consider three categories of actor. The “nation-state” actor has vast resources but generally employs them against limited targets; such an actor will find a way to breach security, whether by technical means or something simpler (money, ideology). The “professional” actor has more limited resources, and tends to look for the softest and most profitable target; defending against this actor amounts to staying on or ahead of the security research curve. And the “script kiddie” uses off-the-shelf resources and previously-known issues; defending here generally requires little more than staying up to date, and the biggest risk is installations which fail to deploy existing patches. The Pwn2Own competition shows that the difficulty of hypervisor attacks is moving from the “nation-state” category to the upper end of the “professional” category. This is a trend we have been expecting for a while, as security research tools become more powerful.

As offensive security evolves, so does defensive security. With vSphere 6.5, VMware began deploying sandboxing technology around virtual machines to prevent a single arbitrary code execution from spreading across a host – a technique we have adapted from studying how web browsers and cell phones have evolved to defend against offensive security research. We are proactively disabling or removing legacy features – the loss in compatibility is increasingly outweighed by the reduction in attack surface. And we are investing deeply in ease-of-upgrade, recognizing that prompt security patches do little good if they cannot be deployed to production in time.


Ultimately, our security mindset is to ask “when”, not “if”, a security vulnerability will occur. This means being proactive in looking for vulnerabilities, staying in touch with the security community to be aware of current trends and research, and developing more efficient means to deploy the inevitable fixes as they become ready.

As always, our goal is to provide customers with the tools they need to operate at their most efficient, while retaining the security mechanisms we all depend upon in the modern IT environment.

VMware Workstation target at Pwn2Own 2017

Update March 28 – Release of VMware Security Advisory VMSA-2017-0006
Today VMware released VMSA-2017-0006, which documents the remediation of the critical and moderate issues reported out of the Pwn2Own competition. These issues affect ESXi, VMware Workstation, and VMware Fusion, and may allow a guest to execute code on the host.
VMware recommends that customers expedite updating but that emergency measures like taking environments offline are not called for.
We’ve also published a new blogpost The Security Landscape: Pwn2Own 2017.

Original post
The Pwn2Own competition organized by Trend Micro’s ZDI has just wrapped up at Vancouver. VMware Workstation was a target at this competition.

In total, two teams managed to show that they could execute code on the VMware Workstation host from the guest. We are currently investigating these issues after having received the details from the teams directly. The issues were demonstrated on Workstation and we are investigating impact of them on ESXi and Fusion.

We would like to thank ZDI, Team 360 Security from Qihoo, and Team Sniper from Tencent Security for working with us to address the issues.

New VMware Security Advisory VMSA-2017-0005

Today VMware has released the following new security advisory:

VMSA-2017-0005 – VMware Workstation and Fusion updates address out-of-bounds memory access vulnerability

The advisory documents a critical severity out-of-bounds memory access vulnerability (CVE-2017-4901). Exploitation of the issue may allow a guest to execute code on the operating system that runs Workstation or Fusion. ESXi is not affected.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.


Update 3/17/17: Several revisions of the advisory have been released which provide more workarounds and fixes for our products including DaaS and vROps. Please see the changelog in section 6. for details.

Update 3/14/17: Do not apply the workaround previously provided for vCenter 6.5 as it has been shown to have functional impacts in customer environments. VMSA-2017-0004 will be updated if a viable workaround is confirmed. We have not received reports of problems with the 6.0 workaround.

Greetings from the VMware Security Response Center!

By now I am sure you have all heard about the Apache Struts 2 remote code execution vulnerability identified by CVE-2017-5638 which was disclosed last week. If you haven’t, welcome! You can find the original advisory from Apache here to get yourself caught up. In response, the VMware Security Engineering, Communications, and Response group (vSECR) immediately began investigations into the vulnerability and how it may affect our products. The outcome of these investigations can be found in VMSA-2017-0004.

The product teams are working on getting fixes published as soon as possible. For now, the advisory documents available workarounds that concerned customers can implement today. We also want to clarify that products not listed in this advisory are not affected by CVE-2017-5638. VMSA-2017-0004 will be updated when fixes become available for the listed products.

Please sign up to be notified when the VMSA gets updated with fixes and workarounds here.

That’s it for now.

Drop us a line at security@vmware.com if you have any questions about the advisory.

New VMware Security Advisory VMSA-2017-0003

Today VMware has released the following new security advisory:

VMSA-2017-0003 – VMware Workstation update addresses multiple security issues

The advisory documents an important severity DLL loading issue (CVE-2017-4898) and two moderate severity security issues (CVE-2017-4899  and CVE-2017-4900) in the SVGA driver of VMware Workstation Pro/Player. All versions of Workstation Pro/Player 12.x are affected.

Issue a is DLL hijacking issue that occurs due to the “vmware-vmx” process loading DLLs from a path defined in the local environment-variable and can be exploited to escalate privileges to System by normal users in the host machine where VMware Workstation is installed.
Issue b exists in the SVGA driver and can be triggered only when the host has no graphics card or no graphics drivers are installed. An attacker may exploit this issue to crash the VM or trigger an out-of-bound read.
Issue c is a NULL pointer dereference vulnerability in SVGA driver and may allow attackers with normal user privileges to crash their VMs.
Workstation Pro/Player 12.5.3 fixes all these issues.

VMware would like to thank Ivil, Marco Grassi (@marcograss) of KeenLab (@keen_lab) Tencent and Saar Amar (@AmarSaar) for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

New VMware Security Advisory VMSA-2017-0002

Greetings from the VMware Security Response Center !

Today VMware has released the following new security advisory:

VMSA-2017-0002 – Horizon DaaS update addresses an insecure data validation issue”

The advisory documents a moderate severity insecure data validation issue (CVE-2017-4897) in VMware Horizon DaaS. All 6.1.x versions are affected.

This vulnerability can be exploited by tricking DaaS client users into connecting to a malicious server and sharing all their drives and devices. Horizon DaaS 7.0.0 carries a fix for this issue.

VMware would like to thank Ahmad Ashraff of Aura Information Security for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA-2016-0023 and VMSA-2016-0024

Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0023 and VMSA-2016-0024.

VMSA-2016-0023 – VMware ESXi updates address a cross-site scripting issue

These updates address a stored cross-site scripting vulnerability (CVE-2016-7463) in the ESXi Host Client which we have rated as an Important severity issue. The issue can be introduced by an attacker that has permission to manage virtual machines through ESXi Host Client or by tricking the vSphere administrator to import a specially crafted VM.

Just to clarify, no action is required from organizations who are using ESXi 6.5. Those who are on ESXi 6.0 or 5.5 will need to install the ESXi patches listed in VMSA-2016-0023 to resolve this issue.

In addition to our supported ESXi releases, we also have a ESXi Host Client fling available. Even though flings fall under the Technical Preview License and are not meant to be used in a production environment we have provided a fix for this issue in 1.13.0.

Caleb Watt (@calebwatt15) reported this issue to us – great find Caleb!

VMSA-2016-0024 – vSphere Data Protection (VDP) updates address SSH Key-Based authentication issue

This vulnerability (CVE-2016-7456) is resolved by applying the script found in KB2147069. We have investigated possible workarounds for the issue such as disabling SSH but unfortunately they are not feasible. Because an attacker would need to be able to reach port 22 on the VDP appliance to take advantage of the vulnerability, limiting access to this via perimeter and internal security measures can help to mitigate the issue. However, due to the issue’s Critical severity it is strongly advised that customers using VDP apply the fix for this issue immediately.

Marc Ströbel (aka phroxvs) from HvS-Consulting tipped us off to this issue – thanks Marc!

Please sign up to be notified when new and updated VMSAs are published here.

That’s it for now.

Drop us a line at security@vmware.com if you have any questions on these vulnerabilities or advisories.