Greetings from the VMware Security Response Center!
Today we released VMSA-2016-0014, which documents several critical- and important-severity issues in VMware Workstation and VMware Tools. Below are more detailed explanations of these issues.
Issues a. and b. are very similar – they are both rated critical, the outcome of exploitation is the same, and they both have a viable workaround. We have reserved CVE-2016-7081, CVE-2016-7082, CVE-2016-7083, and CVE-2016-7084 for these issues. In summary, a Windows-based virtual machine can execute arbitrary code in the VMware Workstation hypervisor it is running on, so long as Workstation is also running on Windows. Virtual printing must be enabled for exploitation to be possible, and although VMware Workstation for Windows ships with virtual printing disabled by default, we understand that this is a popular feature that many of our customers use. Thanks to Mateusz Jurczyk of Google’s Project Zero, who reported the majority of these issues. In addition, we would like to thank the development teams at Cortado for providing fixes for these issues in such a short amount of time.
Issue c. is a privilege escalation by way of two separate NULL pointer dereferences that we have rated as important. We have reserved CVE-2016-7079 and CVE-2016-7080 for these issues. We want to point out that while we list ESXi and Fusion as relevant products, this is only because many of our customers prefer to deploy updated VMware Tools via the hypervisor rather than downloading the stand-alone version we have made available. Also, please note that this issue only affects Apple OS X-based virtual machines, which are only supported in ESXi and Fusion, and that you do not necessarily need to update your hypervisor to resolve these issues – just updating VMware Tools in the OS X guest is sufficient. Thanks to Dr. Fabien Duchene “FuzzDragon” and Jian Zhu, who independently reported these issues to us.
Issues d. and e. are similar in severity (both are rated as important) as well as in the outcome of exploitation. We reserved CVE-2016-7085 and CVE-2016-7086 for these issues. Issue d. is a DLL hijack, which is typically used by attackers to persist on a compromised machine after some kind of exploitation has already occurred; however, it can also be used in conjunction with social engineering and/or phishing techniques as an initial means of exploitation. Issue e. has the same attack vectors, but is only exploitable at the time VMware Workstation is installed on a Windows-based OS. Stefan Kanthak, Anand Bhat, and Himanshu Mehta independently reported the DLL hijack to us, while Adam Bridge reported the .exe loading issue. Thanks to all!
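A DLL hijack of the kind described for issue d. is only possible when a directory that Windows searches for DLLs can be written to by a non-privileged principal. The following PowerShell script is an added example for administrators (it is not VMware's code and is not tied to the specific DLL involved in this advisory): it walks the application directory, the system directories, and every PATH entry, and reports any directory where broad, non-administrative groups hold file-creation or write rights. The install path and the list of "risky" principals are assumptions that you should adjust for your environment.

```powershell
# Added example, not part of VMSA-2016-0014 or VMware's tooling.
# Reports directories in the DLL search path that non-admin principals can write to,
# which is the precondition an attacker needs for DLL planting (issue d.).

# Assumption: placeholder install path; point this at your actual Workstation directory.
$AppDir = 'C:\Program Files (x86)\VMware\VMware Workstation'

# Assumption: principals whose Allow ACEs we treat as risky. Extend as needed.
$RiskyPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-WritableSearchPathDirs {
    param(
        [Parameter(Mandatory)] [string[]] $Directories,
        [Parameter(Mandatory)] [string[]] $Principals
    )

    # Rights that let a user drop or replace a file in the directory.
    $mask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Write, Modify, FullControl'

    foreach ($dir in ($Directories | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique)) {
        try {
            $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop
        } catch {
            # Unreadable ACL (e.g. access denied) is not a finding; skip it.
            continue
        }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $mask) -eq 0) { continue }

            [pscustomobject]@{
                Directory = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

# Build the candidate list in the order Windows consults it: the application directory,
# the System32 and Windows directories, then every PATH entry.
$candidates = @($AppDir, "$env:SystemRoot\System32", $env:SystemRoot) + ($env:PATH -split ';')

Get-WritableSearchPathDirs -Directories $candidates -Principals $RiskyPrincipals |
    Format-Table -AutoSize
```

An empty result means none of the listed groups can plant a file in those directories. For issue e., which is only exploitable while the installer runs, the same check is worth running against the directory the installer is launched from (for example a shared Downloads folder) before starting the installation.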
As always please drop us a line at firstname.lastname@example.org if you have any questions or comments.