
Monthly Archives: November 2016

VMSA-2016-0021 and VMSA-2016-0022

Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0021, which documents a Moderate severity issue in VMware Identity Manager (vIDM) tracked by CVE-2016-5334.

This issue is similar to a directory traversal (def: OWASP) but based on our analysis the only data you can access are files in the /SAAS/WEB-INF and /SAAS/META-INF directories. While these directories have not been found to contain sensitive data, reading them directly is unintended and warranted a fix.
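A detection sketch for the exposure described above, added here as an example and not taken from VMware's advisory or code: it normalizes request paths from a web access log and flags any that resolve into /SAAS/WEB-INF or /SAAS/META-INF. The Common Log Format layout, the function names and the sample lines are assumptions constructed for illustration; the post does not describe the request form used for CVE-2016-5334.

```python
import posixpath
import re
from urllib.parse import unquote

# Directories named in the post; compared case-insensitively.
PROTECTED = ("/saas/web-inf", "/saas/meta-inf")

# Request and status fields of a Common Log Format line (assumed log layout).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Nov/2016:10:01:02 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 5120',
    '10.0.0.9 - - [22/Nov/2016:10:01:07 +0000] "GET /SAAS/WEB-INF/web.xml HTTP/1.1" 404 310',
    '10.0.0.9 - - [22/Nov/2016:10:01:09 +0000] "GET /SAAS/static/%2e%2e/META-INF/MANIFEST.MF HTTP/1.1" 200 412',
    '10.0.0.7 - - [22/Nov/2016:10:02:00 +0000] "GET /SAAS/static/web-inf-guide.html HTTP/1.1" 200 900',
]


def normalize_path(target: str) -> str:
    """Reduce a request target to the lower-cased path it can resolve to."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # repeat so double-encoded octets are decoded too
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    # Drop ";param" path parameters from every segment.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # lstrip avoids normpath preserving a leading "//".
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def is_protected(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)


def find_hits(lines):
    """Return (line number, HTTP status, normalized path) for flagged requests."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and is_protected(normalize_path(match["target"])):
            hits.append((number, int(match["status"]), normalize_path(match["target"])))
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Hits with a 2xx status are the ones to review first, since they indicate the file was actually served.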

In addition, we would like to clarify that vRealize Automation (vRA) is also called out in this advisory because it consumes vIDM as an RPM and required a fix as well.

We also published VMSA-2016-0022, which documents several issues. While most of the items are straightforward, we would like to clarify the following from issue a:

1. vSphere 6.5 does not ship with a vSphere Client (aka. C# or ‘Thick’ Client).
2. To be safe, we recommend first removing and then reinstalling a fixed version of the vSphere Client.
3. Knowledge Base Article 2089791 is a great resource for directly downloading fixed versions of the vSphere Client.

We have classified the severity of the issues as either ‘Important’ or ‘Moderate’ in accordance with our Security Response Policy.

We also updated VMSA-2016-0005.5 and VMSA-2016-0018.3. Please see section ‘6. Change Log’ in the advisories for details.

Please sign up to be notified when new and updated VMSAs are released here.

That’s it for now.

Drop us a line at security@vmware.com if you have any questions on these vulnerabilities or advisories.

New VMware Security Advisory VMSA-2016-0020 and Updated Advisories

Today VMware has released the following new and updated security advisories:

New
VMSA-2016-0020

Updated
VMSA-2016-0016.1
VMSA-2016-0018.1

The new advisory documents a deserialization vulnerability in the vRealize Operations REST API, CVE-2016-7462.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware Workstation target at the PwnFest hacking competition

VMware Workstation is among the targets of the PwnFest hacking competition. At this event, which is organized alongside the Power of Community security conference in Seoul, security researchers are demonstrating their attack capabilities. The event is modeled after the well-known Pwn2Own competition.

Earlier today at the event, the 360 Marvel Team and security researcher Lokihardt (JungHoon Lee) used the same issue to demonstrate that they could execute code on the VMware Workstation host from the guest. We have received details on this issue directly from the researchers and we are now working on a solution. We have confirmed that the issue is limited to VMware Workstation and VMware Fusion and that ESXi is not affected.

We would like to thank the organizers of the event, the 360 Marvel Team, and Lokihardt for working with us to address the issue.

November 13 update
Today, we’ve published VMware Security Advisory VMSA-2016-0019 which documents the release of VMware Workstation 12.5.2 and VMware Fusion 8.5.2. These new Workstation and Fusion versions address the issue that was demonstrated at the PwnFest event. The issue has been assigned CVE identifier CVE-2016-7461.

VMSA-2016-0018

Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0018 which documents products affected by CVE-2016-5195 – aka: the ‘Dirty COW’ vulnerability. In addition, we have also released Knowledge Base Article 2147515 which documents unaffected products.

There are a few points I’d like to make about our evaluation of this issue and its effect on our products.

We have classified the severity of this issue as ‘Important’ in accordance with our Security Response Policy.

There are 2 requirements that must be met for a product to be considered affected by CVE-2016-5195:

  1. The product must ship with a vulnerable Linux kernel.
  2. There must be a valid attack vector that can be used to exploit the vulnerability.

During our evaluations we found that VMware appliances do indeed ship with a vulnerable Linux kernel and met requirement 1. However, only a select few of these appliances met requirement 2 and are therefore considered affected. These affected products, as well as remediation information, are documented in VMSA-2016-0018, which will be updated as more fixes become available.

Also, we understand that various automated vulnerability scanners will most likely flag products we have listed as unaffected in KB 2147515 as affected. We want to make it clear that while these products are not affected, we will still be rolling out kernel updates for them in maintenance releases as a precautionary measure.

Please sign up on the right side of this page to be notified when new and updated VMSAs are released, as we will be updating VMSA-2016-0018 over the next few weeks.

That’s it for now.

Drop us a line at security@vmware.com if you have any questions on the vulnerability or advisory.