Today VMware has released the following new security advisory:
“VMSA-2017-0009 – VMware Workstation update addresses multiple security issues”
The advisory documents an important-severity insecure library loading issue via ALSA sound driver configuration files (CVE-2017-4915) and a moderate-severity NULL pointer dereference issue (CVE-2017-4916) affecting Workstation Pro/Player.
All VMware Workstation Pro/Player 12.x versions are affected.
Successful exploitation of the insecure library loading issue may allow unprivileged host users to escalate their privileges to root on a Linux host machine.
The NULL pointer dereference vulnerability exists in the vstor2 driver and may allow host users with normal user privileges to trigger a denial of service on a Windows host machine.
Workstation Pro/Player 12.5.6 fixes all of these issues.
VMware would like to thank Jann Horn of Google Project Zero and Borja Merino for reporting these issues to us.
Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.
Customers should review the security advisories and direct any questions to VMware Support.