
Monthly Archives: January 2018

New VMware Security Advisory VMSA-2018-0005

Today, VMware has released the following new security advisory:

VMSA-2018-0005 VMware Workstation, and Fusion updates resolve use-after-free and integer-overflow vulnerabilities

This documents the remediation of Critical and Important severity issues (CVE-2017-4949 and CVE-2017-4950).

Issue (a) CVE-2017-4949 is a use-after-free vulnerability in the VMware NAT service which can be exploited when IPv6 mode is enabled. This issue is rated as critical and may allow a guest to execute code on the host.

Issue (b) CVE-2017-4950 is an integer-overflow vulnerability in the VMware NAT service which can be exploited when IPv6 mode is enabled. This issue is rated as important and may lead to an out-of-bounds read which can then be used to execute code on the host in conjunction with other issues.

IPv6 mode for VMNAT is not enabled by default. VMware Workstation 14.1.1, 12.5.9 and VMware Fusion 10.1.1, 8.5.10 fix these issues.

We would like to thank WenQunWang of Tencent’s Xuanwu LAB for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0003

Today, VMware has released the following new security advisory:

VMSA-2018-0003 – vRealize Operations for Horizon, vRealize Operations for Published Applications, Workstation, Horizon View Client and Tools updates resolve multiple security vulnerabilities

This documents the remediation of three Important severity issues (CVE-2017-4945, CVE-2017-4946, and CVE-2017-4948).

Issue (a) CVE-2017-4946 is a privilege escalation vulnerability that affects vRealize Operations for Horizon (V4H) and vRealize Operations for Published Applications (V4PA) agents. Successful exploitation of this issue may allow low-privileged Windows users to escalate their privileges to SYSTEM. Workarounds for the ‘vROPs plugin for Horizon’ and ‘vROPs for Published applications’ 6.4.0 and 6.5.0 versions are available. Please see VMSA-2018-0003 for more information.

Issue (b) CVE-2017-4948 is an out-of-bounds read issue that occurs via Cortado ThinPrint. This issue affects Workstation and Horizon View Client. On Workstation, this issue in conjunction with other bugs may allow a guest to leak information from the host or may allow for a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this issue in conjunction with other bugs may allow a View desktop to leak information from the host or may allow for a Denial of Service on the Windows OS that runs the Horizon View Client. Workstation 14.1.0 and Horizon View Client for Windows 4.7.0 fix this issue.

Issue (c) CVE-2017-4945 is a guest access control vulnerability and affects Workstation and Fusion. Successful exploitation of this issue may allow program execution via Unity on locked Windows VMs.

We would like to thank Martin Lemay of GoSecure Inc., Yakun Zhang of McAfee, and Tudor Enache of the United Arab Emirates Computer Emergency Response Team (aeCERT) for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA-2018-0002 and VMSA-2018-0004

Update 01/10/18: VMSA-2018-0004 has been released detailing Hypervisor-Assisted Guest Mitigation fixes. An explanation of the different types of mitigations being provided by VMware can be found in KB52245. Please note that if you have applied the patches listed in VMSA-2018-0004, you do not need the patches listed in VMSA-2018-0002.

Update 01/04/18: OS vendors have begun issuing patches that address CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 for their operating systems. For these patches to be fully functional in a guest OS, additional ESXi and vCenter Server updates will be required. These updates are being given the highest priority. Please sign up to the Security-Announce mailing list to be alerted when these updates are available.

Today VMware has released the following new security advisory:

VMSA-2018-0002 – VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.

This advisory documents remediation for known variants of the Bounds-Check Bypass (CVE-2017-5753) and Branch Target Injection (CVE-2017-5715) issues due to speculative execution disclosed today by Google Project Zero. These issues may result in information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host.

A third issue due to speculative execution, Rogue Data Cache Load (CVE-2017-5754), was disclosed along with the other two issues. It does not affect ESXi, Workstation, and Fusion because ESXi does not run untrusted user mode code, and Workstation and Fusion rely on the protection that the underlying operating system provides.

The remediation documented in VMSA-2018-0002 has been present in VMware Cloud on AWS since early December 2017.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

VMSA-2018-0001

New VMware Security Advisory VMSA-2018-0001

On January 2nd 2018 VMware released the following new security advisory:

VMSA-2018-0001 – vSphere Data Protection (VDP) updates address multiple security issues.

This documents several critical severity issues affecting VDP.

Issue (a) is an authentication bypass vulnerability (CVE-2017-15548). A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems.

Issue (b) is an arbitrary file upload vulnerability (CVE-2017-15549). A remote authenticated malicious user with low privileges could potentially upload arbitrary maliciously crafted files in any location on the server file system.

Issue (c) is a path traversal vulnerability (CVE-2017-15550). A remote authenticated malicious user with low privileges could access arbitrary files on the server file system in the context of the running vulnerable application.

These issues have been addressed in VDP 6.1.6 and 6.0.7.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.