Author Archives: Praveen Singh

New VMSA-2018-0025 and Intel Graphics Driver Unified Shader Compiler Security Updates

Today, VMware has released the following new security advisory:

VMSA-2018-0025VMware ESXi, Workstation, and Fusion workarounds address a denial-of-service vulnerability

This documents an important severity denial-of-service vulnerability that affects VMware ESXi, Workstation and Fusion. This issue arises due to an infinite loop in the 3D-rendering shader. Successfully exploiting this issue may allow an attacker with normal user privileges in the guest to make the VM unresponsive, and in some cases, possibly result other VMs on the host or the host itself becoming unresponsive. The issue can only be exploited if 3D-acceleration feature is enabled

3D-acceleration feature is enabled by default on Workstation and Fusion. On ESXi, this feature is not enabled by default and this is also true for Horizon 6 & 7, Horizon DaaS Platform for Service Providers, and VMC on AWS.

Because many graphics API’s and hardware lack pre-emption support, a specially crafted 3D shader may loop for an infinite amount of time and lock up a VM’s virtual graphics device. Such a shader cannot always be validated by VMware hypervisors, since it may be well-formed but still cause problems if designed to run for an extremely long time. In such cases, VMware hypervisors then rely on the host’s graphics driver to ensure that other users of 3D graphics on the host are not impacted by the malicious VM. However, many graphics drivers may themselves get into to a denial-of-service condition caused by such infinite shaders, and as a result other VMs or processes running on the host might also be affected.

There is no patch for this issue, customers must review their risk and apply the workarounds if applicable. We have released workarounds documented in VMSA-2018-0025.

We would like to thank Piotr Bania of Cisco Talos for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Also, we wanted to make you aware that Intel has released a security bulletin entitled “INTEL-SA-00166 – Multiple potential security vulnerabilities in Intel Graphics Drivers may allow escalation of privilege or denial of service . Intel is releasing Intel Graphics Driver updates to mitigate these potential vulnerabilities”.

It documents the remediation of CVE-2018-12152, CVE-2018-12153 and CVE-2018-12154. These issues have been shown to affect VMware Workstation running on Windows. Therefore, we wanted to make sure you are informed of these issues so that they can be appropriately mitigated by the updates that Intel has provided in INTEL-SA-00166.

Customers should review the available documentation and direct technical inquiries to VMware Support for further assistance.

New VMware Security Advisory VMSA-2018-0022 and Updated Security Advisory VMSA-2018-0019.1

Today, VMware has released the following new and updated security advisories:

VMSA-2018-0022 VMware Workstation and Fusion updates address an out-of-bounds write issue
VMSA-2018-0019.1Horizon 6, 7, Horizon Agent, and Horizon Client for Windows updates address an out-of-bounds read vulnerability

VMSA-2018-0022 documents the remediation of a critical severity out-of-bounds read vulnerability (CVE-2018-6973) in VMware Workstation and Fusion. Successfully exploiting this issue may allow allow a guest to execute code on the host. This issue has been addressed in VMware Workstation 14.1.3 and Fusion 10.1.3.

VMSA-2018-0019.1 was updated to clarify about affected products.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0019 and Updated Security Advisory VMSA-2015-0007.7

Today, VMware has released the following new and updated security advisories:

VMSA-2018-0019Horizon 6, 7, and Horizon Client for Windows updates address an out-of-bounds read vulnerability
VMSA-2015-0007.7 VMware vCenter and ESXi updates address critical security issues

VMSA-2018-0019 documents the remediation of an important severity out-of-bounds read vulnerability (CVE-2018-6970) in Horizon 6, 7, and Horizon Client for Windows. Successfully exploiting this issue may allow a less-privileged user to leak information from a privileged process running on a system where Horizon Connection Server, Horizon Agent or Horizon Client are installed. This issue doesn’t apply to Horizon 6, 7 Agents installed on Linux systems or Horizon Clients installed on non-Windows systems.

VMSA-2015-0007.7 was issued to add the patches for ESXi 6.0, 6.5 and 6.7 that address CVE-2015-5177. Recently, we found that this issue affects ESXi 6.0, 6.5 and 6.7.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0017

Today, VMware has released the following new security advisory:

VMSA-2018-0017VMware Tools update addresses an out-of-bounds read vulnerability

This documents the remediation of an important severity out-of-bounds read vulnerability (CVE-2018-6969) in VMware Tools. Successful exploitation of this issue may lead to information disclosure or may allow attackers to escalate their privileges on the guest VMs. File sharing must be enabled to be able to exploit this issue.

VMware Tools 10.x and prior versions are affected. This issue has been addressed in VMware Tools 10.3.0.

We would like to thank Anurudh for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0014

Today VMware has released the following new security advisory:

VMSA-2018-0014VMware Horizon Client update addresses a privilege escalation vulnerability

This documents the remediation of an important severity local privilege escalation
vulnerability (CVE-2018-6964) in VMware Horizon Client for Linux. Successful exploitation of this issue may allow unprivileged users to escalate their privileges to root on a Linux machine where Horizon Client is installed.

VMware Horizon Client for Linux 4.x and prior versions are affected. This issue has been addressed in VMware Horizon Client for Linux 4.8.0.

We would like to thank Nassim Abbaoui, pentester at OVH, for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0013

Today, VMware has released the following new security advisory:

VMSA-2018-0013VMware Workstation and Fusion updates address signature bypass and multiple denial-of-service vulnerabilities

This documents the remediation of an important severity issue (CVE-2018-6962) in VMware Fusion and moderate severity issues (CVE-2018-6963) in VMware Workstation and Fusion.

Issue (a) CVE-2018-6962 is signature bypass vulnerability which may lead to a local privilege escalation. This issue has been addressed in VMware Fusion 10.1.2.

Issue (b) CVE-2018-6963 is multiple denial-of-service vulnerabilities in the RPC handler. Exploitation of these issues may allow an attacker with limited privileges on the guest machine trigger a denial-of-service of their guest machine. These issue have been addressed in VMware Workstation 14.1.2 and Fusion 10.1.2.

We would like to thank CodeColorist of AntFinancial LightYear Security Labs, Hahna Latonick and Kevin Fujimoto working with Trend Micro’s Zero Day Initiative, and Bruno Botelho (@utxsec) for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0010

Today VMware has released the following new security advisory:

VMSA-2018-0010Horizon DaaS update addresses a broken authentication issue

This documents the remediation of a moderate severity issue (CVE-2018-6960) in VMware Horizon DaaS that may allow an attacker to bypass two-factor authentication. In order to exploit this issue, an attacker must have a legitimate account on Horizon DaaS.

All VMware Horizon DaaS 7.x versions are affected. This issue has been addressed in VMware Horizon DaaS 8.0.0.

We would like to thank Peter Ivezaj, President – Digital Upkeep for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0008

Today, VMware has released the following new security advisory:

VMSA-2018-0008Workstation and Fusion updates address a denial-of-service vulnerability

This documents the remediation of an Important severity denial-of-service vulnerability (CVE-2018-6957) affecting VMware Workstation and Fusion. This issue can be triggered by opening a large number of VNC sessions.  In order for exploitation to be possible, VNC must be manually enabled on Workstation and Fusion.

VMware Workstation 14.1.1 and Fusion 10.1.1 fix this issue. Workaround KB52934 is available for VMware Workstation 12.x and Fusion 8.x.

We would like to thank Lilith Wyatt of Cisco Talos for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA-2018-0007.1 – VMware Virtual Appliance updates address side-channel analysis due to speculative execution

I’d like to apologize for the previous blog post, this was an old draft that was later revised. The following is the message we intended to send:

Greetings from the VMware Security Response Center!

We thought we should post an explanation of today’s changes to VMSA-2018-0007 as we have split the the advisory into 2 sections:

a. This section now covers CVE-2017-5753 (Spectre-1), and CVE-2017-5754 (Meltdown) specifically.

b. This section is now devoted to CVE-2017-5715 (Spectre-2).

The reason we have done this is to clarify which of these issues have been mitigated against currently known variants of the different vulnerabilities. Because Meltdown is considered by some to be the most severe/exploitable of the issues, we did not want to wait for complete Spectre-2 mitigations while Spectre-1/Meltdown fixes were ready to ship. We also understand that some customers may want to delay updating until all mitigations are in place. While we strongly recommend taking updates as soon as they become available, we wanted to be transparent about the fact that more updates are on the way.

VMware appliances listed in this advisory are shipping on either Novell SLES or VMware Photon OS. As a result, the mitigations provided for CVE-2017-5715 (Spectre-2) may vary when first released.

Products will be enumerated in section b. when either of the following requirements are met:

1. IBPB/IBRS is supported.
2. Retpoline is supported.

Because this is an ongoing issue, VMware appliances will continue to accept improved open source mitigations as they are created.

New VMware Security Advisory VMSA-2018-0005

Today, VMware has released the following new security advisory:

VMSA-2018-0005 VMware Workstation, and Fusion updates resolve use-after-free and integer-overflow vulnerabilities

This documents the remediation of Critical and Important severity issues (CVE-2017-4949, and CVE-2017-4950).

Issues (a) CVE-2017-4949 is a use-after-free vulnerability in VMware NAT service which can be exploited when IPv6 mode is enabled. This issue is rated as critical and may allow a guest to execute code on the host.

Issue (b) CVE-2017-4950 is an integer-overflow vulnerability in VMware NAT service which can be exploited when IPv6 mode is enabled. This issue is rated as important and may lead to an out-of-bound read which can then be used to execute code on the host in conjunction with other issues.

IPv6 mode for VMNAT is not enabled by default. VMware Workstation 14.1.1, 12.5.9 and VMware Fusion 10.1.1, 8.5.10 fix these issues.

We would like to thank WenQunWang of Tencent’s Xuanwu LAB for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.