Author Archives: Praveen Singh

New VMware Security Advisory VMSA-2018-0022 and Updated Security Advisory VMSA-2018-0019.1

Today, VMware has released the following new and updated security advisories:

VMSA-2018-0022 VMware Workstation and Fusion updates address an out-of-bounds write issue
VMSA-2018-0019.1Horizon 6, 7, Horizon Agent, and Horizon Client for Windows updates address an out-of-bounds read vulnerability

VMSA-2018-0022 documents the remediation of a critical severity out-of-bounds read vulnerability (CVE-2018-6973) in VMware Workstation and Fusion. Successfully exploiting this issue may allow allow a guest to execute code on the host. This issue has been addressed in VMware Workstation 14.1.3 and Fusion 10.1.3.

VMSA-2018-0019.1 was updated to clarify about affected products.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0019 and Updated Security Advisory VMSA-2015-0007.7

Today, VMware has released the following new and updated security advisories:

VMSA-2018-0019Horizon 6, 7, and Horizon Client for Windows updates address an out-of-bounds read vulnerability
VMSA-2015-0007.7 VMware vCenter and ESXi updates address critical security issues

VMSA-2018-0019 documents the remediation of an important severity out-of-bounds read vulnerability (CVE-2018-6970) in Horizon 6, 7, and Horizon Client for Windows. Successfully exploiting this issue may allow a less-privileged user to leak information from a privileged process running on a system where Horizon Connection Server, Horizon Agent or Horizon Client are installed. This issue doesn’t apply to Horizon 6, 7 Agents installed on Linux systems or Horizon Clients installed on non-Windows systems.

VMSA-2015-0007.7 was issued to add the patches for ESXi 6.0, 6.5 and 6.7 that address CVE-2015-5177. Recently, we found that this issue affects ESXi 6.0, 6.5 and 6.7.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0017

Today, VMware has released the following new security advisory:

VMSA-2018-0017VMware Tools update addresses an out-of-bounds read vulnerability

This documents the remediation of an important severity out-of-bounds read vulnerability (CVE-2018-6969) in VMware Tools. Successful exploitation of this issue may lead to information disclosure or may allow attackers to escalate their privileges on the guest VMs. File sharing must be enabled to be able to exploit this issue.

VMware Tools 10.x and prior versions are affected. This issue has been addressed in VMware Tools 10.3.0.

We would like to thank Anurudh for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0014

Today VMware has released the following new security advisory:

VMSA-2018-0014VMware Horizon Client update addresses a privilege escalation vulnerability

This documents the remediation of an important severity local privilege escalation
vulnerability (CVE-2018-6964) in VMware Horizon Client for Linux. Successful exploitation of this issue may allow unprivileged users to escalate their privileges to root on a Linux machine where Horizon Client is installed.

VMware Horizon Client for Linux 4.x and prior versions are affected. This issue has been addressed in VMware Horizon Client for Linux 4.8.0.

We would like to thank Nassim Abbaoui, pentester at OVH, for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0013

Today, VMware has released the following new security advisory:

VMSA-2018-0013VMware Workstation and Fusion updates address signature bypass and multiple denial-of-service vulnerabilities

This documents the remediation of an important severity issue (CVE-2018-6962) in VMware Fusion and moderate severity issues (CVE-2018-6963) in VMware Workstation and Fusion.

Issue (a) CVE-2018-6962 is signature bypass vulnerability which may lead to a local privilege escalation. This issue has been addressed in VMware Fusion 10.1.2.

Issue (b) CVE-2018-6963 is multiple denial-of-service vulnerabilities in the RPC handler. Exploitation of these issues may allow an attacker with limited privileges on the guest machine trigger a denial-of-service of their guest machine. These issue have been addressed in VMware Workstation 14.1.2 and Fusion 10.1.2.

We would like to thank CodeColorist of AntFinancial LightYear Security Labs, Hahna Latonick and Kevin Fujimoto working with Trend Micro’s Zero Day Initiative, and Bruno Botelho (@utxsec) for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0010

Today VMware has released the following new security advisory:

VMSA-2018-0010Horizon DaaS update addresses a broken authentication issue

This documents the remediation of a moderate severity issue (CVE-2018-6960) in VMware Horizon DaaS that may allow an attacker to bypass two-factor authentication. In order to exploit this issue, an attacker must have a legitimate account on Horizon DaaS.

All VMware Horizon DaaS 7.x versions are affected. This issue has been addressed in VMware Horizon DaaS 8.0.0.

We would like to thank Peter Ivezaj, President – Digital Upkeep for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0008

Today, VMware has released the following new security advisory:

VMSA-2018-0008Workstation and Fusion updates address a denial-of-service vulnerability

This documents the remediation of an Important severity denial-of-service vulnerability (CVE-2018-6957) affecting VMware Workstation and Fusion. This issue can be triggered by opening a large number of VNC sessions.  In order for exploitation to be possible, VNC must be manually enabled on Workstation and Fusion.

VMware Workstation 14.1.1 and Fusion 10.1.1 fix this issue. Workaround KB52934 is available for VMware Workstation 12.x and Fusion 8.x.

We would like to thank Lilith Wyatt of Cisco Talos for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA-2018-0007.1 – VMware Virtual Appliance updates address side-channel analysis due to speculative execution

I’d like to apologize for the previous blog post, this was an old draft that was later revised. The following is the message we intended to send:

Greetings from the VMware Security Response Center!

We thought we should post an explanation of today’s changes to VMSA-2018-0007 as we have split the the advisory into 2 sections:

a. This section now covers CVE-2017-5753 (Spectre-1), and CVE-2017-5754 (Meltdown) specifically.

b. This section is now devoted to CVE-2017-5715 (Spectre-2).

The reason we have done this is to clarify which of these issues have been mitigated against currently known variants of the different vulnerabilities. Because Meltdown is considered by some to be the most severe/exploitable of the issues, we did not want to wait for complete Spectre-2 mitigations while Spectre-1/Meltdown fixes were ready to ship. We also understand that some customers may want to delay updating until all mitigations are in place. While we strongly recommend taking updates as soon as they become available, we wanted to be transparent about the fact that more updates are on the way.

VMware appliances listed in this advisory are shipping on either Novell SLES or VMware Photon OS. As a result, the mitigations provided for CVE-2017-5715 (Spectre-2) may vary when first released.

Products will be enumerated in section b. when either of the following requirements are met:

1. IBPB/IBRS is supported.
2. Retpoline is supported.

Because this is an ongoing issue, VMware appliances will continue to accept improved open source mitigations as they are created.

New VMware Security Advisory VMSA-2018-0005

Today, VMware has released the following new security advisory:

VMSA-2018-0005 VMware Workstation, and Fusion updates resolve use-after-free and integer-overflow vulnerabilities

This documents the remediation of Critical and Important severity issues (CVE-2017-4949, and CVE-2017-4950).

Issues (a) CVE-2017-4949 is a use-after-free vulnerability in VMware NAT service which can be exploited when IPv6 mode is enabled. This issue is rated as critical and may allow a guest to execute code on the host.

Issue (b) CVE-2017-4950 is an integer-overflow vulnerability in VMware NAT service which can be exploited when IPv6 mode is enabled. This issue is rated as important and may lead to an out-of-bound read which can then be used to execute code on the host in conjunction with other issues.

IPv6 mode for VMNAT is not enabled by default. VMware Workstation 14.1.1, 12.5.9 and VMware Fusion 10.1.1, 8.5.10 fix these issues.

We would like to thank WenQunWang of Tencent’s Xuanwu LAB for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0003

Today, VMware has released the following new security advisory:

VMSA-2018-0003vRealize Operations for Horizon, vRealize Operations for Published Applications, Workstation, Horizon View Client and Tools updates resolve multiple security vulnerabilities

This documents the remediation of three Important severity issues (CVE-2017-4945, CVE-2017-4946, and CVE-2017-4948).

Issues (a) CVE-2017-4946 is a privilege escalation vulnerability that affects vRealize Operations for Horizon (V4H) and vRealize Operations for Published Applications (V4PA) agents. Successful exploitation of this issue may allow low privileged windows users to escalate their privileges to SYSTEM. Workaround for ‘vROPs plugin for Horizon’ and ‘vROPs for Published applications’ 6.4.0 and 6.5.0 versions are available. Please see VMSA-2018-0003 for more information

Issue (b) CVE-2017-4948 is an out-of-bounds read issue that occurs via Cortado ThinPrint. This issue affects Workstation and Horizon View Client. On Workstation, this issue in conjunction with other bugs may allow a guest to leak information from host or may allow for a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this issue in conjunction with other bugs may allow a View desktop to leak information from host or may allow for a Denial of Service on the Windows OS that runs the Horizon View Client. Workstation 14.1.0 and Horizon View Client for Windows 4.7.0 fix this issue.

Issue (c) CVE-2017-4945 is a guest access control vulnerability and affects Workstation and Fusion. Successful exploitation of this issue may allow program execution via Unity on locked Windows VMs.

We would like to thank Martin Lemay of GoSecure Inc., Yakun Zhang of McAfee, and Tudor Enache of the United Arab Emirates Computer Emergency Response Team (aeCERT) for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.