Author Archives: Praveen Singh

New VMware Security Advisory VMSA-2018-0013

Today, VMware has released the following new security advisory:

VMSA-2018-0013VMware Workstation and Fusion updates address signature bypass and multiple denial-of-service vulnerabilities

This documents the remediation of an important severity issue (CVE-2018-6962) in VMware Fusion and moderate severity issues (CVE-2018-6963) in VMware Workstation and Fusion.

Issue (a) CVE-2018-6962 is signature bypass vulnerability which may lead to a local privilege escalation. This issue has been addressed in VMware Fusion 10.1.2.

Issue (b) CVE-2018-6963 is multiple denial-of-service vulnerabilities in the RPC handler. Exploitation of these issues may allow an attacker with limited privileges on the guest machine trigger a denial-of-service of their guest machine. These issue have been addressed in VMware Workstation 14.1.2 and Fusion 10.1.2.

We would like to thank CodeColorist of AntFinancial LightYear Security Labs, Hahna Latonick and Kevin Fujimoto working with Trend Micro’s Zero Day Initiative, and Bruno Botelho (@utxsec) for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0010

Today VMware has released the following new security advisory:

VMSA-2018-0010Horizon DaaS update addresses a broken authentication issue

This documents the remediation of a moderate severity issue (CVE-2018-6960) in VMware Horizon DaaS that may allow an attacker to bypass two-factor authentication. In order to exploit this issue, an attacker must have a legitimate account on Horizon DaaS.

All VMware Horizon DaaS 7.x versions are affected. This issue has been addressed in VMware Horizon DaaS 8.0.0.

We would like to thank Peter Ivezaj, President – Digital Upkeep for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0008

Today, VMware has released the following new security advisory:

VMSA-2018-0008Workstation and Fusion updates address a denial-of-service vulnerability

This documents the remediation of an Important severity denial-of-service vulnerability (CVE-2018-6957) affecting VMware Workstation and Fusion. This issue can be triggered by opening a large number of VNC sessions.  In order for exploitation to be possible, VNC must be manually enabled on Workstation and Fusion.

VMware Workstation 14.1.1 and Fusion 10.1.1 fix this issue. Workaround KB52934 is available for VMware Workstation 12.x and Fusion 8.x.

We would like to thank Lilith Wyatt of Cisco Talos for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA-2018-0007.1 – VMware Virtual Appliance updates address side-channel analysis due to speculative execution

I’d like to apologize for the previous blog post, this was an old draft that was later revised. The following is the message we intended to send:

Greetings from the VMware Security Response Center!

We thought we should post an explanation of today’s changes to VMSA-2018-0007 as we have split the the advisory into 2 sections:

a. This section now covers CVE-2017-5753 (Spectre-1), and CVE-2017-5754 (Meltdown) specifically.

b. This section is now devoted to CVE-2017-5715 (Spectre-2).

The reason we have done this is to clarify which of these issues have been mitigated against currently known variants of the different vulnerabilities. Because Meltdown is considered by some to be the most severe/exploitable of the issues, we did not want to wait for complete Spectre-2 mitigations while Spectre-1/Meltdown fixes were ready to ship. We also understand that some customers may want to delay updating until all mitigations are in place. While we strongly recommend taking updates as soon as they become available, we wanted to be transparent about the fact that more updates are on the way.

VMware appliances listed in this advisory are shipping on either Novell SLES or VMware Photon OS. As a result, the mitigations provided for CVE-2017-5715 (Spectre-2) may vary when first released.

Products will be enumerated in section b. when either of the following requirements are met:

1. IBPB/IBRS is supported.
2. Retpoline is supported.

Because this is an ongoing issue, VMware appliances will continue to accept improved open source mitigations as they are created.

New VMware Security Advisory VMSA-2018-0005

Today, VMware has released the following new security advisory:

VMSA-2018-0005 VMware Workstation, and Fusion updates resolve use-after-free and integer-overflow vulnerabilities

This documents the remediation of Critical and Important severity issues (CVE-2017-4949, and CVE-2017-4950).

Issues (a) CVE-2017-4949 is a use-after-free vulnerability in VMware NAT service which can be exploited when IPv6 mode is enabled. This issue is rated as critical and may allow a guest to execute code on the host.

Issue (b) CVE-2017-4950 is an integer-overflow vulnerability in VMware NAT service which can be exploited when IPv6 mode is enabled. This issue is rated as important and may lead to an out-of-bound read which can then be used to execute code on the host in conjunction with other issues.

IPv6 mode for VMNAT is not enabled by default. VMware Workstation 14.1.1, 12.5.9 and VMware Fusion 10.1.1, 8.5.10 fix these issues.

We would like to thank WenQunWang of Tencent’s Xuanwu LAB for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0003

Today, VMware has released the following new security advisory:

VMSA-2018-0003vRealize Operations for Horizon, vRealize Operations for Published Applications, Workstation, Horizon View Client and Tools updates resolve multiple security vulnerabilities

This documents the remediation of three Important severity issues (CVE-2017-4945, CVE-2017-4946, and CVE-2017-4948).

Issues (a) CVE-2017-4946 is a privilege escalation vulnerability that affects vRealize Operations for Horizon (V4H) and vRealize Operations for Published Applications (V4PA) agents. Successful exploitation of this issue may allow low privileged windows users to escalate their privileges to SYSTEM. Workaround for ‘vROPs plugin for Horizon’ and ‘vROPs for Published applications’ 6.4.0 and 6.5.0 versions are available. Please see VMSA-2018-0003 for more information

Issue (b) CVE-2017-4948 is an out-of-bounds read issue that occurs via Cortado ThinPrint. This issue affects Workstation and Horizon View Client. On Workstation, this issue in conjunction with other bugs may allow a guest to leak information from host or may allow for a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this issue in conjunction with other bugs may allow a View desktop to leak information from host or may allow for a Denial of Service on the Windows OS that runs the Horizon View Client. Workstation 14.1.0 and Horizon View Client for Windows 4.7.0 fix this issue.

Issue (c) CVE-2017-4945 is a guest access control vulnerability and affects Workstation and Fusion. Successful exploitation of this issue may allow program execution via Unity on locked Windows VMs.

We would like to thank Martin Lemay of GoSecure Inc., Yakun Zhang of McAfee, and Tudor Enache of the United Arab Emirates Computer Emergency Response Team (aeCERT) for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0021

Today VMware has released the following new security advisory:

VMSA-2017-0021VMware ESXi, vCenter Server Appliance, Workstation and Fusion updates address multiple security vulnerabilities

This documents the remediation of four Important severity issues (CVE-2017-4933, CVE-2017-4940, CVE-2017-4941, and CVE-2017-4943). These issues affect VMware ESXi, VMware Workstation, VMware Fusion and VMware vCenter Server Appliance.

Issues (a) CVE-2017-4941 and (b) CVE-2017-4933 are stack overflow and heap overflow vulnerabilities respectively. Successful exploitation of these issues could result in remote code execution in a virtual machine via the authenticated VNC session. These issues affect VMware ESXi, Workstation, and Fusion. In order for exploitation to be possible in ESXi, VNC must be manually enabled in a virtual machine’s .vmx configuration file. In addition, ESXi must be configured to allow VNC traffic through the built-in firewall.

Issue (c) CVE-2017-4940 is a stored cross-site scripting vulnerability and affects the ESXi Host Client. An attacker can exploit this vulnerability by injecting JavaScript, which might get executed when other users access the Host Client. Please refer to VMSA-2017-0021 for ESXi 6.5, 6.0 and 5.5 patches.

Issue (d) CVE-2017-4943 is a privilege escalation vulnerability via the ‘showlog’ plugin in vCenter Server Appliance (vCSA). Successful exploitation of this issue could result in a low privileged user gaining root level privileges over the appliance base OS. This issue affects only vCSA 6.5.

We would like to thank Alain Homewood of Insomnia Security, Lukasz Plonka, Lilith Wyatt and another member of Cisco Talos for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisories VMSA-2017-0018 and VMSA-2017-0019

11/17/2017 – Updated VMSA-2017-0018 to add the DLL hijacking  issue.

Today, we released VMSA-2017-0018 and VMSA-2017-0019.

VMSA-2017-0018 – VMware Workstation, Fusion, and Horizon View Client updates resolve multiple security vulnerabilities

This documents critical, important and moderate severity vulnerabilities affecting VMware Horizon View Client for Windows 4.x, Workstation 12.x and Fusion 8.x.

Issue (a) is a heap-based buffer overflow vulnerability (CVE-2017-4934) which affects VMware Workstation and Fusion and may allow a guest to execute code on the host. This issue has been addressed in VMware Workstation 12.5.8 and Fusion 8.5.9.

Issues (b) and (c) are out-of-bounds read/write vulnerabilities (CVE-2017-4935, CVE-2017-4936 and CVE-2017-4937) in JPEG2000 parser in the TPView.dll. These issues exist due the use of vulnerable Cortado ThinPrint component and impact VMware Horizon View Client for Windows and Workstation. Exploitation is possible only if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View. These issues have been addressed in VMware Workstation 12.5.8 and Horizon View Client for Windows 4.6.1.

Issue (d) is a NULL pointer dereference vulnerability (CVE-2017-4938) in guest RPC and affects VMware Workstation and Fusion. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs. This issue has been addressed in VMware Workstation 12.5.8 and Fusion 8.5.9.

Issue (e) is a DLL hijacking issue (CVE-2017-4939) that exists due to some DLL files loaded by the application improperly. This issue may allow an attacker to load a DLL file of the attacker’s choosing that could execute arbitrary code. VMware Workstation versions 12.x are affected. Workstation 12.5.8 fixes this issue.

We would like to thank Ke Liu of Tencent’s Xuanwu Lab, Skyer, Björn Ruytenberg, Jun Mao of Tencent PC Manager working with Trend Micro’s Zero Day Initiative and Anonymous working with Trend Micro’s Zero Day Initiative for reporting these issues to us.

VMSA-2017-0019 – NSX for vSphere update addresses NSX Edge Cross-Site Scripting (XSS) issue

This documents a moderate severity cross-site scripting issue (CVE-2017-4929) affecting NSX Edge (6.2.x, and 6.3.x). Successful exploitation of this issue may lead to information disclosure. This issue has been addressed in NSX Edge versions 6.2.9 and 6.3.5.

We would like to thank Jarad Kopf of Deltek and Issam Rabhi for independently reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0015.1

Update: 2017-09-15 Corrected the underlying component  affected from SVGA driver to device.

Today VMware has released the following new security advisory:

VMSA-2017-0015.1VMware ESXi, vCenter Server, Fusion and Workstation updates resolve multiple security vulnerabilities

This documents the remediation of a critical severity issue (CVE-2017-4924) and two moderate severity issues (CVE-2017-4925 and CVE-2017-4926). These issues affect VMware ESXi, VMware Workstation, VMware Fusion and VMware vCenter Server.

Issue (a) CVE-2017-4924 is an out-of-bounds write vulnerability in SVGA device which may allow a guest to execute code on the host. This issue affects ESXi 6.5, Fusion and Workstation. It has been addressed through an ESXi 6.5 patch, and in Fusion 8.5.8 and Workstation 12.5.7. ESXi 6.0 and 5.x are not affected.

Issue (b) CVE-2017-4925 is a NULL pointer dereference vulnerability that occurs when handling guest RPC requests. This may allow attackers with normal user privileges to crash their VMs. ESXi, Fusion and Workstation are affected. Fusion 8.5.4 and Workstation 12.5.3 fix this issue. Please refer to VMSA-2017-0015 for ESXi 6.5, 6.0 and 5.5 patches.

Issue (c) CVE-2017-4926 is a stored XSS in H5 Client and affects only VMware vCenter Server 6.5. An attacker with VC user privileges can inject malicious java-scripts which will get executed when other VC users access the page. vCenter Server 6.5 U1 fixes this issue.

We would like to thank Nico Golde and Ralf-Philipp Weinmann of Comsecuris UG (haftungsbeschraenkt) working with ZDI, Zhang Haitao, and Thomas Ornetzeder for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0013

Today VMware has released the following new security advisory:

VMSA-2017-0013 – VMware vCenter Server and Tools updates resolve multiple security vulnerabilities”

This documents an insecure library loading issue (CVE-2017-4921) and two information disclosure issues (CVE-2017-4922 and CVE-2017-4923) affecting VMware vCenter 6.5 release line. These issues are of moderate severity.

This also documents a moderate severity local privilege escalation issue (CVE-2015-5191) affecting VMware Tools.

CVE-2017-4921 is an insecure library loading issue that occurs due to the use of ‘LD_LIBRARY_PATH’ variable in an unsafe manner. Successful exploitation of this issue may allow unprivileged host users to load a shared library that may lead to privilege escalation.

CVE-2017-4922 is an information disclosure issue that occurs due to the service startup script using world writable directories as temporary storage for critical information. Successful exploitation of this issue may allow unprivileged host users to access certain critical information when the service gets restarted.

CVE-2017-4923 is also an information disclosure vulnerability. Exploiting this issue may allow an attacker to obtain plaintext credentials when using the vCenter Server Appliance file-based backup feature.

CVE-2015-5191 is a local privilege escalation issue that exists because VMware Tools contains multiple file system races in libDeployPkg.

VMware vCenter Server 6.5 U1 and VMware Tools 10.0.9 and above fix these issues.

We would like to thank Thorsten Tüllmann, researcher at Karlsruhe Institute of Technology, Joe Womack of Expedia, Florian Weimer and Kurt Seifried of Red Hat Product Security for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.