Tag Archives: Security Advisory

New VMware Security Advisory VMSA-2017-0015.1

Update: 2017-09-15 Corrected the underlying component affected from SVGA driver to device.

Today VMware has released the following new security advisory:

VMSA-2017-0015.1 – VMware ESXi, vCenter Server, Fusion and Workstation updates resolve multiple security vulnerabilities

This documents the remediation of a critical severity issue (CVE-2017-4924) and two moderate severity issues (CVE-2017-4925 and CVE-2017-4926). These issues affect VMware ESXi, VMware Workstation, VMware Fusion and VMware vCenter Server.

Issue (a) CVE-2017-4924 is an out-of-bounds write vulnerability in the SVGA device which may allow a guest to execute code on the host. This issue affects ESXi 6.5, Fusion and Workstation. It has been addressed through an ESXi 6.5 patch, and in Fusion 8.5.8 and Workstation 12.5.7. ESXi 6.0 and 5.x are not affected.

Issue (b) CVE-2017-4925 is a NULL pointer dereference vulnerability that occurs when handling guest RPC requests. This may allow attackers with normal user privileges to crash their VMs. ESXi, Fusion and Workstation are affected. Fusion 8.5.4 and Workstation 12.5.3 fix this issue. Please refer to VMSA-2017-0015 for ESXi 6.5, 6.0 and 5.5 patches.

Issue (c) CVE-2017-4926 is a stored XSS in the H5 Client and affects only VMware vCenter Server 6.5. An attacker with VC user privileges can inject malicious JavaScript, which is executed when other VC users access the page. vCenter Server 6.5 U1 fixes this issue.

We would like to thank Nico Golde and Ralf-Philipp Weinmann of Comsecuris UG (haftungsbeschraenkt) working with ZDI, Zhang Haitao, and Thomas Ornetzeder for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0013

Today VMware has released the following new security advisory:

VMSA-2017-0013 – VMware vCenter Server and Tools updates resolve multiple security vulnerabilities

This documents an insecure library loading issue (CVE-2017-4921) and two information disclosure issues (CVE-2017-4922 and CVE-2017-4923) affecting the VMware vCenter 6.5 release line. These issues are of moderate severity.

This also documents a moderate severity local privilege escalation issue (CVE-2015-5191) affecting VMware Tools.

CVE-2017-4921 is an insecure library loading issue caused by unsafe use of the ‘LD_LIBRARY_PATH’ variable. Successful exploitation of this issue may allow unprivileged host users to load a shared library that may lead to privilege escalation.

CVE-2017-4922 is an information disclosure issue that occurs due to the service startup script using world writable directories as temporary storage for critical information. Successful exploitation of this issue may allow unprivileged host users to access certain critical information when the service gets restarted.

CVE-2017-4923 is also an information disclosure vulnerability. Exploiting this issue may allow an attacker to obtain plaintext credentials when using the vCenter Server Appliance file-based backup feature.

CVE-2015-5191 is a local privilege escalation issue that exists because VMware Tools contains multiple file system races in libDeployPkg.

VMware vCenter Server 6.5 U1 and VMware Tools 10.0.9 and above fix these issues.

We would like to thank Thorsten Tüllmann, researcher at Karlsruhe Institute of Technology, Joe Womack of Expedia, Florian Weimer and Kurt Seifried of Red Hat Product Security for reporting these issues to us.

New VMware Security Advisory VMSA-2017-0010 and Updated Security Advisory VMSA-2016-0024.1

On 6th of June 2017, VMware released the following new and updated security advisories:

VMSA-2017-0010 – vSphere Data Protection (VDP) updates address multiple security issues.

This new security advisory documents two issues.

VDP contains a deserialization issue (CVE-2017-4914). Exploitation of this issue may allow a remote attacker to execute commands on the appliance. VMware would like to thank Tim Roberts, Arthur Chilipweli, and Kelly Correll from NTT Security for reporting this issue to us.

VDP locally stores vCenter Server credentials using reversible encryption (CVE-2017-4917). This issue may allow plaintext credentials to be obtained. VMware would like to thank Marc Ströbel aka phroxvs from HvS-Consulting for reporting this issue to VMware.

These issues have been addressed in VDP 6.1.4 and 6.0.5.

VMware has released the following updated security advisory:

VMSA-2016-0024.1 – vSphere Data Protection (VDP) updates address SSH key-based authentication issue

This issue has been addressed in VDP 6.1.4 and 6.0.5.

New VMware Security Advisory VMSA-2017-0009

Today VMware has released the following new security advisory:

VMSA-2017-0009 – VMware Workstation update addresses multiple security issues

This documents an important severity insecure library loading issue via ALSA sound driver configuration files (CVE-2017-4915) and a moderate severity NULL pointer dereference issue (CVE-2017-4916) affecting Workstation Pro/Player.

All VMware Workstation Pro/Player 12.x are affected.

Successful exploitation of the insecure library loading issue may allow unprivileged host users to escalate their privileges to root on a Linux host machine.

The NULL pointer dereference vulnerability exists in the vstor2 driver and may allow host users with normal user privileges to trigger a denial-of-service on a Windows host machine.

Workstation Pro/Player 12.5.6 fixes all these issues.

VMware would like to thank Jann Horn of Google Project Zero and Borja Merino for reporting these issues to us.

New VMware Security Advisory VMSA-2017-0002

Greetings from the VMware Security Response Center!

Today VMware has released the following new security advisory:

VMSA-2017-0002 – Horizon DaaS update addresses an insecure data validation issue

The advisory documents a moderate severity insecure data validation issue (CVE-2017-4897) in VMware Horizon DaaS. All 6.1.x versions are affected.

This vulnerability can be exploited by tricking DaaS client users into connecting to a malicious server and sharing all their drives and devices. Horizon DaaS 7.0.0 carries a fix for this issue.

VMware would like to thank Ahmad Ashraff of Aura Information Security for reporting this issue to us.

Patch Tuesday Overview – February 2013

For this month’s Patch Tuesday, Microsoft released 12 bulletins, of which five were rated as Critical and seven as Important updates, addressing a total of 57 vulnerabilities across Internet Explorer, .NET Framework, Office, Windows and Exchange Server.

For those who need to prioritize deployments, there are 3 security bulletins that will need to be addressed right away.

MS13-009 addresses 13 issues across all supported versions of Internet Explorer and MS13-010 addresses issues in the Vector Markup Language (VML) which is used by all versions of Internet Explorer. Both of these issues could allow Remote Code Execution if a user viewed a specially crafted webpage using Internet Explorer.

MS13-020 affecting Windows XP resolves an issue in Microsoft Windows Object Linking and Embedding (OLE) Automation which could allow Remote Code Execution if a user opens a malicious RTF file with an embedded ActiveX control in either Word or WordPad.

In addition to the above mentioned bulletins, for the second time in less than a week, both Microsoft and Adobe released Critical-class bulletins (KB2805940 and APSB13-05) to update Flash Players. These updates address at least 16 distinct vulnerabilities including buffer overflow and use-after-free vulnerabilities that could lead to Code Execution.

All the above mentioned bulletins are now available for deployment via VMware vCenter Configuration Manager (VCM).

Aravind Kolipakkam
Sr. Member of Technical Staff, VMware Center for Policy & Compliance