Home > Blogs > VMware Security & Compliance Blog > Tag Archives: VMSA

Tag Archives: VMSA

New VMware Security Advisory VMSA-2017-0021

Today VMware has released the following new security advisory:

VMSA-2017-0021VMware ESXi, vCenter Server Appliance, Workstation and Fusion updates address multiple security vulnerabilities

This documents the remediation of four Important severity issues (CVE-2017-4933, CVE-2017-4940, CVE-2017-4941, and CVE-2017-4943). These issues affect VMware ESXi, VMware Workstation, VMware Fusion and VMware vCenter Server Appliance.

Issues (a) CVE-2017-4941 and (b) CVE-2017-4933 are stack overflow and heap overflow vulnerabilities respectively. Successful exploitation of these issues could result in remote code execution in a virtual machine via the authenticated VNC session. These issues affect VMware ESXi, Workstation, and Fusion. In order for exploitation to be possible in ESXi, VNC must be manually enabled in a virtual machine’s .vmx configuration file. In addition, ESXi must be configured to allow VNC traffic through the built-in firewall.

Issue (c) CVE-2017-4940 is a stored cross-site scripting vulnerability and affects the ESXi Host Client. An attacker can exploit this vulnerability by injecting JavaScript, which might get executed when other users access the Host Client. Please refer to VMSA-2017-0021 for ESXi 6.5, 6.0 and 5.5 patches.

Issue (d) CVE-2017-4943 is a privilege escalation vulnerability via the ‘showlog’ plugin in vCenter Server Appliance (vCSA). Successful exploitation of this issue could result in a low privileged user gaining root level privileges over the appliance base OS. This issue affects only vCSA 6.5.

We would like to thank Alain Homewood of Insomnia Security, Lukasz Plonka, Lilith Wyatt and another member of Cisco Talos for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisories VMSA-2017-0018 and VMSA-2017-0019

11/17/2017 – Updated VMSA-2017-0018 to add the DLL hijacking  issue.

Today, we released VMSA-2017-0018 and VMSA-2017-0019.

VMSA-2017-0018 – VMware Workstation, Fusion, and Horizon View Client updates resolve multiple security vulnerabilities

This documents critical, important and moderate severity vulnerabilities affecting VMware Horizon View Client for Windows 4.x, Workstation 12.x and Fusion 8.x.

Issue (a) is a heap-based buffer overflow vulnerability (CVE-2017-4934) which affects VMware Workstation and Fusion and may allow a guest to execute code on the host. This issue has been addressed in VMware Workstation 12.5.8 and Fusion 8.5.9.

Issues (b) and (c) are out-of-bounds read/write vulnerabilities (CVE-2017-4935, CVE-2017-4936 and CVE-2017-4937) in JPEG2000 parser in the TPView.dll. These issues exist due the use of vulnerable Cortado ThinPrint component and impact VMware Horizon View Client for Windows and Workstation. Exploitation is possible only if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View. These issues have been addressed in VMware Workstation 12.5.8 and Horizon View Client for Windows 4.6.1.

Issue (d) is a NULL pointer dereference vulnerability (CVE-2017-4938) in guest RPC and affects VMware Workstation and Fusion. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs. This issue has been addressed in VMware Workstation 12.5.8 and Fusion 8.5.9.

Issue (e) is a DLL hijacking issue (CVE-2017-4939) that exists due to some DLL files loaded by the application improperly. This issue may allow an attacker to load a DLL file of the attacker’s choosing that could execute arbitrary code. VMware Workstation versions 12.x are affected. Workstation 12.5.8 fixes this issue.

We would like to thank Ke Liu of Tencent’s Xuanwu Lab, Skyer, Björn Ruytenberg, Jun Mao of Tencent PC Manager working with Trend Micro’s Zero Day Initiative and Anonymous working with Trend Micro’s Zero Day Initiative for reporting these issues to us.

VMSA-2017-0019 – NSX for vSphere update addresses NSX Edge Cross-Site Scripting (XSS) issue

This documents a moderate severity cross-site scripting issue (CVE-2017-4929) affecting NSX Edge (6.2.x, and 6.3.x). Successful exploitation of this issue may lead to information disclosure. This issue has been addressed in NSX Edge versions 6.2.9 and 6.3.5.

We would like to thank Jarad Kopf of Deltek and Issam Rabhi for independently reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0015.1

Update: 2017-09-15 Corrected the underlying component  affected from SVGA driver to device.

Today VMware has released the following new security advisory:

VMSA-2017-0015.1VMware ESXi, vCenter Server, Fusion and Workstation updates resolve multiple security vulnerabilities

This documents the remediation of a critical severity issue (CVE-2017-4924) and two moderate severity issues (CVE-2017-4925 and CVE-2017-4926). These issues affect VMware ESXi, VMware Workstation, VMware Fusion and VMware vCenter Server.

Issue (a) CVE-2017-4924 is an out-of-bounds write vulnerability in SVGA device which may allow a guest to execute code on the host. This issue affects ESXi 6.5, Fusion and Workstation. It has been addressed through an ESXi 6.5 patch, and in Fusion 8.5.8 and Workstation 12.5.7. ESXi 6.0 and 5.x are not affected.

Issue (b) CVE-2017-4925 is a NULL pointer dereference vulnerability that occurs when handling guest RPC requests. This may allow attackers with normal user privileges to crash their VMs. ESXi, Fusion and Workstation are affected. Fusion 8.5.4 and Workstation 12.5.3 fix this issue. Please refer to VMSA-2017-0015 for ESXi 6.5, 6.0 and 5.5 patches.

Issue (c) CVE-2017-4926 is a stored XSS in H5 Client and affects only VMware vCenter Server 6.5. An attacker with VC user privileges can inject malicious java-scripts which will get executed when other VC users access the page. vCenter Server 6.5 U1 fixes this issue.

We would like to thank Nico Golde and Ralf-Philipp Weinmann of Comsecuris UG (haftungsbeschraenkt) working with ZDI, Zhang Haitao, and Thomas Ornetzeder for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0013

Today VMware has released the following new security advisory:

VMSA-2017-0013 – VMware vCenter Server and Tools updates resolve multiple security vulnerabilities”

This documents an insecure library loading issue (CVE-2017-4921) and two information disclosure issues (CVE-2017-4922 and CVE-2017-4923) affecting VMware vCenter 6.5 release line. These issues are of moderate severity.

This also documents a moderate severity local privilege escalation issue (CVE-2015-5191) affecting VMware Tools.

CVE-2017-4921 is an insecure library loading issue that occurs due to the use of ‘LD_LIBRARY_PATH’ variable in an unsafe manner. Successful exploitation of this issue may allow unprivileged host users to load a shared library that may lead to privilege escalation.

CVE-2017-4922 is an information disclosure issue that occurs due to the service startup script using world writable directories as temporary storage for critical information. Successful exploitation of this issue may allow unprivileged host users to access certain critical information when the service gets restarted.

CVE-2017-4923 is also an information disclosure vulnerability. Exploiting this issue may allow an attacker to obtain plaintext credentials when using the vCenter Server Appliance file-based backup feature.

CVE-2015-5191 is a local privilege escalation issue that exists because VMware Tools contains multiple file system races in libDeployPkg.

VMware vCenter Server 6.5 U1 and VMware Tools 10.0.9 and above fix these issues.

We would like to thank Thorsten Tüllmann, researcher at Karlsruhe Institute of Technology, Joe Womack of Expedia, Florian Weimer and Kurt Seifried of Red Hat Product Security for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0011

Today, VMware has released the following new security advisory:

VMSA-2017-0011 – Horizon View Client update addresses a command injection vulnerability”

This documents an important severity command injection vulnerability (CVE-2017-4918) in the service startup script that affects VMware Horizon View Client for Mac (versions 2.x, 3.x and 4.x ).

Successful exploitation of this issue may allow unprivileged users to escalate their privileges to root on the Mac OS X system where the client is installed.

VMware Horizon View Client for Mac 4.5.0 fixes this issue.

We would like to thank Florian Bogner from Kapsch BusinessCom AG for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0008.2

Update 04/21/2017: Updated security advisory to clarify the Unified Access Gateway and Horizon View affected versions.

Update 04/19/2017: We have corrected the Horizon View Client for Windows version.

Today VMware has released the following new security advisory:

VMSA-2017-0008.2 – VMware Unified Access Gateway, Horizon View and Workstation updates resolve multiple security vulnerabilities

This documents several critical memory corruption vulnerabilities affecting VMware Unified Access Gateway (formerly called Access Point) (8.2.x, 2.7.x and 2.5.x), Horizon View (7.x, 6.x),  and Horizon View Client for Windows (4.x) and Workstation (12.5.x).

Issue (a) is a heap-based buffer overflow vulnerability (CVE-2017-4907) which affects VMware Unified Access Gateway and Horizon View. This issue may be exploited remotely to execute code on the security gateway. VMware Unified Access Gateway 2.9 is not affected. This issue has been addressed in VMware Unified Access Gateway 2.8.1, Horizon View 7.1.0 and 6.2.4.

Issues (b), (c) and (d) are heap-based buffer-overflow, out-of-bounds read/write and integer-overflow vulnerabilities (CVE-2017-4908, CVE-2017-4909, CVE-2017-4910, CVE-2017-4911, CVE-2017-4912, CVE-2017-4913) in JPEG2000 and TrueType Font (TTF) parsers in the TPView.dll. These issues exist due the use of vulnerable Cortado ThinPrint component and impact VMware Horizon View Client for Windows and Workstation. Exploitation is possible only if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View. These issues have been addressed in VMware Workstation 12.5.3 and  Horizon View Client for Windows 4.4.0.

We would like to thank Claudio Moletta (redr2e), and Ke Liu of Tencent’s Xuanwu Lab,  Gogil and Giwan Go of STEALIEN working with ZDI for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0007

On Tuesday, 4th of April 2017 a remote code-execution issue in the BlazeDS library (CVE-2017-5641) was disclosed in a US-CERT security advisory. We have reviewed the issue and determined that VMware vCenter Server 6.5 and 6.0 are affected due to the use of BlazeDS to process AMF3 messages. VMware vCenter Server 5.5 is not affected.

We have released the following new security advisory which documents the fixes for VMware vCenter Server 6.5 and 6.0 along with the workarounds:

VMSA-2017-0007– VMware vCenter Server update resolves a remote code execution vulnerability via BlazeDS

Successful exploitation of this issue may allow an attacker to execute arbitrary code when deserializing an untrusted Java object. The issue is present in the Customer Experience Improvement Program (CEIP) opt-in UI. The vulnerability will still be present even if a customer has opted out of CEIP. Resolution of this vulnerability requires applying the fixes or the workarounds. We have also investigated this issue against the other VMware products. VMware products which are not listed in the security advisory are not affected.

We would like to thank Markus Wulftange of Code White GmbH for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

New VMware Security Advisory VMSA-2017-0005

Today VMware has released the following new security advisory:

VMSA-2017-0005 – VMware Workstation and Fusion updates address out-of-bounds memory access vulnerability

The advisory documents a critical severity out-of-bounds memory access vulnerability (CVE-2017-4901). Exploitation of the issue may allow a guest to execute code on the operating system that runs Workstation or Fusion. ESXi is not affected.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

New VMware Security Advisory VMSA-2017-0002

Greetings from the VMware Security Response Center !

Today VMware has released the following new security advisory:

VMSA-2017-0002 – Horizon DaaS update addresses an insecure data validation issue”

The advisory documents a moderate severity insecure data validation issue (CVE-2017-4897) in VMware Horizon DaaS. All 6.1.x versions are affected.

This vulnerability can be exploited by tricking DaaS client users into connecting to a malicious server and sharing all their drives and devices. Horizon DaaS 7.0.0 carries a fix for this issue.

VMware would like to thank Ahmad Ashraff of Aura Information Security for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA Improvements

Greetings from the VMware Security Response Center!

We’ve made some minor improvements in our latest VMSA based on community feedback and I thought we should share what these changes are and why we’ve made them.

Added an overall severity to the advisory itself in the header section

This is to better inform you, the customer, of the severity level of the VMSA as a whole. The severity level in this field will always be equal to the highest severity of any individual vulnerability mentioned in the VMSA. For details on our severity classifications, please see our VMware Security Response Policy.

Overhauled the ‘Relevant Releases’ section

We have renamed this section ‘Relevant Products’ and simplified it. Previously we would attempt to enumerate all releases of affected products and list them. We have found this section to be somewhat confusing for our customers. The idea of this section was to provide you with a quick reference to determine if the advisory was applicable to your environment. We have further simplified this to simply list product lines rather than versions. If you have a product from this list in your environment, you should definitely read the rest of the advisory.

Added a severity column to the section “3. Problem Description” tables

It is commonplace that a single vulnerability may affect our different products in various ways. This column will allow us to better describe the severity of an issue as it relates to a specific product.

Added a workaround column to the section “3. Problem Description” tables

This column will be used to point to knowledge base articles which describe workarounds that you can perform immediately to mitigate or remove the possibility of exploitation that the vulnerability presents. Please note, we always recommend upgrading to the product versions listed in the table but we also understand this may take time from a practical standpoint. There will not always be a workaround for every issue, but we will provide them whenever they are possible and functionally feasible.

So those are the improvements we have added to the VMSA. We will not be updating previous VMSAs with this information, but these will persist in all future VMSAs. We hope this will help to simplify and clarify the issues we disclose in these advisories.

Please, drop us a line at security@vmware.com if you have any questions, comments, or suggestions.
————————
Edward Hawkins
Senior Program Manager
VMware Security Response Center
security@vmware.com