Home > Blogs > VMware Security & Compliance Blog > Tag Archives: Workstation

Tag Archives: Workstation

New VMware Security Advisories VMSA-2017-0018 and VMSA-2017-0019

11/17/2017 – Updated VMSA-2017-0018 to add the DLL hijacking  issue.

Today, we released VMSA-2017-0018 and VMSA-2017-0019.

VMSA-2017-0018 – VMware Workstation, Fusion, and Horizon View Client updates resolve multiple security vulnerabilities

This documents critical, important and moderate severity vulnerabilities affecting VMware Horizon View Client for Windows 4.x, Workstation 12.x and Fusion 8.x.

Issue (a) is a heap-based buffer overflow vulnerability (CVE-2017-4934) which affects VMware Workstation and Fusion and may allow a guest to execute code on the host. This issue has been addressed in VMware Workstation 12.5.8 and Fusion 8.5.9.

Issues (b) and (c) are out-of-bounds read/write vulnerabilities (CVE-2017-4935, CVE-2017-4936 and CVE-2017-4937) in JPEG2000 parser in the TPView.dll. These issues exist due the use of vulnerable Cortado ThinPrint component and impact VMware Horizon View Client for Windows and Workstation. Exploitation is possible only if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View. These issues have been addressed in VMware Workstation 12.5.8 and Horizon View Client for Windows 4.6.1.

Issue (d) is a NULL pointer dereference vulnerability (CVE-2017-4938) in guest RPC and affects VMware Workstation and Fusion. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs. This issue has been addressed in VMware Workstation 12.5.8 and Fusion 8.5.9.

Issue (e) is a DLL hijacking issue (CVE-2017-4939) that exists due to some DLL files loaded by the application improperly. This issue may allow an attacker to load a DLL file of the attacker’s choosing that could execute arbitrary code. VMware Workstation versions 12.x are affected. Workstation 12.5.8 fixes this issue.

We would like to thank Ke Liu of Tencent’s Xuanwu Lab, Skyer, Björn Ruytenberg, Jun Mao of Tencent PC Manager working with Trend Micro’s Zero Day Initiative and Anonymous working with Trend Micro’s Zero Day Initiative for reporting these issues to us.

VMSA-2017-0019 – NSX for vSphere update addresses NSX Edge Cross-Site Scripting (XSS) issue

This documents a moderate severity cross-site scripting issue (CVE-2017-4929) affecting NSX Edge (6.2.x, and 6.3.x). Successful exploitation of this issue may lead to information disclosure. This issue has been addressed in NSX Edge versions 6.2.9 and 6.3.5.

We would like to thank Jarad Kopf of Deltek and Issam Rabhi for independently reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0015.1

Update: 2017-09-15 Corrected the underlying component  affected from SVGA driver to device.

Today VMware has released the following new security advisory:

VMSA-2017-0015.1VMware ESXi, vCenter Server, Fusion and Workstation updates resolve multiple security vulnerabilities

This documents the remediation of a critical severity issue (CVE-2017-4924) and two moderate severity issues (CVE-2017-4925 and CVE-2017-4926). These issues affect VMware ESXi, VMware Workstation, VMware Fusion and VMware vCenter Server.

Issue (a) CVE-2017-4924 is an out-of-bounds write vulnerability in SVGA device which may allow a guest to execute code on the host. This issue affects ESXi 6.5, Fusion and Workstation. It has been addressed through an ESXi 6.5 patch, and in Fusion 8.5.8 and Workstation 12.5.7. ESXi 6.0 and 5.x are not affected.

Issue (b) CVE-2017-4925 is a NULL pointer dereference vulnerability that occurs when handling guest RPC requests. This may allow attackers with normal user privileges to crash their VMs. ESXi, Fusion and Workstation are affected. Fusion 8.5.4 and Workstation 12.5.3 fix this issue. Please refer to VMSA-2017-0015 for ESXi 6.5, 6.0 and 5.5 patches.

Issue (c) CVE-2017-4926 is a stored XSS in H5 Client and affects only VMware vCenter Server 6.5. An attacker with VC user privileges can inject malicious java-scripts which will get executed when other VC users access the page. vCenter Server 6.5 U1 fixes this issue.

We would like to thank Nico Golde and Ralf-Philipp Weinmann of Comsecuris UG (haftungsbeschraenkt) working with ZDI, Zhang Haitao, and Thomas Ornetzeder for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0009

Today VMware has released the following new security advisory:

VMSA-2017-0009 – VMware Workstation update addresses multiple security issues

This documents an important severity insecure library loading issue via ALSA sound driver configuration files (CVE-2017-4915) and a moderate severity NULL pointer dereference issue (CVE-2017-4916) affecting Workstation Pro/Player.

All VMware Workstation Pro/Player 12.x are affected.

Successful exploitation of the insecure library loading issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.

The NULL pointer dereference vulnerability exists in the vstor2 driver and may allow host users with normal user privileges to trigger a denial-of-service in a Windows host machine.

Workstation Pro/Player 12.5.6 fixes all these issues.

VMware would like to thank Jann Horn of Google Project Zero and Borja Merino for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0008.2

Update 04/21/2017: Updated security advisory to clarify the Unified Access Gateway and Horizon View affected versions.

Update 04/19/2017: We have corrected the Horizon View Client for Windows version.

Today VMware has released the following new security advisory:

VMSA-2017-0008.2 – VMware Unified Access Gateway, Horizon View and Workstation updates resolve multiple security vulnerabilities

This documents several critical memory corruption vulnerabilities affecting VMware Unified Access Gateway (formerly called Access Point) (8.2.x, 2.7.x and 2.5.x), Horizon View (7.x, 6.x),  and Horizon View Client for Windows (4.x) and Workstation (12.5.x).

Issue (a) is a heap-based buffer overflow vulnerability (CVE-2017-4907) which affects VMware Unified Access Gateway and Horizon View. This issue may be exploited remotely to execute code on the security gateway. VMware Unified Access Gateway 2.9 is not affected. This issue has been addressed in VMware Unified Access Gateway 2.8.1, Horizon View 7.1.0 and 6.2.4.

Issues (b), (c) and (d) are heap-based buffer-overflow, out-of-bounds read/write and integer-overflow vulnerabilities (CVE-2017-4908, CVE-2017-4909, CVE-2017-4910, CVE-2017-4911, CVE-2017-4912, CVE-2017-4913) in JPEG2000 and TrueType Font (TTF) parsers in the TPView.dll. These issues exist due the use of vulnerable Cortado ThinPrint component and impact VMware Horizon View Client for Windows and Workstation. Exploitation is possible only if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View. These issues have been addressed in VMware Workstation 12.5.3 and  Horizon View Client for Windows 4.4.0.

We would like to thank Claudio Moletta (redr2e), and Ke Liu of Tencent’s Xuanwu Lab,  Gogil and Giwan Go of STEALIEN working with ZDI for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2017-0005

Today VMware has released the following new security advisory:

VMSA-2017-0005 – VMware Workstation and Fusion updates address out-of-bounds memory access vulnerability

The advisory documents a critical severity out-of-bounds memory access vulnerability (CVE-2017-4901). Exploitation of the issue may allow a guest to execute code on the operating system that runs Workstation or Fusion. ESXi is not affected.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.