==================================================================== CERT-Renater Note d'Information No. 2017/VULN351 _____________________________________________________________________ DATE : 17/11/2017 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running VMware Workstation versions 12.x prior to 12.5.8, VMware Fusion versions 8.x prior to 8.5.9, VMware Horizon View Client versions 4.x prior to 4.6.1. ===================================================================== https://lists.vmware.com/pipermail/security-announce/2017/000390.html _______________________________________________________________ - ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2017-0018 Severity: Critical Synopsis: VMware Workstation, Fusion and Horizon View Client updates resolve multiple security vulnerabilities Issue date: 2017-11-16 Updated on: 2017-11-16 (Initial Advisory) CVE number: CVE-2017-4934, CVE-2017-4935, CVE-2017-4936, CVE-2017-4937, CVE-2017-4938 1. Summary VMware Workstation, Fusion and Horizon View Client updates resolve multiple security vulnerabilities 2. Relevant Products VMware Workstation Pro / Player (Workstation) VMware Fusion Pro / Fusion (Fusion) 3. Problem Description a. Heap buffer-overflow vulnerability in VMNAT device VMware Workstation and Fusion contain a heap buffer-overflow vulnerability in VMNAT device. This issue may allow a guest to execute code on the host. VMware would like to thank Jun Mao of Tencent PC Manager working with ZDI for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4934 to this issue. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Mitigation Product Version on Severity Apply patch Workaround ============== ======= ======= ======== ============= ========== Workstation 14.x Any N/A Not affected N/A Workstation 12.x Any Critical 12.5.8 None Fusion 10.x OS X N/A Not affected N/A Fusion 8.x OS X Critical 8.5.9 None b. Out-of-bounds write via Cortado ThinPrint VMware Workstation and Horizon View Client contain an out-of-bounds write vulnerability in JPEG2000 parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View Client. VMware would like to thank Anonymous working with ZDI for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4935 to this issue. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Mitigation Product Version on Severity Apply patch Workaround ============== ======= ======= ======== ============= =========== Horizon View 4.x Windows Critical 4.6.1 None Client for Windows Workstation 14.x Any N/A Not affected N/A Workstation 12.x Windows Critical 12.5.8 None c. Multiple out-of-bounds read issues via Cortado ThinPrint VMware Workstation and Horizon View Client contain multiple out-of-bounds read vulnerabilities in JPEG2000 parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View. VMware would like to thank Ke Liu of Tencent's Xuanwu Lab for reporting these issues to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-4936 (JPEG2000 Issue-1) and CVE-2017-4937 (JPEG2000 Issue-2) to these issues. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Mitigation Product Version on Severity Apply patch Workaround ============== ======= ======= ======== ============= =========== Horizon View 4.x Windows Critical 4.6.1 None Client for Windows Workstation 14.x Any N/A Not affected N/A Workstation 12.x Windows Critical 12.5.8 None d. Guest RPC NULL pointer dereference vulnerability VMware Workstation and Fusion contain a guest RPC NULL pointer dereference vulnerability. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs. VMware would like to thank Skyer for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4938 to this issue. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Mitigation Product Version on Severity Apply patch Workaround ============== ======= ======= ======== ============= ========== Workstation 14.x Any N/A Not affected N/A Workstation 12.x Any Moderate 12.5.8 None Fusion 10.x OS X N/A Not affected N/A Fusion 8.x OS X Moderate 8.5.9 None 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. VMware Horizon View Client 4.6.1 Downloads and Documentation: https://my.vmware.com/web/vmware/details? downloadGroup=CART18FQ3_WIN_461&productId=578&rPId=18817 VMware Workstation Pro 12.5.8 Downloads and Documentation: https://www.vmware.com/go/downloadworkstation https://www.vmware.com/support/pubs/ws_pubs.html VMware Workstation Player 12.5.8 Downloads and Documentation: https://www.vmware.com/go/downloadplayer https://www.vmware.com/support/pubs/player_pubs.html VMware Fusion Pro / Fusion 8.5.9 Downloads and Documentation: https://www.vmware.com/go/downloadfusion https://www.vmware.com/support/pubs/fusion_pubs.html 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4934 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4935 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4936 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4937 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4938 - ------------------------------------------------------------------------ 6. Change log 2017-11-16 VMSA-2017-0018 Initial security advisory in conjunction with the release of VMware Workstation 12.5.8 and Fusion 8.5.9 on 2017-11-16. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce@lists.vmware.com bugtraq@securityfocus.com fulldisclosure@seclists.org E-mail: security@vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html VMware Security & Compliance Blog https://blogs.vmware.com/security Twitter https://twitter.com/VMwareSRC Copyright 2017 VMware Inc. All rights reserved. ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================