====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN286
_____________________________________________________________________

DATE                : 21/05/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):Systems running VMware Workstation Pro/Player
                         (Workstation) versions prior to 16.1.2,
                 Horizon Client for Windows versions prior to 5.5.2.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2021-0009.html
_____________________________________________________________________

Low

Advisory ID:    VMSA-2021-0009
CVSSv3 Range:   3.2
Issue Date:     2021-05-20
Updated On:     2021-05-20 (Initial Advisory)
CVE(s):         CVE-2021-21987, CVE-2021-21988, CVE-2021-21989


Synopsis:
VMware Workstation and Horizon Client for Windows updates address
multiple security vulnerabilities (CVE-2021-21987, CVE-2021-21988,
CVE-2021-21989)


1. Impacted Products

    VMware Workstation Pro / Player (Workstation)
    VMware Horizon Client for Windows


2. Introduction

Multiple vulnerabilities in VMware Workstation and Horizon Client for
Windows were privately reported to VMware. Updates and workarounds are
available to remediate these vulnerabilities in affected VMware
products.


3. Multiple out-of-bounds read vulnerabilities via Cortado ThinPrint
(CVE-2021-21987, CVE-2021-21988, CVE-2021-21989)

Description

VMware Workstation and Horizon Client for Windows contain multiple
out-of-bounds read vulnerabilities in the Cortado ThinPrint component.
These issues exist in the TTC and JPEG2000 parsers. VMware has evaluated
the severity of these issues to be in the low severity range with a
CVSSv3 base score of 3.2.

Known Attack Vectors

A malicious actor with access to a virtual machine or remote desktop may
be able to exploit these issues leading to information disclosure from
the TPView process running on the system where Workstation or Horizon
Client for Windows is installed.

Resolution

To remediate CVE-2021-21987 (TTC parser), CVE-2021-21988 (JPEG2000
parser) and CVE-2021-21989 (TTC parser) apply the patches listed in the
'Fixed Version' column of the 'Response Matrix' found below.


Workarounds

None.


Additional Documentation

None.


Notes

Exploitation is only possible if virtual printing has been enabled. This
feature is not enabled by default on Workstation but it is enabled by
default on Horizon Client for Windows.

Acknowledgements

VMware would like to thank Anonymous of Trend Micro's Zero Day
Initiative for reporting these issues (CVE-2021-21987, CVE-2021-21988
and CVE-2021-21989) and Hou JingYi (@hjy79425575) of Qihoo 360 for
reporting CVE-2021-21987 to us.


Response Matrix

Product 	Version 	Running On 	CVE Identifier 	CVSSv3 	Severity 	Fixed
Version 	Workarounds 	Additional Documentation

Horizon Client for Windows   5.x and prior    Windows    CVE-2021-21987,
CVE-2021-21988, CVE-2021-21989    3.2    low    5.5.2    None     None

Workstation    16.x    Any    CVE-2021-21987, CVE-2021-21988,
CVE-2021-21989    3.2    low    16.1.2     None    None


4. References

VMware Workstation Pro 16.1.2
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html



VMware Workstation Player 16.1.2
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html


VMware Horizon Client 5.5.2
https://my.vmware.com/en/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_horizon_clients/horizon_7_5_0
https://docs.vmware.com/en/VMware-Horizon-Client-for-Windows/5.5.2/rn/horizon-client-windows-552-release-notes.html


TBAMitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21987
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21989



FIRST CVSSv3 Calculator:

CVE-2021-21987 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

CVE-2021-21988 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

CVE-2021-21989 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N


5. Change Log

2021-05-20 VMSA-2021-0009
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce



This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org



E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2021 VMware Inc. All rights reserved.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================