VMSA-2016-0014

VMware ESXi, Workstation, Fusion, and Tools updates address multiple security issues

VMware Security Advisory
 
VMware Security Advisory Advisory ID:
  VMSA-2016-0014
VMware Security Advisory Severity:
  Critical
VMware Security Advisory Synopsis:
  VMware ESXi, Workstation, Fusion, and Tools updates address multiple security issues
VMware Security Advisory Issue date:
  2016-09-13
VMware Security Advisory Updated on:
  2016-09-13 (Initial Advisory)
VMware Security Advisory CVE numbers:
  CVE-2016-7081, CVE-2016-7082, CVE-2016-7083, CVE-2016-7084, CVE-2016-7079, CVE-2016-7080, CVE-2016-7085, CVE-2016-7086
 
1. Summary

VMware ESXi, Workstation, Fusion, and Tools updates address multiple security issues

2. Relevant Products
  • ESXi
  • VMware Workstation Pro
  • VMware Workstation Player
  • VMware Fusion
  • VMware Tools
3. Problem Description

a. VMware Workstation heap-based buffer overflow vulnerabilities via Cortado ThinPrint 

 

VMware Workstation contains vulnerabilities that may allow a Windows-based Virtual Machine (VM) to trigger a heap-based buffer overflow. Exploitation of these issues may lead to arbitrary code execution in VMware Workstation running on Windows.

 

Exploitation is only possible if virtual printing has been enabled in VMware Workstation. This feature is not enabled by default. VMware Knowledge Base article 2146810 documents the procedure for enabling and disabling this feature.

 

VMware would like to thank E0DB6391795D7F629B5077842E649393 working with Trend Micro's Zero Day Initiative for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-7081 to this issue.

 

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

 

VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Workaround
VMware Product VMware Workstation Pro
Product Version 12.x
Running on Windows
Severity Critical
Replace with/ Apply Patch 12.5.0
Workaround KB2146810
VMware Product VMware Workstation Pro
Product Version 12.x
Running on Linux
Severity N/A
Replace with/ Apply Patch not affected
Workaround N/A
VMware Product VMware Workstation Player
Product Version 12.x
Running on Windows
Severity Critical
Replace with/ Apply Patch 12.5.0
Workaround KB2146810
VMware Product VMware Workstation Player
Product Version 12.x
Running on Linux
Severity N/A
Replace with/ Apply Patch not affected
Workaround N/A

 

b. VMware Workstation memory corruption vulnerabilities via Cortado Thinprint      

 

VMware Workstation contains vulnerabilities that may allow a Windows-based virtual machine (VM) to corrupt memory. This includes improper handling of EMF files (CVE-2016-7082), TrueType fonts embedded in EMFSPOOL (CVE-2016-7083), and JPEG2000 images (CVE-2016-7084) in tpview.dll. Exploitation of these issues may lead to arbitrary code execution in VMware   Workstation running on Windows.

 

Exploitation is only possible if virtual printing has been enabled in VMware Workstation. This feature is not enabled by default. VMware Knowledge Base article 2146810 documents the procedure for enabling and disabling this feature.

 

VMware would like to thank Mateusz Jurczyk of Google's Project Zero for reporting these   issues to us.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the   identifiers CVE-2016-7082, CVE-2016-7083, and CVE-2016-7084 to these issues. 

 

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Workaround
VMware Product VMware Workstation Pro
Product Version 12.x
Running on Windows
Severity Critical
Replace with/ Apply Patch 12.5.0
Workaround KB2146810
VMware Product VMware Workstation Pro
Product Version 12.x
Running on Linux
Severity N/A
Replace with/ Apply Patch not affected
Workaround N/A
VMware Product VMware Workstation Player
Product Version 12.x
Running on Windows
Severity Critical
Replace with/ Apply Patch 12.5.0
Workaround KB2146810
VMware Product VMware Workstation Player
Product Version 12.x
Running on Linux
Severity N/A
Replace with/ Apply Patch not affected
Workaround N/A

 

c. VMware Tools NULL pointer dereference vulnerabilities      

 

The graphic acceleration functions used in VMware Tools for OSX handle memory incorrectly. Two resulting NULL pointer dereference vulnerabilities may allow for local privilege escalation on Virtual Machines that run OSX.

 

The issues can be remediated by installing a fixed version of VMware Tools on affected OSX   VMs directly. Alternatively the fixed version of Tools can be installed through ESXi or Fusion after first updating to a version of ESXi or Fusion that ships with a fixed version of VMware Tools.

 

VMware would like to thank Dr. Fabien Duchene "FuzzDragon" and Jian Zhu for independently   reporting these issues to VMware.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the   identifiers CVE-2016-7079 and CVE-2016-7080 to these issues.

 

Column 5 of the following table lists the action required to remediate the vulnerability in   each release, if a solution is available.

VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Workaround
VMware Product VMware Tools
Product Version 10.x, 9.x
Running on Windows
Severity N/A
Replace with/ Apply Patch not affected
Workaround N/A
VMware Product VMware Tools
Product Version 10.x, 9.x
Running on Linux
Severity N/A
Replace with/ Apply Patch not affected
Workaround N/A
VMware Product VMware Tools
Product Version 10.x, 9.x
Running on OSX
Severity Important
Replace with/ Apply Patch 10.0.9*
Workaround None

 

*VMware Tools 10.0.9 can be downloaded independently and is also included in the following:

  • ESXi 6.0 patch ESXi600-201608403-BG
  • ESXi 5.5 patch ESXi550-201608102-SG
  • Fusion 8.5.0

 

d. VMware Workstation installer DLL hijacking issue      

 

Workstation installer contains a DLL hijacking issue that exists due to some DLL files loaded by the application improperly. This issue may allow an attacker to load a DLL file of the attacker's choosing that could execute arbitrary code.

VMware would like to thank Stefan Kanthak, Anand Bhat, and Himanshu Mehta for independantly reporting this issue to us.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-7085 to this issue. 

 

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Workaround
VMware Product VMware Workstation Pro
Product Version 12.x
Running on Windows
Severity Important
Replace with/ Apply Patch 12.5.0
Workaround None
VMware Product VMware Workstation Pro
Product Version 12.x
Running on Linux
Severity N/A
Replace with/ Apply Patch not affected
Workaround N/A
VMware Product VMware Workstation Player
Product Version 12.x
Running on Windows
Severity Important
Replace with/ Apply Patch 12.5.0
Workaround None
VMware Product VMware Workstation Player
Product Version 12.x
Running on Linux
Severity N/A
Replace with/ Apply Patch not affected
Workaround N/A

 

e. VMware Workstation installer insecure executable loading vulnerability      

 

Workstation installer contains an insecure executable loading vulnerability that may allow an attacker to execute an exe file placed in the same directory as installer with the name "setup64.exe". Successfully exploiting this issue may allow attackers to execute arbitrary code.

 

VMware would like to thank Adam Bridge for reporting this issue to us.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-7086 to this issue.

 

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Workaround
VMware Product VMware Workstation Pro
Product Version 12.x
Running on Windows
Severity Important
Replace with/ Apply Patch 12.5.0
Workaround None
VMware Product VMware Workstation Pro
Product Version 12.x
Running on Linux
Severity N/A
Replace with/ Apply Patch not affected
Workaround N/A
VMware Product VMware Workstation Player
Product Version 12.x
Running on Windows
Severity Important
Replace with/ Apply Patch 12.5.0
Workaround None
VMware Product VMware Workstation Player
Product Version 12.x
Running on Linux
Severity N/A
Replace with/ Apply Patch not affected
Workaround N/A

 

 

4. Solution

 

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

 

VMware ESXi 6.0

Downloads:

https://www.vmware.com/patchmgr/findPatch.portal

Documentation:

https://kb.vmware.com/kb/2145816

 

VMware ESXi 5.5

Downloads:

https://www.vmware.com/patchmgr/findPatch.portal

Documentation:

https://kb.vmware.com/kb/2144370

 

VMware Workstation Pro 12.5.0

Downloads and Documentation:

https://www.vmware.com/go/downloadworkstation

 

VMware Workstation Player 12.5.0

Downloads and Documentation:

https://www.vmware.com/go/downloadplayer

 

VMware Fusion 8.5.0

Downloads and Documentation:

https://www.vmware.com/go/downloadfusion

 

VMware Tools 10.0.9

Downloads and Documentation:

https://my.vmware.com/web/vmware/details?productId=491&downloadGroup=VMTOOLS1009

6. Change log

 

2016-09-13 VMSA-2016-0014 Initial security advisory in conjunction with the release of VMware Workstation 12.5.0 on 2016-09-13.

 

7. Contact

 

E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com

bugtraq@securityfocus.com

fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

http://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.htmlTwitterhttps://twitter.com/VMwareSRC

 

Copyright 2016 VMware Inc. All rights reserved.

 

Sign up for Security Advisories

Enter your email address: