VMSA-2017-0018.1
VMware Workstation, Fusion and Horizon View Client updates resolve multiple security vulnerabilities
VMware Security Advisory
1. Summary
VMware Workstation, Fusion and Horizon View Client updates resolve multiple security vulnerabilities
2. Relevant Products
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
3. Problem Description
a. Heap buffer-overflow vulnerability in VMNAT device
VMware Workstation and Fusion contain a heap buffer-overflow vulnerability in VMNAT device. This issue may allow a guest to execute code on the host.
VMware would like to thank Jun Mao of Tencent PC Manager working with Trend Micro's Zero Day Initiative for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4934 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Workaround
b. Out-of-bounds write via Cortado ThinPrint
VMware Workstation and Horizon View Client contain an out-of-bounds write vulnerability in JPEG2000 parser in the TPView.dll.
On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client.
Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View Client.
VMware would like to thank Anonymous working with Trend Micro's Zero Day Initiative for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4935 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Workaround
c. Multiple out-of-bounds read issues via Cortado ThinPrint
VMware Workstation and Horizon View Client contain multiple out-of-bounds read vulnerabilities in JPEG2000 parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client.
Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.
VMware would like to thank Ke Liu of Tencent's Xuanwu Lab for reporting these issues to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-4936 (JPEG2000 Issue-1) and CVE-2017-4937 (JPEG2000 Issue-2) to these issues.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Workaround
d. Guest RPC NULL pointer dereference vulnerability
VMware Workstation and Fusion contain a guest RPC NULL pointer dereference vulnerability. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs.
VMware would like to thank Skyer for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4938 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Workaround
e. Workstation installer DLL hijacking issue
Workstation installer contains a DLL hijacking issue that exists due to some DLL files loaded by the application improperly. This issue may allow an attacker to load a DLL file of the attacker's choosing that could execute arbitrary code.
VMware would like to thank Björn Ruytenberg for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4939 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Workaround
4. Solution
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
VMware Horizon View Client 4.6.1
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=CART18FQ3_WIN_461&productId=578&rPId=18817
VMware Workstation Pro 12.5.8
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://www.vmware.com/support/pubs/ws_pubs.html
VMware Workstation Player 12.5.8
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://www.vmware.com/support/pubs/player_pubs.html
VMware Fusion Pro / Fusion 8.5.9
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://www.vmware.com/support/pubs/fusion_pubs.html
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4934
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4935
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4939
6. Change log
2017-11-16 VMSA-2017-0018
Initial security advisory in conjunction with the release of VMware Workstation 12.5.8 and Fusion 8.5.9 on 2017-11-16.
2017-11-17 VMSA-2017-0018.1
Updated security advisory to add issue 3(e).
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org
E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2017 VMware Inc. All rights reserved.