VMSA-2017-0018.1

VMware Workstation, Fusion and Horizon View Client updates resolve multiple security vulnerabilities

VMware Security Advisory
 
VMware Security Advisory Advisory ID:
 VMSA-2017-0018.1
VMware Security Advisory Severity:
 Critical
VMware Security Advisory Synopsis:
 VMware Workstation, Fusion and Horizon View Client updates resolve multiple security vulnerabilities
VMware Security Advisory Issue date:
 2017-11-16
VMware Security Advisory Updated on:
2017-11-17
VMware Security Advisory CVE numbers:
CVE-2017-4934, CVE-2017-4935, CVE-2017-4936, CVE-2017-4937, CVE-2017-4938, CVE-2017-4939
 
1. Summary

VMware Workstation, Fusion and Horizon View Client updates resolve multiple security vulnerabilities

2. Relevant Products
  • VMware Workstation Pro / Player (Workstation) 
  • VMware Fusion Pro / Fusion (Fusion)
3. Problem Description

a. Heap buffer-overflow vulnerability in VMNAT device

 

VMware Workstation and Fusion contain a heap buffer-overflow vulnerability in VMNAT device. This issue may allow a guest to execute code on the host.

 

VMware would like to thank Jun Mao of Tencent PC Manager working with Trend Micro's Zero Day Initiative for reporting this issue to us.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4934 to this issue.

 

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Workaround
VMware Product Workstation
Product Version 14.x
Running on Any
Severity N/A
Replace with/ Apply Patch Not affected
Workaround N/A
VMware Product Workstation
Product Version 12.x
Running on Any
Severity Critical
Replace with/ Apply Patch 12.5.8
Workaround None
VMware Product Fusion
Product Version 10.x
Running on OS X
Severity N/A
Replace with/ Apply Patch Not affected
Workaround N/A
VMware Product Fusion
Product Version 8.x
Running on OS X
Severity Critical
Replace with/ Apply Patch 8.5.9
Workaround None

 

 

b. Out-of-bounds write via Cortado ThinPrint

 

VMware Workstation and Horizon View Client contain an out-of-bounds write vulnerability in JPEG2000 parser in the TPView.dll.   

 

On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon  View Client.      

 

Exploitation is only possible if virtual printing has been enabled.  This feature is not enabled by default on Workstation but it is enabled by default on Horizon View Client. 

 

VMware would like to thank Anonymous working with Trend Micro's Zero Day Initiative for reporting this issue to us.  

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4935 to this issue.

 

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Workaround
VMware Product Horizon View Client for Windows
Product Version 4.x
Running on Windows
Severity Critical
Replace with/ Apply Patch 4.6.1
Workaround None
VMware Product Workstation
Product Version 14.x
Running on Any
Severity N/A
Replace with/ Apply Patch Not affected
Workaround N/A
VMware Product Workstation
Product Version 12.x
Running on Windows
Severity Critical
Replace with/ Apply Patch 12.5.8
Workaround None
VMware Product Workstation
Product Version 12.x
Running on Linux
Severity N/A
Replace with/ Apply Patch Not affected
Workaround N/A

 

 

c. Multiple out-of-bounds read issues via Cortado ThinPrint

 

VMware Workstation and Horizon View Client contain multiple out-of-bounds read vulnerabilities in JPEG2000 parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client.   

 

Exploitation is only possible if virtual printing has been enabled.  This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.      

 

VMware would like to thank Ke Liu of Tencent's Xuanwu Lab for reporting these issues to us.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-4936 (JPEG2000 Issue-1) and CVE-2017-4937 (JPEG2000 Issue-2) to these issues.

 

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Workaround
VMware Product Horizon View Client for Windows
Product Version 4.x
Running on Windows
Severity Critical
Replace with/ Apply Patch 4.6.1
Workaround None
VMware Product Workstation
Product Version 14.x
Running on Any
Severity N/A
Replace with/ Apply Patch Not affected
Workaround N/A
VMware Product Workstation
Product Version 12.x
Running on Windows
Severity Critical
Replace with/ Apply Patch 12.5.8
Workaround None
VMware Product Workstation
Product Version 12.x
Running on Linux
Severity N/A
Replace with/ Apply Patch Not affected
Workaround N/A

 

 

d. Guest RPC NULL pointer dereference vulnerability

 

VMware Workstation and Fusion contain a guest RPC NULL pointer dereference vulnerability. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs.

 

VMware would like to thank Skyer for reporting this issue to us.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4938 to this issue.

 

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Workaround
VMware Product Workstation
Product Version 14.x
Running on Any
Severity N/A
Replace with/ Apply Patch Not affected
Workaround N/A
VMware Product Workstation
Product Version 12.x
Running on Any
Severity Moderate
Replace with/ Apply Patch 12.5.8
Workaround None
VMware Product Fusion
Product Version 10.x
Running on OS X
Severity N/A
Replace with/ Apply Patch Not affected
Workaround N/A
VMware Product Fusion
Product Version 8.x
Running on OS X
Severity Moderate
Replace with/ Apply Patch 8.5.9
Workaround None

 

 

e. Workstation installer DLL hijacking issue  

 

Workstation installer contains a DLL hijacking issue that exists due to some DLL files loaded by the application improperly. This issue may allow an attacker to load a DLL file of the attacker's choosing that could execute arbitrary code.   

 

VMware would like to thank Björn Ruytenberg for reporting this issue to us.       

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4939 to this issue.         

 

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product
Product Version
Running on
Severity
Replace with/ Apply Patch
Workaround
VMware Product Workstation
Product Version 14.x
Running on Any
Severity N/A
Replace with/ Apply Patch Not affected
Workaround N/A
VMware Product Workstation
Product Version 12.x
Running on Windows
Severity Important
Replace with/ Apply Patch 12.5.8
Workaround None
VMware Product Workstation
Product Version 12.x
Running on Linux
Severity N/A
Replace with/ Apply Patch Not affected
Workaround N/A

 

 

4. Solution

 

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

 

VMware Horizon View Client 4.6.1

Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=CART18FQ3_WIN_461&productId=578&rPId=18817

 

VMware Workstation Pro 12.5.8

Downloads and Documentation:

https://www.vmware.com/go/downloadworkstation  

https://www.vmware.com/support/pubs/ws_pubs.html

 

VMware Workstation Player 12.5.8

Downloads and Documentation:

https://www.vmware.com/go/downloadplayer

https://www.vmware.com/support/pubs/player_pubs.html

 

VMware Fusion Pro / Fusion 8.5.9

Downloads and Documentation:

https://www.vmware.com/go/downloadfusion

https://www.vmware.com/support/pubs/fusion_pubs.html

 

5. References

 

          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4934

          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4935

          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4936

          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4937

          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4938   

          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4939        

            

6. Change log

 

2017-11-16 VMSA-2017-0018

Initial security advisory in conjunction with the release of VMware Workstation 12.5.8 and Fusion 8.5.9 on 2017-11-16.

 

2017-11-17 VMSA-2017-0018.1   

Updated security advisory to add issue 3(e).

 

7. Contact

 

E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com

bugtraq@securityfocus.com

fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at: https://kb.vmware.com/kb/1055

 

VMware Security Advisories

http://www.vmware.com/security/advisories

 

Consolidated list of VMware Security Advisories

http://kb.vmware.com/kb/2078735

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2017 VMware Inc. All rights reserved.