ESB-2016.2166.2 - UPDATE [Win][UNIX/Linux][Virtual] VMware products: Multiple vulnerabilities 2018-01-02


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2016.2166.2
                         VMware Security Advisory
                              2 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware Workstation Pro
                   VMware Workstation Player
                   VMware Fusion
                   VMware Tools
Publisher:         VMware
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   VMware ESX Server
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-7086 CVE-2016-7085 CVE-2016-7084
                   CVE-2016-7083 CVE-2016-7082 CVE-2016-7081
                   CVE-2016-7080 CVE-2016-7079 

Original Bulletin: 
   https://www.vmware.com/us/security/advisories/VMSA-2016-0014.html

Revision History:  January    2 2018: Updated affected versions and resolution for CVE-2016-7082
                   September 15 2016: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -----------------------------------------------------------------------
                          VMware Security Advisory

Advisory ID: VMSA-2016-0014.1
Severity:    Critical
Synopsis:    VMware ESXi, Workstation, Fusion, & Tools updates address
             multiple security issues
Issue date:  2016-09-13
Updated on:  2017-12-21
CVE number:  CVE-2016-7081,CVE-2016-7082,CVE-2016-7083,CVE-2016-7084,
             CVE-2016-7079,CVE-2016-7080,CVE-2016-7085,CVE-2016-7086

1. Summary

   VMware ESXi, Workstation, Fusion, and Tools updates address multiple
   security issues.

2. Relevant Products

   ESXi
   VMware Workstation Pro
   VMware Workstation Player
   VMware Fusion
   VMware Tools

3. Problem Description

   a. VMware Workstation heap-based buffer overflow vulnerabilities via
      Cortado ThinPrint

   VMware Workstation contains vulnerabilities that may allow a
   Windows-based virtual machine (VM) to trigger heap-based buffer
   overflows in the Windows-based hypervisor running VMware Workstation
   that the VM resides on. Exploitation of this issue may lead to
   arbitrary code execution in the hypervisor OS.

   Exploitation is only possible if virtual printing has been enabled
   in VMware Workstation. This feature is not enabled by default.
   VMware Knowledge Base article 2146810 documents the procedure for
   enabling and disabling this feature.

   VMware would like to thank E0DB6391795D7F629B5077842E649393 working
   with Trend Micro's Zero Day Initiative for reporting this issue to
   us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7081 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware             Product Running          Replace with/
   Product            Version on      Severity Apply Patch** Workaround
   ===============    ======= ======= ======== ============= ==========
   Workstation Pro    12.x    Windows Critical 12.5.0        KB2146810
   Workstation Pro    12.x    Linux   N/A      not affected  N/A
   Workstation Player 12.x    Windows Critical 12.5.0        KB2146810
   Workstation Player 12.x    Linux   N/A      not affected  N/A

   b. VMware Workstation memory corruption vulnerabilities via Cortado
      ThinPrint

   VMware Workstation contains vulnerabilities that may allow a
   Windows-based virtual machine (VM) to corrupt memory in the
   Windows-based hypervisor running VMware Workstation that the VM
   resides on. These include TrueType fonts embedded in EMFSPOOL
   (CVE-2016-7083), and JPEG2000 images (CVE-2016-7084) in tpview.dll.
   Exploitation of these issues may lead to arbitrary code execution in
   the hypervisor OS.

   Exploitation is only possible if virtual printing has been enabled
   in VMware Workstation. This feature is not enabled by default.
   VMware Knowledge Base article 2146810 documents the procedure for
   enabling and disabling this feature.

   VMware would like to thank Mateusz Jurczyk of Google's Project Zero
   for reporting these issues to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifiers CVE-2016-7083, and CVE-2016-7084 to these
   issues.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware             Product Running          Replace with/
   Product            Version on      Severity Apply Patch   Workaround
   ===============    ======= ======= ======== ============= ==========
   Workstation Pro    12.x    Windows Critical 12.5.0        N/A
   Workstation Pro    12.x    Linux   N/A      not affected  N/A
   Workstation Player 12.x    Windows Critical 12.5.0        N/A
   Workstation Player 12.x    Linux   N/A      not affected  N/A


   c. VMware Tools NULL pointer dereference vulnerabilities

   The graphic acceleration functions used in VMware Tools for OSX
   handle memory incorrectly. Two resulting NULL pointer dereference
   vulnerabilities may allow for local privilege escalation on Virtual
   Machines that run OSX.

   The issues can be remediated by installing a fixed version of VMware
   Tools on affected OSX VMs directly. Alternatively the fixed version
   of Tools can be installed through ESXi or Fusion after first
   updating to a version of ESXi or Fusion that ships with a fixed
   version of VMware Tools.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifiers CVE-2016-7079 and CVE-2016-7080 to these
   issues.

   VMware would like to thank Dr. Fabien Duchene "FuzzDragon" and Jian
   Zhu for independently reporting these issues to VMware.

   VMware       Product   Running           Replace with/
   Product      Version   on      Severity  Apply Patch   Workaround
   ============ ========= ======= ========= ============= ==========
   VMware Tools 10.x, 9.x Windows N/A       not affected  N/A
   VMware Tools 10.x, 9.x Linux   N/A       not affected  N/A
   VMware Tools 10.x, 9.x OSX     Important 10.0.9*       None

   *VMware Tools 10.0.9 can be downloaded independently and is included
    in the following:
     -ESXi 6.0 patch ESXi600-201608403-BG
     -ESXi 5.5 patch ESXi550-201608102-SG
     -Fusion 8.5.0

   d. VMware Workstation installer DLL hijacking issue

   The Workstation Pro/Player installer contains a DLL hijacking issue
   that exists because the application loads some DLL files improperly.
   This issue may allow an unauthenticated remote attacker to load a
   DLL file of the attacker's choosing that could execute arbitrary
   code.

   VMware would like to thank Anand Bhat and Himanshu Mehta for
   individually reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7085 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

  VMware             Product Running           Replace with/
  Product            Version on      Severity  Apply Patch   Workaround
  ===============    ======= ======= ========  ============= ==========
  Workstation Pro    12.x    Windows Important 12.5.0        None
  Workstation Pro    12.x    Linux   N/A       not affected  N/A
  Workstation Player 12.x    Windows Important 12.5.0        None
  Workstation Player 12.x    Linux   N/A       not affected  N/A

   e. VMware Workstation installer insecure executable loading
      vulnerability

   The Workstation installer contains an insecure executable loading
   vulnerability that may allow an attacker to execute any exe file
   placed in the same directory as the installer with the name
   "setup64.exe". Successfully exploiting this issue may allow attackers
   to escalate their privileges and execute arbitrary code.

   VMware would like to thank Adam Bridge for reporting this issue to
   us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7086 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware             Product Running           Replace with/
   Product            Version on      Severity  Apply Patch   Workaround
   ===============    ======= ======= ========  ============= ==========
   Workstation Pro    12.x    Windows Important 12.5.0        None
   Workstation Pro    12.x    Linux   N/A       not affected  N/A
   Workstation Player 12.x    Windows Important 12.5.0        None
   Workstation Player 12.x    Linux   N/A       not affected  N/A
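
   A pre-launch check for issues 3d and 3e, added here as an example
   and not part of the VMware or AusCERT text: it lists files beside a
   downloaded installer that it could pick up, then copies the installer
   into a newly created directory after a checksum match. The installer
   file name, the use of SHA-256, and treating sibling DLLs as suspect
   are assumptions; only the name "setup64.exe" comes from the advisory.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Name taken from the advisory (CVE-2016-7086). Sibling ".dll" files are flagged
# on the assumption that the CVE-2016-7085 hijack uses the installer's directory.
PLANTED_EXE = "setup64.exe"


def audit_installer_dir(installer: Path) -> list[str]:
    """Return names of files beside the installer that it could load by accident."""
    findings = []
    for entry in installer.parent.iterdir():
        if entry.name == installer.name or not entry.is_file():
            continue
        name = entry.name.lower()
        if name == PLANTED_EXE or name.endswith(".dll"):
            findings.append(entry.name)
    return sorted(findings)


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_installer(installer: Path, expected_sha256: str) -> Path:
    """Verify the checksum, then copy the installer into a fresh directory."""
    actual = sha256_of(installer)
    if actual != expected_sha256.lower():
        raise ValueError(f"checksum mismatch for {installer.name}: {actual}")
    clean_dir = Path(tempfile.mkdtemp(prefix="installer-"))  # newly created, empty
    staged = clean_dir / installer.name
    shutil.copy2(installer, staged)
    if audit_installer_dir(staged):  # the copy must be alone in its directory
        raise RuntimeError("staging directory is not clean")
    return staged


if __name__ == "__main__":
    # Constructed demo: a fake download folder with a planted setup64.exe.
    downloads = Path(tempfile.mkdtemp())
    installer = downloads / "workstation-installer.exe"  # hypothetical file name
    installer.write_bytes(b"constructed installer bytes")
    (downloads / "setup64.exe").write_bytes(b"planted")
    print("suspicious siblings:", audit_installer_dir(installer))
    print("staged at:", stage_installer(installer, sha256_of(installer)))
```

   In real use the expected checksum is the value published on the
   vendor's download page, not one computed from the downloaded file.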

   f. Workstation EMF file handling memory corruption vulnerability via
      Cortado ThinPrint

   VMware Workstation contains a vulnerability that may allow a
   Windows-based virtual machine (VM) to corrupt memory. This issue
   occurs due to improper handling of EMF files in tpview.dll.
   Exploitation of this issue may lead to arbitrary code execution in
   the hypervisor OS.

   The severity of this issue has changed to Low from Critical as the
   exploitation of the issue requires a custom registry value to be
   added on the host machine.

   Exploitation is only possible if virtual printing has been enabled
   in VMware Workstation. This feature is not enabled by default.
   VMware Knowledge Base article 2146810 documents the procedure for
   enabling and disabling this feature.

   VMware would like to thank Mateusz Jurczyk of Google's Project Zero
   and Yakun Zhang of McAfee for individually reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7082 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware             Product Running          Replace with/
   Product            Version on      Severity Apply Patch      Workaround
   ================== ======= ======= ======== ================ ==========
   Workstation Player 14.x    Windows Low      14.1.0           None
   Workstation Player 14.x    Linux   N/A      not affected     N/A
   Workstation Pro    14.x    Windows Low      14.1.0           None
   Workstation Pro    14.x    Linux   N/A      not affected     N/A
   Workstation Player 12.x    Windows Low      no patch planned None
   Workstation Player 12.x    Linux   N/A      not affected     N/A
   Workstation Pro    12.x    Windows Low      no patch planned None
   Workstation Pro    12.x    Linux   N/A      not affected     N/A


4. Solution

   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.

   VMware ESXi 6.0
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal
   Documentation:
   https://kb.vmware.com/kb/2145816

   VMware ESXi 5.5
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal
   Documentation:
   https://kb.vmware.com/kb/2144370

   VMware Workstation Pro 12.5.0
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation

   VMware Workstation Player 12.5.0
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer

   VMware Fusion 8.5.0
   Downloads and Documentation:
   https://www.vmware.com/go/downloadfusion

   VMware Tools 10.0.9
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?productId=491&downloadGroup=VMTOOLS1009

   VMware Workstation Pro 14.1.0
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation
   https://www.vmware.com/support/pubs/ws_pubs.html

   VMware Workstation Player 14.1.0
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer
   https://www.vmware.com/support/pubs/player_pubs.html

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7081
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7082
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7083
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7084
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7079
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7080
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7085
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7086
   https://kb.vmware.com/kb/2146810

- - ------------------------------------------------------------------------

6. Change log

   2016-09-13 VMSA-2016-0014 Initial security advisory in conjunction
   with the release of VMware Workstation 12.5.0 on 2016-09-13.

   2017-12-21 VMSA-2016-0014.1
   Updated affected versions and resolution for CVE-2016-7082 and
   moved this CVE to its own section i.e. 3f.


- - -----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc.  All rights reserved.

- -----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.4.1 (Build 490)
Charset: utf-8

wj8DBQFaPJsSDEcm8Vbi9kMRAis+AKCNQLB3rwWNlaTh90t3CfvJYBjiGQCeO8LC
La1UFYAn/y6Qfqomp7JfgHo=
=0xhk
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
