ESB-2017.2353 - [Win][Linux][Virtual][OSX] VMware Products: Multiple vulnerabilities 2017-09-18


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2353
                             VMSA-2017-0015.1
                             18 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware vCenter Server
                   VMware Fusion
                   VMware Workstation
Publisher:         VMware
Operating System:  Windows
                   Linux variants
                   OS X
                   VMware ESX Server
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account            
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-4926 CVE-2017-4925 CVE-2017-4924

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2017-0015.html

- --------------------------BEGIN INCLUDED TEXT--------------------

                               VMware Security Advisory

Advisory ID: VMSA-2017-0015.1
Severity:    Critical
Synopsis:    VMware ESXi, vCenter Server, Fusion & Workstation updates
             resolve multiple security vulnerabilities
Issue date:  2017-09-14
Updated on:  2017-09-15
CVE number:  CVE-2017-4924, CVE-2017-4925, CVE-2017-4926

1. Summary

   VMware ESXi, vCenter Server, Fusion and Workstation updates resolve
   multiple security vulnerabilities.

2. Relevant Products

   VMware ESXi (ESXi)
   VMware vCenter Server
   VMware Fusion Pro / Fusion (Fusion)
   VMware Workstation Pro / Player (Workstation)

3. Problem Description

   a. Out-of-bounds write vulnerability in SVGA

   VMware ESXi, Workstation & Fusion contain an out-of-bounds write
   vulnerability in the SVGA device. This issue may allow a guest to
   execute code on the host.

   VMware would like to thank Nico Golde and Ralf-Philipp Weinmann of
   Comsecuris UG (haftungsbeschraenkt) working with ZDI for reporting
   this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2017-4924 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware      Product Running           Replace with/       Mitigation
   Product     Version on      Severity  Apply patch         Workaround
   =========== ======= ======= ========  =============       ==========
      ESXi      6.5     ESXi   Critical ESXi650-201707101-SG   None
      ESXi      6.0     ESXi    N/A       Not affected          N/A
      ESXi      5.5     ESXi    N/A       Not affected          N/A
   Workstation  12.x    Any    Critical    12.5.7              None
     Fusion     8.x     OS X   Critical    8.5.8               None

   b. Guest RPC NULL pointer dereference vulnerability

   VMware ESXi, Workstation & Fusion contain a NULL pointer dereference
   vulnerability. This issue occurs when handling guest RPC requests.
   Successful exploitation of this issue may allow attackers with
   normal user privileges to crash their VMs.

   VMware would like to thank Zhang Haitao for reporting this issue
   to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2017-4925 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware      Product Running          Replace with/        Mitigation
   Product     Version on      Severity Apply patch          Workaround
   =========== ======= ======= ======== =============        ==========
      ESXi      6.5     ESXi   Moderate ESXi650-201707101-SG   None
      ESXi      6.0     ESXi   Moderate ESXi600-201706101-SG   None
      ESXi      5.5     ESXi   Moderate ESXi550-201709101-SG   None
   Workstation  12.x    Any    Moderate    12.5.3              None
     Fusion     8.x     OS X   Moderate     8.5.4              None
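
   The tables in 3a and 3b give different fixed versions for the same
   product line, so a host can be patched for one CVE and still exposed to
   the other. The following triage script is an added example, not part of
   the VMware advisory; the inventory, hostnames and function names are
   constructed for illustration.

```python
import re

# Fixed versions copied from the advisory's tables in 3a and 3b.
# ESXi and vCenter are omitted: the advisory identifies their fixes by
# patch ID / update name, which cannot be compared as a dotted version.
FIXED_IN = {
    ("workstation", 12): {"CVE-2017-4924": (12, 5, 7), "CVE-2017-4925": (12, 5, 3)},
    ("fusion", 8): {"CVE-2017-4924": (8, 5, 8), "CVE-2017-4925": (8, 5, 4)},
}
SEVERITY = {"CVE-2017-4924": "Critical", "CVE-2017-4925": "Moderate"}


def parse_version(text):
    """'12.5.5' or '12.5.7-5813279' -> (12, 5, 7); missing parts become 0."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def outstanding(product, version_text):
    """Return [(cve, severity, fixed_version)] still unpatched, or None when
    the product / major line is not listed in the advisory's tables."""
    version = parse_version(version_text)
    fixes = FIXED_IN.get((product.lower(), version[0]))
    if fixes is None:
        return None
    return [(cve, SEVERITY[cve], ".".join(map(str, fixed)))
            for cve, fixed in sorted(fixes.items()) if version < fixed]


# Constructed inventory (hostnames and versions are made up).
INVENTORY = [
    ("dev-laptop-01", "Workstation", "12.5.2"),
    ("dev-laptop-02", "Workstation", "12.5.5"),
    ("design-mac-01", "Fusion", "8.5.8"),
    ("lab-host-01", "Workstation", "11.1.4"),
]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        result = outstanding(product, version)
        if result is None:
            print(f"{host}: {product} {version} is not listed in the advisory tables")
        elif not result:
            print(f"{host}: {product} {version} has both fixes")
        for cve, sev, fixed in result or []:
            print(f"{host}: {product} {version} needs >= {fixed} for {cve} ({sev})")
```

   A result of None means only that the version line is absent from the
   tables above, not that the product is unaffected.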

   c. Stored XSS in H5 Client

   vCenter Server H5 Client contains a vulnerability that may allow for
   stored cross-site scripting (XSS). An attacker with VC user
   privileges can inject malicious JavaScript, which is executed
   when other VC users access the page.

   VMware would like to thank Thomas Ornetzeder for reporting this
   issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2017-4926 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware          Product Running           Replace with/   Mitigation
   Product         Version on      Severity  Apply patch     Workaround
   ==============  ======= ======= ========  =============   ==========
   vCenter Server   6.5    Windows Moderate     6.5 U1          None
   vCenter Server   6.0    Windows   N/A      Not affected      N/A
   vCenter Server   5.5    Windows   N/A      Not affected      N/A

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   ESXi 6.5
   -------------
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal
   Documentation:
   http://kb.vmware.com/kb/2149933

   ESXi 6.0
   -------------
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal
   Documentation:
   http://kb.vmware.com/kb/2149960

   ESXi 5.5
   ------------
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal
   Documentation:
   http://kb.vmware.com/kb/2150876

   VMware vCenter Server 6.5 U1
   Downloads:
   https://my.vmware.com/web/vmware/details?downloadGroup=VC65U1&productId=614&rPId=17343
   Documentation:
   https://docs.vmware.com/en/VMware-vSphere/index.html

   VMware Workstation Pro 12.5.7
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation
   https://www.vmware.com/support/pubs/ws_pubs.html

   VMware Workstation Player 12.5.7
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer
   https://www.vmware.com/support/pubs/player_pubs.html

   VMware Workstation Pro 12.5.3
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation
   https://www.vmware.com/support/pubs/ws_pubs.html

   VMware Workstation Player 12.5.3
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer
   https://www.vmware.com/support/pubs/player_pubs.html

   VMware Fusion Pro / Fusion 8.5.8
   Downloads and Documentation:
   https://www.vmware.com/go/downloadfusion
   https://www.vmware.com/support/pubs/fusion_pubs.html

   VMware Fusion Pro / Fusion 8.5.4
   Downloads and Documentation:
   https://www.vmware.com/go/downloadfusion
   https://www.vmware.com/support/pubs/fusion_pubs.html


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4924
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4925
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4926

- - ------------------------------------------------------------------------

6. Change log

   2017-09-14 VMSA-2017-0015
   Initial security advisory in conjunction with the release of VMware
   ESXi 5.5 patches on 2017-09-14

   2017-09-15 VMSA-2017-0015.1
   Corrected the underlying component affected from SVGA driver to
   device.

- - ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     security-announce@lists.vmware.com
     bugtraq@securityfocus.com
     fulldisclosure@seclists.org

   E-mail: security@vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2017 VMware Inc.  All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
