ESB-2018.0042.2 - UPDATE [Win][UNIX/Linux] VMware ESXi, Workstation and Fusion: Access privileged data - Existing account 2018-01-23

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.0042.2
            VMware ESXi, Workstation and Fusion updates address
            side-channel analysis due to speculative execution.
                              23 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi, Workstation and Fusion
Publisher:         VMware
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5753 CVE-2017-5715 

Reference:         ASB-2018.0002.2

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2018-0002.html

Revision History:  January 23 2018: Updated security advisory after release of 
                                    ESXi 5.5 patch (ESXi550-201801401-BG) that 
                                    has remediation against both CVE-2017-5753 
                                    and CVE-2017-5715 on 2018-01-09. 
                                    Updated security advisory with microcode 
                                    information found in KB52345.
                   January  4 2018: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

VMSA-2018-0002.2

VMware ESXi, Workstation and Fusion updates address side-channel analysis due
to speculative execution.

VMware Security Advisory

Advisory ID: VMSA-2018-0002.2

Severity: Important

Synopsis: VMware ESXi, Workstation and Fusion updates address side-channel 
analysis due to speculative execution.

Issue date: 2018-01-03

Updated on: 2018-01-13

CVE numbers: CVE-2017-5753, CVE-2017-5715

1. Summary

VMware ESXi, Workstation and Fusion updates address side-channel analysis due
to speculative execution.

Notes:

Hypervisor mitigation can be classified into the two following categories:

- Hypervisor-Specific remediation (documented in this advisory)

- Hypervisor-Assisted Guest Remediation (documented in VMSA-2018-0004)

The ESXi patches and new versions of Workstation and Fusion of VMSA-2018-0004
include the Hypervisor-Specific remediation documented in this VMware Security
Advisory.

More information on the types of remediation may be found in VMware Knowledge
Base article 52245.

2. Relevant Products

VMware vSphere ESXi (ESXi)

VMware Workstation Pro / Player (Workstation)

VMware Fusion Pro / Fusion (Fusion)

3. Problem Description

Bounds-Check bypass and Branch Target Injection issues

CPU data cache timing can be abused to efficiently leak information out of 
mis-speculated CPU execution, leading to (at worst) arbitrary virtual memory 
read vulnerabilities across local security boundaries in various contexts. 
(Speculative execution is an automatic and inherent CPU performance 
optimization used in all modern processors.) ESXi, Workstation and Fusion are
vulnerable to Bounds Check Bypass and Branch Target Injection issues resulting
from this vulnerability.

Exploitation may allow information disclosure from one Virtual Machine to
another Virtual Machine that is running on the same host. The remediation
listed in the table below is for the known variants of the Bounds Check
Bypass and Branch Target Injection issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the identifiers CVE-2017-5753 (Bounds Check bypass) and CVE-2017-5715 (Branch
Target Injection) to these issues.

Column 5 of the following table lists the action required to remediate the 
observed vulnerability in each release, if a solution is available.

VMware Product  Product Version  Running on  Severity   Replace with/Apply Patch  Mitigation/Workaround
--------------  ---------------  ----------  ---------  ------------------------  ---------------------
ESXi            6.5              Any         Important  ESXi650-201712101-SG      None
ESXi            6.0              Any         Important  ESXi600-201711101-SG      None
ESXi            5.5              Any         Important  ESXi550-201709101-SG*     None
Workstation     14.x             Any         N/A        Not affected              N/A
Workstation     12.x             Any         Important  12.5.8                    None
Fusion          10.x             OS X        N/A        Not affected              N/A
Fusion          8.x              OS X        Important  8.5.9                     None

* This patch mitigates CVE-2017-5715 but not CVE-2017-5753. Please see KB52345
for important information on ESXi microcode patches.

4. Solution

Please review the patch/release notes for your product and version and verify
the checksum of your downloaded file.

VMware ESXi 6.5

Downloads:

https://my.vmware.com/group/vmware/patch

Documentation:

http://kb.vmware.com/kb/2151099

VMware ESXi 6.0

Downloads:

https://my.vmware.com/group/vmware/patch

Documentation:

http://kb.vmware.com/kb/2151132

VMware ESXi 5.5

Downloads:

https://my.vmware.com/group/vmware/patch

Documentation:

http://kb.vmware.com/kb/2150876

VMware Workstation Pro, Player 12.5.8

Downloads and Documentation:

https://www.vmware.com/go/downloadworkstation

https://www.vmware.com/support/pubs/ws_pubs.html

VMware Fusion Pro / Fusion 8.5.9

Downloads and Documentation:

https://www.vmware.com/go/downloadfusion

https://www.vmware.com/support/pubs/fusion_pubs.html

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715

6. Change log

2018-01-03 VMSA-2018-0002

Initial security advisory

2018-01-09 VMSA-2018-0002.1

Updated security advisory after release of ESXi 5.5 patch 
(ESXi550-201801401-BG) that has remediation against both CVE-2017-5753 and 
CVE-2017-5715 on 2018-01-09.

2018-01-13 VMSA-2018-0002.2

Updated security advisory with microcode information found in KB52345.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================