ESB-2018.0131.2 - UPDATED ALERT [Win][UNIX/Linux] VMware Workstation and Fusion: Execute arbitrary code/commands - Existing account 2018-01-12

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.0131.2
              VMware Workstation, and Fusion updates resolve
            use-after-free and integer-overflow vulnerabilities
                              12 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Workstation
                   VMware Fusion
Publisher:         VMWare
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-4950 CVE-2017-4949 

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2018-0005.html

Revision History:  January 12 2018: Updated Product Tag
                   January 12 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

VMSA-2018-0005

VMware Workstation, and Fusion updates resolve use-after-free and 
integer-overflow vulnerabilities

VMware Security Advisory
 
Advisory ID:
VMSA-2018-0005

Severity:
Critical

Synopsis:
VMware Workstation, and Fusion updates resolve use-after-free and 
integer-overflow vulnerabilities

Issue date:
2018-01-10

Updated on:
2018-01-10 (Initial Advisory)

CVE numbers:
CVE-2017-4949, CVE-2017-4950
 
1. Summary

VMware Workstation, and Fusion updates resolve use-after-free and 
integer-overflow vulnerabilities

2. Relevant Products

    VMware Workstation Pro / Player (Workstation)
    VMware Fusion Pro / Fusion (Fusion)

3. Problem Description

a. Use-after-free vulnerability in VMware NAT service

VMware Workstation and Fusion contain a use-after-free vulnerability in VMware
NAT service when IPv6 mode is enabled. This issue may allow a guest to execute
code on the host.
  
Note: IPv6 mode for VMNAT is not enabled by default.
  
VMware would like to thank WenQunWang of Tencent's Xuanwu LAB for reporting 
this issue to us.
  
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the identifier CVE-2017-4949 to this issue.

Column 5 of the following table lists the action required to remediate the 
vulnerability in each release, if a solution is available.

VMware Product	Product Version	Running on	Severity	Replace with/ Apply Patch	Mitigation/ Workaround
Workstation	14.x		Any		Critical	14.1.1				None
Workstation	12.x		Any		Critical	12.5.9				None
Fusion		10.x		OS X		Critical	10.1.1				None
Fusion		8.x		OS X		Critical	8.5.10				None

b. Integer-overflow vulnerability in VMware NAT service

VMware Workstation and Fusion contain an integer overflow vulnerability in 
VMware NAT service when IPv6 mode is enabled. This issue may lead to an 
out-of-bound read which can then be used to execute code on the host in 
conjunction with other issues.

Note: IPv6 mode for VMNAT is not enabled by default.
  
VMware would like to thank WenQunWang of Tencent's Xuanwu LAB for reporting 
this issue to us.
  
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the identifier CVE-2017-4950 to this issue.

Column 5 of the following table lists the action required to remediate the 
vulnerability in each release, if a solution is available.

VMware Product	Product Version	Running on	Severity	Replace with/ Apply Patch	Mitigation/ Workaround
Workstation	14.x		Any		Important	14.1.1				None
Workstation	12.x		Any		Important	12.5.9				None
Fusion		10.x		OS X		Important	10.1.1				None
Fusion		8.x		OS X		Important	8.5.10				None

4. Solution

Please review the patch/release notes for your product and version and verify 
the checksum of your downloaded file.

VMware Workstation Pro 14.1.1

Downloads and Documentation:  

https://www.vmware.com/go/downloadworkstation  
https://www.vmware.com/support/pubs/ws_pubs.html  

VMware Workstation Player 14.1.1

Downloads and Documentation:  

https://www.vmware.com/go/downloadplayer  
https://www.vmware.com/support/pubs/player_pubs.html

VMware Workstation Pro 12.5.9

Downloads and Documentation:

https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation_pro/12_0
https://www.vmware.com/support/pubs/ws_pubs.html

VMware Workstation Player 12.5.9
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0
https://www.vmware.com/support/pubs/player_pubs.html
   
VMware Fusion Pro / Fusion 10.1.1
Downloads and Documentation:  
https://www.vmware.com/go/downloadfusion  
https://www.vmware.com/support/pubs/fusion_pubs.html
   
VMware Fusion Pro / Fusion 8.5.10

Downloads and Documentation:  
https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/8_0  
https://www.vmware.com/support/pubs/fusion_pubs.html 

5. References
 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4949
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4950

6. Change log

2018-01-10 VMSA-2017-0005
Initial security advisory in conjunction with the release of VMware 
Workstation 12.5.9 on 2018-01-10.

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
 
This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com
  bugtraq@securityfocus.com
  fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories

http://www.vmware.com/security/advisories

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

Twitter

https://twitter.com/VMwareSRC

Copyright 2018 VMware Inc. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWlgMgox+lLeg9Ub1AQjkIQ//fHugZVbW9d9/Lq8bSr9Ym80mwVSVL7rN
wb5M205nVjAGg0eSe1hjyfXmOla1v1GuLicLXtE70avCEIgK/y/5OPCf3GpZoAGq
yElgzer4ZuJqlIu3pnAJspLV7sJm8RxIg7l6TtWeOffjil+6HjvA9pUXGbhQ5Tm9
bmI8Cz7nuo0X1SCBDSS2Z697m0SmOVeCNVXpr9wCyOvYEr4YptLQot93Wv5XviTa
1BtNORt7pjDe0rlwMtkBQBOGpOq30gdEs8lfKiRXcPA7/XVen+zpGICk0Z3a1jZl
70L5vib2AzAvGBiY4WrJIiIwBi0lIleOePrw8oKTqQ7dDZmMVe1+GyuQt+0LHhA4
v6VK+8pvvdQJWt3x+RtC8jo8OCfL6HYL9yPfxk71MNi8mQqd2qY6h+c/ZHmkOly7
yGPAk+t6J0GensHDBhEfty4jkX3KKl+CoUn5sjWWAR4oWWtHhUGQHAa8hYGZGC/b
G4kQNxf8MF5zNGVy2qnMz6DxZyU09G2eqYfqOY3ZehV92az/FQ6JQkUJEZkmLBR4
tRceHcQQf9XAoNUHZpjn9qBSdWMW5x8BBoGw1BoYBKlMD3Z74AriD5uASiO0bd8N
od6PnFgd4K300ttoZBbnjKXbhrL3GzMylSxgMw+cqaC2wLFjFR7ocP7FB2hxE/7C
zoBDjpfl2qQ=
=zq6L
-----END PGP SIGNATURE-----

« Back to bulletins