===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.0131.2
       VMware Workstation, and Fusion updates resolve use-after-free
                   and integer-overflow vulnerabilities
                              12 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Workstation
                   VMware Fusion
Publisher:         VMware
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-4950 CVE-2017-4949

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2018-0005.html

Revision History:  January 12 2018: Updated Product Tag
                   January 12 2018: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

VMSA-2018-0005

VMware Workstation, and Fusion updates resolve use-after-free and
integer-overflow vulnerabilities

VMware Security Advisory

Advisory ID:  VMSA-2018-0005
Severity:     Critical
Synopsis:     VMware Workstation, and Fusion updates resolve use-after-free
              and integer-overflow vulnerabilities
Issue date:   2018-01-10
Updated on:   2018-01-10 (Initial Advisory)
CVE numbers:  CVE-2017-4949, CVE-2017-4950

1. Summary

VMware Workstation, and Fusion updates resolve use-after-free and
integer-overflow vulnerabilities

2. Relevant Products

VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

3. Problem Description

a. Use-after-free vulnerability in VMware NAT service

VMware Workstation and Fusion contain a use-after-free vulnerability in
VMware NAT service when IPv6 mode is enabled. This issue may allow a guest
to execute code on the host.

Note: IPv6 mode for VMNAT is not enabled by default.

VMware would like to thank WenQunWang of Tencent's Xuanwu LAB for reporting
this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2017-4949 to this issue.

Column 5 of the following table lists the action required to remediate the
vulnerability in each release, if a solution is available.

VMware       Product  Running            Replace with/  Mitigation/
Product      Version  on       Severity  Apply Patch    Workaround
===========  =======  =======  ========  =============  ===========
Workstation  14.x     Any      Critical  14.1.1         None
Workstation  12.x     Any      Critical  12.5.9         None
Fusion       10.x     OS X     Critical  10.1.1         None
Fusion       8.x      OS X     Critical  8.5.10         None

b. Integer-overflow vulnerability in VMware NAT service

VMware Workstation and Fusion contain an integer overflow vulnerability in
VMware NAT service when IPv6 mode is enabled. This issue may lead to an
out-of-bound read which can then be used to execute code on the host in
conjunction with other issues.

Note: IPv6 mode for VMNAT is not enabled by default.

VMware would like to thank WenQunWang of Tencent's Xuanwu LAB for reporting
this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2017-4950 to this issue.

Column 5 of the following table lists the action required to remediate the
vulnerability in each release, if a solution is available.

VMware       Product  Running             Replace with/  Mitigation/
Product      Version  on       Severity   Apply Patch    Workaround
===========  =======  =======  =========  =============  ===========
Workstation  14.x     Any      Important  14.1.1         None
Workstation  12.x     Any      Important  12.5.9         None
Fusion       10.x     OS X     Important  10.1.1         None
Fusion       8.x      OS X     Important  8.5.10         None

4. Solution

Please review the patch/release notes for your product and version and
verify the checksum of your downloaded file.

VMware Workstation Pro 14.1.1
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://www.vmware.com/support/pubs/ws_pubs.html

VMware Workstation Player 14.1.1
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://www.vmware.com/support/pubs/player_pubs.html

VMware Workstation Pro 12.5.9
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation_pro/12_0
https://www.vmware.com/support/pubs/ws_pubs.html

VMware Workstation Player 12.5.9
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0
https://www.vmware.com/support/pubs/player_pubs.html

VMware Fusion Pro / Fusion 10.1.1
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://www.vmware.com/support/pubs/fusion_pubs.html

VMware Fusion Pro / Fusion 8.5.10
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/8_0
https://www.vmware.com/support/pubs/fusion_pubs.html

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4949
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4950

6. Change log

2018-01-10 VMSA-2017-0005
Initial security advisory in conjunction with the release of VMware
Workstation 12.5.9 on 2018-01-10.

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com
  bugtraq@securityfocus.com
  fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2018 VMware Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================