VMSA-2016-0010: VMware product updates address multiple HIGH security issues

VMware Tanzu Application Service


23492

02 August 2016

02 August 2016

CLOSED

HIGH

CVE-2016-5330,CVE-2016-5331

VMSA-2016-0010.1

VMware product updates address multiple important security issues

VMware Security Advisory
 
Advisory ID: VMSA-2016-0010.1
Severity: Important
Synopsis: VMware product updates address multiple security issues
Issue date: 2016-08-04
Updated on: 2016-09-19
CVE numbers: CVE-2016-5330, CVE-2016-5331
 
1. Summary

VMware product updates address a DLL hijacking issue in Windows-based
VMware Tools and an HTTP Header injection issue in vCenter Server and ESXi.

 
2. Relevant Products
  • VMware vCenter Server
  • VMware vSphere Hypervisor (ESXi)
  • VMware Workstation Pro
  • VMware Workstation Player
  • VMware Fusion
  • VMware Tools
3. Problem Description

a. DLL hijacking issue in Windows-based VMware Tools  

 

A DLL hijacking vulnerability is present in the VMware Tools "Shared Folders" (HGFS) feature running on Microsoft Windows. Exploitation of this issue may lead to arbitrary code execution with the privileges of the victim. In order to exploit this issue, the attacker would need write access to a network share and they would need to entice the local user into opening their document.  

 

There are no known workarounds for this issue.      

 

VMware would like to thank Yorick Koster of Securify B.V. for reporting this issue to us.  

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-5330 to this issue.  

 

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

 

VMware Product             Product Version  Running on  Severity   Replace with/ Apply Patch*  Workaround
-------------------------  ---------------  ----------  ---------  --------------------------  ----------
ESXi***                    6.0              ESXi        Important  ESXi600-201603102-SG        None
ESXi***                    5.5              ESXi        Important  ESXi550-201608102-SG        None
ESXi***                    5.1              ESXi        Important  ESXi510-201605102-SG        None
ESXi***                    5.0              ESXi        Important  ESXi500-201606102-SG        None
VMware Workstation Pro     12.1.x           Any         Important  12.1.1                      None
VMware Workstation Player  12.1.x           Any         Important  12.1.1                      None
VMware Fusion              8.1.x            Mac OS X    Important  8.1.1                       None
VMware Tools               10.x, 9.x        Windows     Important  10.0.6**                    None

 

* After the update or patch is applied, VMware Tools must also be updated in any Windows-based guests that include the "Shared Folders" (HGFS) feature to resolve CVE-2016-5330.   

** VMware Tools can be downloaded independently and installed to resolve this issue.    

*** Successfully exploiting this issue requires installation of the "Shared Folders" component (HGFS feature), which is not installed in a "custom/typical" installation of VMware Tools on a Windows VM running on ESXi.

 

 

b. HTTP Header injection issue in vCenter Server and ESXi      

 

vCenter Server and ESXi contain an HTTP header injection vulnerability due to lack of input validation. An attacker can exploit this issue to set arbitrary HTTP response headers and cookies, which may allow for cross-site scripting and malicious redirect attacks.     
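
The class of flaw described above, as an added example that is not VMware's code and does not reproduce the affected vCenter Server or ESXi code path: a response-header builder without input validation next to one that rejects control characters. All function names, header names and sample values are constructed for illustration.

```python
import re

# Field values must not contain control characters; CR and LF in particular
# terminate a header line. HTAB (0x09) is the one control character allowed.
_FORBIDDEN_IN_VALUE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
# Field names are restricted to HTTP "token" characters.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class HeaderInjectionError(ValueError):
    """Raised when a name or value would break response header framing."""


def build_headers_unvalidated(headers):
    """'Before' form: caller-supplied values are concatenated as-is."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers)


def build_headers_validated(headers):
    """Hardened form: refuse any name or value that could add a header line."""
    lines = []
    for name, value in headers:
        # fullmatch, not match: "$" would accept a trailing newline.
        if not _TOKEN.fullmatch(name):
            raise HeaderInjectionError(f"invalid header name: {name!r}")
        if _FORBIDDEN_IN_VALUE.search(value):
            raise HeaderInjectionError(f"control character in {name} value")
        lines.append(f"{name}: {value}\r\n")
    return "".join(lines)


def count_header_lines(block):
    """Number of header lines a client would parse from the block."""
    return len([line for line in block.split("\r\n") if line])


def is_rejected(headers):
    """True when the hardened builder refuses the input."""
    try:
        build_headers_validated(headers)
    except HeaderInjectionError:
        return True
    return False


# Constructed sample input: one header was requested in both cases.
BENIGN = [("Location", "/home")]
TAINTED = [("Location", "/home\r\nSet-Cookie: session=constructed")]
```

With the tainted value, the unvalidated builder emits two header lines for one requested header, which is how an injected cookie or redirect reaches the client; the validated builder raises instead of emitting anything.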

 

There are no known workarounds for this issue.      

 

VMware would like to thank Vladimir Ivanov, Andrey Evlanin, Mikhail Stepankin, Artem Kondratenko, Arseniy Sharoglazov of Positive Technologies, Matt Foster of Netcraft Ltd, Matthias Deeg of SySS GmbH, Eva Esteban Molina of A2secure and Ammarit Thongthua for independently reporting this issue to us.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-5331 to this issue.  

 

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product   Product Version  Running on  Severity   Replace with/ Apply Patch*  Workaround
---------------  ---------------  ----------  ---------  --------------------------  ----------
vCenter Server   6.0              Any         Important  6.0 U2                      None
vCenter Server   5.x              Any         n/a        not affected                None
ESXi             6.0              ESXi        Important  ESXi600-201603101-SG        None
ESXi             5.x              ESXi        n/a        not affected                None

 

 

4. Solution

 

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

vCenter Server

----------------------

Downloads and Documentation:  

https://www.vmware.com/go/download-vsphere     

 

ESXi 6.0  

-------------

Downloads:  

https://www.vmware.com/patchmgr/findPatch.portal     

Documentation:  

http://kb.vmware.com/kb/2142192 (CVE-2016-5331)     

http://kb.vmware.com/kb/2142193 (CVE-2016-5330)      

 

ESXi 5.5 

------------

Downloads:  

https://www.vmware.com/patchmgr/findPatch.portal     

Documentation:  

http://kb.vmware.com/kb/2144370        

 

ESXi 5.1   

-----------

Downloads:  

https://www.vmware.com/patchmgr/findPatch.portal     

Documentation:  

http://kb.vmware.com/kb/2141434  

   

ESXi 5.0

------------ 

Downloads:  

https://www.vmware.com/patchmgr/findPatch.portal     

Documentation:  

http://kb.vmware.com/kb/2144027           

 

VMware Workstation Pro 12.1.1

--------------------------------------------

Downloads and Documentation:

https://www.vmware.com/go/downloadworkstationpro  

 

VMware Workstation Player 12.1.1  

------------------------------------------------

Downloads and Documentation:  

https://www.vmware.com/go/downloadplayer      

 

VMware Fusion 8.1.1  

-----------------------------

Downloads and Documentation:

https://www.vmware.com/go/downloadfusion      

 

VMware Tools 10.0.6

------------------------------

Downloads:

https://my.vmware.com/web/vmware/details?downloadGroup=VMTOOLS1006&productId=491   

Documentation:  

http://pubs.vmware.com/Release_Notes/en/vmwaretools/1006/vmware-tools-1006-release-notes.html

 

5. References

 

          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5330  

          http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5331

 

6. Change log

 

2016-08-04 VMSA-2016-0010 Initial security advisory in conjunction with the release of VMware ESXi 5.5 patches on 2016-08-04.

 

2016-09-19 VMSA-2016-0010.1

Updated security advisory to clarify the affected versions of VMware Tools.

 

7. Contact

 

E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

[email protected]

[email protected]

[email protected]

 

E-mail: [email protected]

PGP key at: https://kb.vmware.com/kb/1055

 

VMware Security Advisories

http://www.vmware.com/security/advisories

 

Consolidated list of VMware Security Advisories

http://kb.vmware.com/kb/2078735

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2016 VMware Inc. All rights reserved.