VMSA-2017-0018: VMware Workstation, Fusion and Horizon View Client updates resolve multiple security vulnerabilities
23513
14 November 2017
14 November 2017
CLOSED
CRITICAL
CVE-2017-4934,CVE-2017-4935,CVE-2017-4936,CVE-2017-4937,CVE-2017-4938,CVE-2017-4939
VMSA-2017-0018.1
VMware Security Advisory
1. Summary
VMware Workstation, Fusion and Horizon View Client updates resolve multiple security vulnerabilities
2. Relevant Products
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
3. Problem Description
a. Heap buffer-overflow vulnerability in VMNAT device
VMware Workstation and Fusion contain a heap buffer-overflow vulnerability in the VMNAT device. This issue may allow a guest to execute code on the host.
VMware would like to thank Jun Mao of Tencent PC Manager working with Trend Micro's Zero Day Initiative for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4934 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product | Product Version | Running on | Severity | Replace with / Apply Patch | Workaround
b. Out-of-bounds write via Cortado ThinPrint
VMware Workstation and Horizon View Client contain an out-of-bounds write vulnerability in the JPEG2000 parser in TPView.dll.
On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client.
Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View Client.
VMware would like to thank Anonymous working with Trend Micro's Zero Day Initiative for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4935 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product | Product Version | Running on | Severity | Replace with / Apply Patch | Workaround
c. Multiple out-of-bounds read issues via Cortado ThinPrint
VMware Workstation and Horizon View Client contain multiple out-of-bounds read vulnerabilities in the JPEG2000 parser in TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client.
Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.
VMware would like to thank Ke Liu of Tencent's Xuanwu Lab for reporting these issues to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-4936 (JPEG2000 Issue-1) and CVE-2017-4937 (JPEG2000 Issue-2) to these issues.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product | Product Version | Running on | Severity | Replace with / Apply Patch | Workaround
d. Guest RPC NULL pointer dereference vulnerability
VMware Workstation and Fusion contain a guest RPC NULL pointer dereference vulnerability. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs.
VMware would like to thank Skyer for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4938 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product | Product Version | Running on | Severity | Replace with / Apply Patch | Workaround
e. Workstation installer DLL hijacking issue
The Workstation installer contains a DLL hijacking issue caused by the application loading some DLL files improperly. This issue may allow an attacker to load a DLL file of the attacker's choosing that could execute arbitrary code.
VMware would like to thank Björn Ruytenberg for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4939 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product | Product Version | Running on | Severity | Replace with / Apply Patch | Workaround
4. Solution
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
VMware Horizon View Client 4.6.1
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=CART18FQ3_WIN_461&productId=578&rPId=18817
VMware Workstation Pro 12.5.8
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://www.vmware.com/support/pubs/ws_pubs.html
VMware Workstation Player 12.5.8
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://www.vmware.com/support/pubs/player_pubs.html
VMware Fusion Pro / Fusion 8.5.9
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://www.vmware.com/support/pubs/fusion_pubs.html
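One way to act on the fixed releases listed above is to triage an installation inventory against them. This is an added example, not part of VMware's advisory: the inventory is constructed, and the rule that only installs on the same major release line as a fixed version are compared (others are marked for manual review against the advisory's tables) is an assumption of the example.

```python
import re

# Fixed releases as listed in section 4 of the advisory.
FIXED = {
    "workstation pro": (12, 5, 8),
    "workstation player": (12, 5, 8),
    "fusion": (8, 5, 9),
    "fusion pro": (8, 5, 9),
    "horizon view client": (4, 6, 1),
}

def parse_version(text):
    """Return the leading dotted-numeric part of a version string as a 3-tuple."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def triage(product, version):
    """Classify one installation as 'update', 'patched' or 'review'."""
    fixed = FIXED.get(product.strip().lower())
    if fixed is None:
        return "review"  # product not named in section 4
    have = parse_version(version)
    if have[0] != fixed[0]:
        # Assumption: other major lines are not judged here; check the tables.
        return "review"
    # Tuple comparison is numeric per component, so 8.5.10 sorts above 8.5.9.
    return "patched" if have >= fixed else "update"

def report(inventory):
    """Return (host, product, version, status) rows, installs needing action first."""
    order = {"update": 0, "review": 1, "patched": 2}
    rows = [(h, p, v, triage(p, v)) for h, p, v in inventory]
    return sorted(rows, key=lambda r: (order[r[3]], r[0]))

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("dev-laptop-01", "Workstation Pro", "12.5.7"),
    ("dev-laptop-02", "Workstation Player", "12.5.8"),
    ("mac-build-01", "Fusion", "8.5.8"),
    ("kiosk-07", "Horizon View Client", "4.6.0"),
    ("lab-ws-03", "Workstation Pro", "14.0.0"),
]

if __name__ == "__main__":
    for host, product, version, status in report(SAMPLE):
        print(f"{status:8} {host:14} {product} {version}")
```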
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4934
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4935
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4939
6. Change log
2017-11-16 VMSA-2017-0018
Initial security advisory in conjunction with the release of VMware Workstation 12.5.8 and Fusion 8.5.9 on 2017-11-16.
2017-11-17 VMSA-2017-0018.1
Updated security advisory to add issue 3(e).
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
E-mail: [email protected]
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2017 VMware Inc. All rights reserved.