Executive Summary

Summary
Title: VMware ESXi, Workstation, Fusion, and Tools updates address multiple security issues

Information
Name: VMSA-2016-0014
First vendor Publication: 2016-09-13
Vendor: VMware
Last vendor Modification: 2016-09-13
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v2

Cvss vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score: 7.2
Cvss Impact Score: 10
Cvss Exploit Score: 3.9
Attack Range: Local
Attack Complexity: Low
Authentication: None Required

Detail

a. VMware Workstation heap-based buffer overflow vulnerabilities via Cortado ThinPrint

VMware Workstation contains vulnerabilities that may allow a Windows-based Virtual Machine (VM) to trigger a heap-based buffer overflow. Exploitation of these issues may lead to arbitrary code execution in VMware Workstation running on Windows.

Exploitation is only possible if virtual printing has been enabled in VMware Workstation. This feature is not enabled by default. VMware Knowledge Base article 2146810 documents the procedure for enabling and disabling this feature.

VMware would like to thank E0DB6391795D7F629B5077842E649393 working with Trend Micro's Zero Day Initiative for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-7081 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

b. VMware Workstation memory corruption vulnerabilities via Cortado ThinPrint

VMware Workstation contains vulnerabilities that may allow a Windows-based virtual machine (VM) to corrupt memory. This includes improper handling of EMF files (CVE-2016-7082), TrueType fonts embedded in EMFSPOOL (CVE-2016-7083), and JPEG2000 images (CVE-2016-7084) in tpview.dll. Exploitation of these issues may lead to arbitrary code execution in VMware Workstation running on Windows.

Exploitation is only possible if virtual printing has been enabled in VMware Workstation. This feature is not enabled by default. VMware Knowledge Base article 2146810 documents the procedure for enabling and disabling this feature.

VMware would like to thank Mateusz Jurczyk of Google's Project Zero for reporting these issues to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2016-7082, CVE-2016-7083, and CVE-2016-7084 to these issues.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

c. VMware Tools NULL pointer dereference vulnerabilities

The graphic acceleration functions used in VMware Tools for OSX handle memory incorrectly. Two resulting NULL pointer dereference vulnerabilities may allow for local privilege escalation on Virtual Machines that run OSX.

The issues can be remediated by installing a fixed version of VMware Tools on affected OSX VMs directly. Alternatively the fixed version of Tools can be installed through ESXi or Fusion after first updating to a version of ESXi or Fusion that ships with a fixed version of VMware Tools.

VMware would like to thank Dr. Fabien Duchene "FuzzDragon" and Jian Zhu for independently reporting these issues to VMware.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2016-7079 and CVE-2016-7080 to these issues.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

d. VMware Workstation installer DLL hijacking issue

The Workstation installer contains a DLL hijacking issue that exists because the application loads some DLL files improperly. This issue may allow an attacker to load a DLL file of the attacker's choosing that could execute arbitrary code.

VMware would like to thank Stefan Kantha, Anand Bhat, and Himanshu Mehta for independently reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-7085 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

e. VMware Workstation installer insecure executable loading vulnerability

The Workstation installer contains an insecure executable loading vulnerability that may allow an attacker to execute an exe file placed in the same directory as the installer with the name "setup64.exe". Successfully exploiting this issue may allow attackers to execute arbitrary code.

VMware would like to thank Adam Bridge for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-7086 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
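
A pre-flight check for issues d and e, as an added example that is not part of the VMware advisory: it lists files beside an installer that the installer could load instead of its own (an executable named "setup64.exe", or any DLL), then copies the installer alone into a new empty directory. The function names, the installer file name and the sample files are constructed for illustration.

```python
import shutil
import tempfile
from pathlib import Path

# File name quoted in issue e of the advisory; Windows file names are case-insensitive.
PLANTED_EXE = "setup64.exe"


def audit_installer_dir(installer: Path) -> list[tuple[str, str]]:
    """List files beside the installer that it could load instead of its own."""
    findings = []
    for entry in sorted(installer.parent.iterdir()):
        name = entry.name.lower()
        if not entry.is_file() or name == installer.name.lower():
            continue
        if name == PLANTED_EXE:
            findings.append((entry.name, "CVE-2016-7086: executable run from installer directory"))
        elif name.endswith(".dll"):
            # The directory an application was started from is searched first
            # in the standard Windows DLL search order.
            findings.append((entry.name, "CVE-2016-7085: DLL in installer directory"))
    return findings


def stage_in_clean_dir(installer: Path, base: Path) -> Path:
    """Copy only the installer into a new, empty directory and return the copy."""
    clean = Path(tempfile.mkdtemp(prefix="installer-", dir=base))
    return Path(shutil.copy2(installer, clean / installer.name))


def demo() -> tuple[list, list]:
    """Constructed sample: a shared download folder holding two unexpected files."""
    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp) / "Downloads"
        downloads.mkdir()
        installer = downloads / "workstation-installer.exe"  # placeholder name
        for name in (installer.name, "SETUP64.EXE", "sample.dll", "readme.txt"):
            (downloads / name).write_bytes(b"constructed sample")
        before = audit_installer_dir(installer)
        after = audit_installer_dir(stage_in_clean_dir(installer, Path(tmp)))
        return before, after


if __name__ == "__main__":
    before, after = demo()
    for name, reason in before:
        print(f"investigate {name}: {reason}")
    print("findings after staging:", after)
```

Any finding in the original directory is a reason to verify where those files came from before running the installer; the staged copy has no neighbours to load.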

Original Source

Url : http://www.vmware.com/security/advisories/VMSA-2016-0014.html

CWE : Common Weakness Enumeration

%      Id        Name
50 %   CWE-119   Failure to Constrain Operations within the Bounds of a Memory Buffer
25 %   CWE-476   NULL Pointer Dereference
12 %   CWE-426   Untrusted Search Path
12 %   CWE-264   Permissions, Privileges, and Access Controls

CPE : Common Platform Enumeration

Type          Description   Count
Application                 25
Application                 4
Application                 4
Os                          1
Os                          1

Nessus® Vulnerability Scanner

Date        Description
2016-09-15  Name : A virtualization application installed on the remote Mac OS X host is affecte...
            File : macosx_fusion_vmsa_2016_0014.nasl - Type : ACT_GATHER_INFO
2016-09-15  Name : A virtualization application installed on the remote Mac OS X host is affecte...
            File : macosx_vmware_tools_vmsa_2016_0014.nasl - Type : ACT_GATHER_INFO
2016-09-15  Name : The remote VMware ESXi host is missing a security-related patch.
            File : vmware_VMSA-2016-0014.nasl - Type : ACT_GATHER_INFO
2016-09-15  Name : A virtualization application installed on the remote host is affected by mult...
            File : vmware_workstation_multiple_vmsa_2016_0014.nasl - Type : ACT_GATHER_INFO
2016-02-19  Name : The remote OracleVM host is missing one or more security updates.
            File : oraclevm_OVMSA-2016-0014.nasl - Type : ACT_GATHER_INFO

Alert History

Date                 Information
2016-12-29 21:25:16  Multiple Updates
2016-12-29 13:22:01  Multiple Updates
2016-09-16 13:24:48  Multiple Updates
2016-09-13 21:24:05  First insertion