7.2 - VMSA-2017-0018

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	- VMware Workstation, Fusion and Horizon View Client updates resolve multiple security vulnerabilities

Informations
Name	VMSA-2017-0018	First vendor Publication	2017-11-16
Vendor	VMware	Last vendor Modification	2017-11-16
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score	7.2	Attack Range	Local
Cvss Impact Score	10	Attack Complexity	Low
Cvss Expoit Score	3.9	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

a. Heap buffer-overflow vulnerability in VMNAT device

VMware Workstation and Fusion contain a heap buffer-overflow vulnerability in VMNAT device. This issue may allow a guest to execute code on the host.

VMware would like to thank Jun Mao of Tencent PC Manager working with ZDI for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4934 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

b. Out-of-bounds write via Cortado ThinPrint

VMware Workstation and Horizon View Client contain an out-of-bounds write vulnerability in JPEG2000 parser in the TPView.dll.

On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client.

Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View Client.

VMware would like to thank Anonymous working with ZDI for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4935 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

c. Multiple out-of-bounds read issues via Cortado ThinPrint

VMware Workstation and Horizon View Client contain multiple out-of-bounds read vulnerabilities in JPEG2000 parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client.

Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.

VMware would like to thank Ke Liu of Tencent's Xuanwu Lab for reporting these issues to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-4936 (JPEG2000 Issue-1) and CVE-2017-4937 (JPEG2000 Issue-2) to these issues.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

d. Guest RPC NULL pointer dereference vulnerability

VMware Workstation and Fusion contain a guest RPC NULL pointer dereference vulnerability. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs.

VMware would like to thank Skyer for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4938 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

Original Source

Url : http://www.vmware.com/security/advisories/VMSA-2017-0018.html

CWE : Common Weakness Enumeration

%	Id	Name
33 %	CWE-125	Out-of-bounds Read
17 %	CWE-787	Out-of-bounds Write (CWE/SANS Top 25)
17 %	CWE-476	NULL Pointer Dereference
17 %	CWE-426	Untrusted Search Path
17 %	CWE-119	Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration

Type	Description	Count
Application	Vmware Fusion cpe:2.3:a:vmware:fusion:8.5.8:::::::* cpe:2.3:a:vmware:fusion:8.5.7:::::::* cpe:2.3:a:vmware:fusion:8.5.6:::::::* cpe:2.3:a:vmware:fusion:8.5.5:::::::* cpe:2.3:a:vmware:fusion:8.5.4:::::::* cpe:2.3:a:vmware:fusion:8.5.3:::::::* cpe:2.3:a:vmware:fusion:8.5.2:::::::* cpe:2.3:a:vmware:fusion:8.5.1:::::::* cpe:2.3:a:vmware:fusion:8.5.0:::::::* cpe:2.3:a:vmware:fusion:8.1.1:::::::* cpe:2.3:a:vmware:fusion:8.1.0:::::::* cpe:2.3:a:vmware:fusion:8.0.2:::::::* cpe:2.3:a:vmware:fusion:8.0.1:::::::* cpe:2.3:a:vmware:fusion:8.0.0:::::::*	14
Application	Vmware Horizon View cpe:2.3:a:vmware:horizon_view:4.6:::::windows:: cpe:2.3:a:vmware:horizon_view:4.5:::::windows:: cpe:2.3:a:vmware:horizon_view:4.4:::::windows:: cpe:2.3:a:vmware:horizon_view:4.3:::::windows:: cpe:2.3:a:vmware:horizon_view:4.2:::::windows:: cpe:2.3:a:vmware:horizon_view:4.1:::::windows:: cpe:2.3:a:vmware:horizon_view:4.0.1:::::windows:: cpe:2.3:a:vmware:horizon_view:4.0.0:::::windows::	8
Application	Vmware Workstation cpe:2.3:a:vmware:workstation:12.5.7:::::::* cpe:2.3:a:vmware:workstation:12.5.6:::::::* cpe:2.3:a:vmware:workstation:12.5.5:::::::* cpe:2.3:a:vmware:workstation:12.5.4:::::::* cpe:2.3:a:vmware:workstation:12.5.3:::::::* cpe:2.3:a:vmware:workstation:12.5.2:::::::* cpe:2.3:a:vmware:workstation:12.5.1:::::::* cpe:2.3:a:vmware:workstation:12.5.0:::::::* cpe:2.3:a:vmware:workstation:12.5:::::::* cpe:2.3:a:vmware:workstation:12.1.1:::::::* cpe:2.3:a:vmware:workstation:12.1:::::::* cpe:2.3:a:vmware:workstation:12.0.1:::::::* cpe:2.3:a:vmware:workstation:12.0.0:::::::*	13

Nessus® Vulnerability Scanner

Date	Description
2017-11-29	Name : A virtualization application installed on the remote macOS or Mac OS X host i... File : macosx_fusion_vmsa_2017_0018.nasl - Type : ACT_GATHER_INFO
2017-11-29	Name : A virtualization application installed on the remote host is affected by mult... File : vmware_horizon_view_client_vmsa_2017_0018.nasl - Type : ACT_GATHER_INFO
2017-11-29	Name : A virtualization application installed on the remote Windows host is affected... File : vmware_workstation_win_vmsa_2017_0018.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2017-12-03 21:23:54	Multiple Updates
2017-11-30 13:23:42	Multiple Updates
2017-11-17 17:23:28	Multiple Updates
2017-11-17 09:21:36	First insertion

Global Informations

Type	Count
CWE ID(s)	6
CPE ID(s)	35
Nessus® Exploit(s)	3

	Related
8.8	CVE-2017-4934
7.8	CVE-2017-4939
7.8	CVE-2017-4937
7.8	CVE-2017-4936
7.8	CVE-2017-4935
6.5	CVE-2017-4938
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 6 more Alert(s)

7.2 - VMSA-2017-0018

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

CPE : Common Platform Enumeration

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU