Executive Summary

Summary
Title: VMware Workstation update addresses multiple security issues
Information
Name: VMSA-2017-0003
First vendor Publication: 2017-03-09
Vendor: VMware
Last vendor Modification: 2017-03-09
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score: 6.9
Attack Range: Local
Cvss Impact Score: 10
Attack Complexity: Medium
Cvss Exploit Score: 3.4
Authentication: None Required

Detail

a. VMware Workstation DLL loading vulnerability

VMware Workstation Pro/Player contains a DLL loading vulnerability that occurs because the "vmware-vmx" process loads DLLs from a path defined in a local environment variable. Successful exploitation of this issue may allow normal users to escalate privileges to System on the host machine where VMware Workstation is installed.

VMware would like to thank Ivil for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4898 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

b. VMware Workstation SVGA driver vulnerability

VMware Workstation Pro/Player contains a security vulnerability in the SVGA driver. An attacker may exploit this issue to crash the VM or trigger an out-of-bounds read.

Note: This issue can be triggered only when the host has no graphics card or no graphics drivers are installed.

VMware would like to thank Marco Grassi (@marcograss) of KeenLab (@keen_lab) Tencent for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4899 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

c. VMware Workstation NULL pointer dereference vulnerability

VMware Workstation Pro/Player contains a NULL pointer dereference vulnerability that exists in the SVGA driver. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs.

VMware would like to thank Saar Amar (@AmarSaar) for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4900 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

Original Source

Url : http://www.vmware.com/security/advisories/VMSA-2017-0003.html

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-476 NULL Pointer Dereference
50 % CWE-125 Out-of-bounds Read

CPE : Common Platform Enumeration

Type Description Count
Application 6
Application 6

Nessus® Vulnerability Scanner

Date Description
2017-03-20 Name : A virtualization application installed on the remote host is affected by mult...
File : vmware_workstation_multiple_vmsa_2017_0003.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2017-06-13 21:24:14
  • Multiple Updates
2017-06-13 17:22:27
  • Multiple Updates
2017-06-08 00:24:29
  • Multiple Updates
2017-03-21 13:25:55
  • Multiple Updates
2017-03-10 05:23:08
  • First insertion