-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0041
       VMware ESXi, Workstation, Player, and Fusion updates address
            important guest privilege escalation vulnerability
                              8 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware Workstation Player
                   VMware Fusion
Publisher:         VMWare
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   VMware ESX Server
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-6933  

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2016-0001.html

- --------------------------BEGIN INCLUDED TEXT--------------------

VMSA-2016-0001

VMware ESXi, Fusion, Player, and Workstation updates address important guest 
privilege escalation vulnerability

VMware Security Advisory

Advisory ID: VMSA-2016-0001

Synopsis: VMware ESXi, Fusion, Player, and Workstation updates address 
important guest privilege escalation vulnerability

Issue date: 2016-01-07

Updated on: 2016-01-07 (Initial Advisory)

CVE numbers: CVE-2015-6933

1. Summary

VMware ESXi, Fusion, Player, and Workstation updates address important guest 
privilege escalation vulnerability

2. Relevant Releases

VMware ESXi 6.0 without patch ESXi600-201512102-SG

VMware ESXi 5.5 without patch ESXi550-201512102-SG

VMware ESXi 5.1 without patch ESXi510-201510102-SG

VMware ESXi 5.0 without patch ESXi500-201510102-SG

VMware Workstation prior to 11.1.2

VMware Player prior to 7.1.2

VMware Fusion prior to 7.1.2

3. Problem Description

Important Windows-based guest privilege escalation in VMware Tools

A kernel memory corruption vulnerability is present in the VMware Tools 
"Shared Folders" (HGFS) feature running on Microsoft Windows. Successful 
exploitation of this issue could lead to an escalation of privilege in the 
guest operating system.

VMware would like to thank Dmitry Janushkevich from the Secunia Research Team
for reporting this issue to us.

Note: This vulnerability does not allow for privilege escalation from the 
guest operating system to the host. Host memory can not be manipulated from 
the guest operating system by exploiting this flaw.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the identifier CVE-2015-6933 to this issue.

Workarounds

Removing the "Shared Folders" (HGFS) feature from previously installed VMware
Tools will remove the possibility of exploitation.

Column 4 of the following table lists the action required to remediate the 
vulnerability in each release, if a solution is available.

VMware Product		Product Version	Running on	Replace with/ Apply Patch*

VMware ESXi 		6.0 		ESXi 		ESXi600-201512102-SG**

VMware ESXi 		5.5 		ESXi 		ESXi550-201512102-SG**

VMware ESXi 		5.1 		ESXi 		ESXi510-201510102-SG**

VMware ESXi 		5.0 		ESXi 		ESXi500-201510102-SG**

VMware Workstation 	12.x.x 		Any 		not affected

VMware Workstation 	11.x.x 		Any 		11.1.2

VMware Player 		12.x.x 		Any 		not affected

VMware Player 		7.x.x 		Any 		7.1.2

VMware Fusion 		8.x.x 		OSX 		not affected

VMware Fusion 		7.x.x 		OSX 		7.1.2

*After the update or patch is applied, VMware Tools must also be updated in 
any Windows-based guests that include the "Shared Folders" (HGFS) feature to 
resolve CVE-2015-6933.

**VMware Tools installations initiated via vSphere (ESXi/vCenter) do not 
include the affected "Shared Folders" (HGFS) feature unless a "Complete" 
feature set was specified during the initial installation.

4. Solution

Please review the patch/release notes for your product and version and verify
the checksum of your downloaded file.

VMware ESXi 6.0

Downloads: https://www.vmware.com/patchmgr/findPatch.portal

Documentation: http://kb.vmware.com/kb/2135123

VMware ESXi 5.5

Downloads: https://www.vmware.com/patchmgr/findPatch.portal

Documentation: http://kb.vmware.com/kb/2135796

VMware ESXi 5.1

Downloads: https://www.vmware.com/patchmgr/findPatch.portal

Documentation: http://kb.vmware.com/kb/2126488

VMware ESXi 5.0

Downloads: https://www.vmware.com/patchmgr/findPatch.portal

Documentation: http://kb.vmware.com/kb/2120210

VMware Workstation 11.1.2

Downloads and Documentation: https://www.vmware.com/go/downloadworkstation

VMware Player 7.1.2

Downloads and Documentation: https://www.vmware.com/go/downloadplayer

VMware Fusion 7.1.2

https://www.vmware.com/go/downloadfusion

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6933

6. Change log

2016-01-07 VMSA-2016-0001 Initial security advisory in conjunction with the 
release of VMware ESXi 6.0 patches on 2016-01-07.

7. Contact

E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com

bugtraq at securityfocus.com

fulldisclosure at seclists.org

E-mail: security at vmware.com

PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories

http://www.vmware.com/security/advisories

Consolidated list of VMware Security Advisories

http://kb.vmware.com/kb/2078735

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

Twitter

https://twitter.com/VMwareSRC

Copyright 2016 VMware Inc. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVo8ow36ZAP0PgtI9AQKd4w//XyIPkDtKMIqnGWVY6FVU6JhbDealshcf
LXnBq8i3Z5UcdrHmR5sEJwP77weUwYpF3ec+CyxX/WlH5tyGY/ji/lZZeMZgyEuG
iNRNCEvcWwtc2DnKA/3bF4myN66DOCDFjP1deNJL0EW2+DEEo8OWZid7qPWIPjgL
SrYkB9YVm/UvzpgGD8e4X5D6XziJRLz7egOrB9r9+1ViBFJP5/fibKnnDbZwJ6Hz
nKBJjEXfBxN9EuVkVdxUxG2+b4bD9ND2kayerErUMxEM9XVCY2lr4yGRiL6vNnGe
XFA8snbNv66QBubXGqu9AWUs14QaBTU66zfIG+Xevbb+rzCXSb1cLcCFwxcwDyLN
+mP+sguQV8uHefhPYlPWDc0f9YEZKts/JCswIVuBvkNR3ZrmDNXyp0ouZuPaw86+
FnmLHiyKFgmfYUqEYgS+KixjFDa/V1UsmlydJLBmbD8K3O+y/AYmVgnF+FCj5naY
Pv22m/kvZwdodqIU6ywOsddKA/FlNS6BRb/OfcdGAh4orH+cP9bUeRi+8Kj/kTw7
ukvqhnqXhrEIBv1rSw3r8/nJnJn+zurEXlFeztD/2W76lUlku3y7EZjQbxFSJd+z
CGpey2gQjnvBhIgnqUDh+Ey2WqSk/zX3SXii9OMaFxGqZMsR30hDbLAuu5wNaCpT
DhcRu11ua3w=
=2BCt
-----END PGP SIGNATURE-----