===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2016.2166.2
                         VMware Security Advisory
                              2 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware Workstation Pro
                   VMware Workstation Player
                   VMware Fusion
                   VMware Tools
Publisher:         VMware
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   VMware ESX Server
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-7086 CVE-2016-7085 CVE-2016-7084
                   CVE-2016-7083 CVE-2016-7082 CVE-2016-7081
                   CVE-2016-7080 CVE-2016-7079

Original Bulletin:
   https://www.vmware.com/us/security/advisories/VMSA-2016-0014.html

Revision History:  January    2 2018: Updated affected versions and
                                      resolution for CVE-2016-7082
                   September 15 2016: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-----------------------------------------------------------------------
                        VMware Security Advisory

Advisory ID: VMSA-2016-0014.1
Severity:    Critical
Synopsis:    VMware ESXi, Workstation, Fusion, & Tools updates address
             multiple security issues
Issue date:  2016-09-13
Updated on:  2017-12-21
CVE number:  CVE-2016-7081,CVE-2016-7082,CVE-2016-7083,CVE-2016-7084,
             CVE-2016-7079,CVE-2016-7080,CVE-2016-7085,CVE-2016-7086

1. Summary

   VMware ESXi, Workstation, Fusion, and Tools updates address multiple
   security issues

2. Relevant Products

   ESXi
   VMware Workstation Pro
   VMware Workstation Player
   VMware Fusion
   VMware Tools

3. Problem Description

   a. VMware Workstation heap-based buffer overflow vulnerabilities via
      Cortado ThinPrint

   VMware Workstation contains vulnerabilities that may allow a
   Windows-based virtual machine (VM) to trigger heap-based buffer
   overflows in the Windows-based hypervisor running VMware Workstation
   that the VM resides on. Exploitation of this issue may lead to
   arbitrary code execution in the hypervisor OS.

   Exploitation is only possible if virtual printing has been enabled in
   VMware Workstation. This feature is not enabled by default. VMware
   Knowledge Base article 2146810 documents the procedure for enabling
   and disabling this feature.

   VMware would like to thank E0DB6391795D7F629B5077842E649393 working
   with Trend Micro's Zero Day Initiative for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7081 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware              Product  Running            Replace with/
   Product             Version  on       Severity  Apply Patch**  Workaround
   ==================  =======  =======  ========  =============  ==========
   Workstation Pro     12.x     Windows  Critical  12.5.0         KB2146810
   Workstation Pro     12.x     Linux    N/A       not affected   N/A
   Workstation Player  12.x     Windows  Critical  12.5.0         KB2146810
   Workstation Player  12.x     Linux    N/A       not affected   N/A

   b. VMware Workstation memory corruption vulnerabilities via Cortado
      ThinPrint

   VMware Workstation contains vulnerabilities that may allow a
   Windows-based virtual machine (VM) to corrupt memory in the
   Windows-based hypervisor running VMware Workstation that the VM
   resides on. These include TrueType fonts embedded in EMFSPOOL
   (CVE-2016-7083), and JPEG2000 images (CVE-2016-7084) in tpview.dll.
   Exploitation of these issues may lead to arbitrary code execution in
   the hypervisor OS.

   Exploitation is only possible if virtual printing has been enabled in
   VMware Workstation. This feature is not enabled by default. VMware
   Knowledge Base article 2146810 documents the procedure for enabling
   and disabling this feature.

   VMware would like to thank Mateusz Jurczyk of Google's Project Zero
   for reporting these issues to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifiers CVE-2016-7083 and CVE-2016-7084 to these
   issues.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware              Product  Running            Replace with/
   Product             Version  on       Severity  Apply Patch    Workaround
   ==================  =======  =======  ========  =============  ==========
   Workstation Pro     12.x     Windows  Critical  12.5.0         N/A
   Workstation Pro     12.x     Linux    N/A       not affected   N/A
   Workstation Player  12.x     Windows  Critical  12.5.0         N/A
   Workstation Player  12.x     Linux    N/A       not affected   N/A

   c. VMware Tools NULL pointer dereference vulnerabilities

   The graphic acceleration functions used in VMware Tools for OSX
   handle memory incorrectly. Two resulting NULL pointer dereference
   vulnerabilities may allow for local privilege escalation on Virtual
   Machines that run OSX.

   The issues can be remediated by installing a fixed version of VMware
   Tools on affected OSX VMs directly. Alternatively, the fixed version
   of Tools can be installed through ESXi or Fusion after first updating
   to a version of ESXi or Fusion that ships with a fixed version of
   VMware Tools.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifiers CVE-2016-7079 and CVE-2016-7080 to these
   issues.

   VMware would like to thank Dr. Fabien Duchene "FuzzDragon" and Jian
   Zhu for independently reporting these issues to VMware.

   VMware        Product    Running             Replace with/
   Product       Version    on       Severity   Apply Patch    Workaround
   ============  =========  =======  =========  =============  ==========
   VMware Tools  10.x, 9.x  Windows  N/A        not affected   N/A
   VMware Tools  10.x, 9.x  Linux    N/A        not affected   N/A
   VMware Tools  10.x, 9.x  OSX      Important  10.0.9*        None

   *VMware Tools 10.0.9 can be downloaded independently and is included
   in the following:
      - ESXi 6.0 patch ESXi600-201608403-BG
      - ESXi 5.5 patch ESXi550-201608102-SG
      - Fusion 8.5.0

   d. VMware Workstation installer DLL hijacking issue

   The Workstation Pro/Player installer contains a DLL hijacking issue
   that exists because the application loads some DLL files improperly.
   This issue may allow an unauthenticated remote attacker to load a DLL
   file of the attacker's choosing, which could execute arbitrary code.

   VMware would like to thank Anand Bhat and Himanshu Mehta for
   individually reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7085 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware              Product  Running             Replace with/
   Product             Version  on       Severity   Apply Patch    Workaround
   ==================  =======  =======  =========  =============  ==========
   Workstation Pro     12.x     Windows  Important  12.5.0         None
   Workstation Pro     12.x     Linux    N/A        not affected   N/A
   Workstation Player  12.x     Windows  Important  12.5.0         None
   Workstation Player  12.x     Linux    N/A        not affected   N/A

   e. VMware Workstation installer insecure executable loading
      vulnerability

   The Workstation installer contains an insecure executable loading
   vulnerability that may allow an attacker to execute any exe file
   placed in the same directory as the installer with the name
   "setup64.exe". Successfully exploiting this issue may allow attackers
   to escalate their privileges and execute arbitrary code.

   VMware would like to thank Adam Bridge for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7086 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware              Product  Running             Replace with/
   Product             Version  on       Severity   Apply Patch    Workaround
   ==================  =======  =======  =========  =============  ==========
   Workstation Pro     12.x     Windows  Important  12.5.0         None
   Workstation Pro     12.x     Linux    N/A        not affected   N/A
   Workstation Player  12.x     Windows  Important  12.5.0         None
   Workstation Player  12.x     Linux    N/A        not affected   N/A

   f. Workstation EMF file handling memory corruption vulnerability via
      Cortado ThinPrint

   VMware Workstation contains a vulnerability that may allow a
   Windows-based virtual machine (VM) to corrupt memory. This issue
   occurs due to improper handling of EMF files in tpview.dll.
   Exploitation of this issue may lead to arbitrary code execution in
   the hypervisor OS.

   The severity of this issue has changed to Low from Critical as the
   exploitation of the issue requires a custom registry value to be
   added on the host machine.

   Exploitation is only possible if virtual printing has been enabled in
   VMware Workstation. This feature is not enabled by default. VMware
   Knowledge Base article 2146810 documents the procedure for enabling
   and disabling this feature.

   VMware would like to thank Mateusz Jurczyk of Google's Project Zero
   and Yakun Zhang of McAfee for individually reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7082 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware              Product  Running            Replace with/
   Product             Version  on       Severity  Apply Patch       Workaround
   ==================  =======  =======  ========  ================  ==========
   Workstation Player  14.x     Windows  Low       14.1.0            None
   Workstation Player  14.x     Linux    N/A       not affected      N/A
   Workstation Pro     14.x     Windows  Low       14.1.0            None
   Workstation Pro     14.x     Linux    N/A       not affected      N/A
   Workstation Player  12.x     Windows  Low       no patch planned  None
   Workstation Player  12.x     Linux    N/A       not affected      N/A
   Workstation Pro     12.x     Windows  Low       no patch planned  None
   Workstation Pro     12.x     Linux    N/A       not affected      N/A

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   VMware ESXi 6.0
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal
   Documentation:
   https://kb.vmware.com/kb/2145816

   VMware ESXi 5.5
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal
   Documentation:
   https://kb.vmware.com/kb/2144370

   VMware Workstation Pro 12.5.0
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation

   VMware Workstation Player 12.5.0
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer

   VMware Fusion 8.5.0
   Downloads and Documentation:
   https://www.vmware.com/go/downloadfusion

   VMware Tools 10.0.9
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?productId=491&downloadGroup=VMTOOLS1009

   VMware Workstation Pro 14.1.0
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation
   https://www.vmware.com/support/pubs/ws_pubs.html

   VMware Workstation Player 14.1.0
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer
   https://www.vmware.com/support/pubs/player_pubs.html

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7081
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7082
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7083
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7084
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7079
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7080
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7085
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7086

   https://kb.vmware.com/kb/2146810

------------------------------------------------------------------------

6. Change log

   2016-09-13 VMSA-2016-0014
   Initial security advisory in conjunction with the release of VMware
   Workstation 12.5.0 on 2016-09-13.

   2017-12-21 VMSA-2016-0014.1
   Updated affected versions and resolution for CVE-2016-7082 and moved
   this CVE to its own section, i.e. 3f.

-----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     security-announce at lists.vmware.com
     bugtraq at securityfocus.com
     fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
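
Sections 3d and 3e describe binaries picked up from the installer's own directory, and section 4 asks for the download checksum to be verified. The following pre-flight check is an added example, not part of the VMware advisory or the AusCERT bulletin, and it does not replace the 12.5.0 update; the function names, file names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def preflight(installer, expected_sha256):
    """Return findings for one installer; an empty list means nothing was flagged."""
    installer = Path(installer).resolve()
    findings = []
    if not hmac.compare_digest(sha256_of(installer), expected_sha256.lower()):
        findings.append(f"checksum mismatch: {installer.name}")
    for sibling in sorted(installer.parent.iterdir()):
        if sibling == installer or not sibling.is_file():
            continue
        if sibling.name.lower() == "setup64.exe":   # file name given in section 3e
            findings.append("setup64.exe beside installer (CVE-2016-7086)")
        elif sibling.suffix.lower() == ".dll":       # section 3d: DLL beside installer
            findings.append(f"{sibling.name} beside installer (CVE-2016-7085)")
    return findings

def stage_in_empty_dir(installer, expected_sha256):
    """Copy only the installer into a fresh private directory and re-check it there."""
    dest = Path(tempfile.mkdtemp(prefix="stage-")) / Path(installer).name
    shutil.copy2(installer, dest)
    return dest, preflight(dest, expected_sha256)

def demo():
    """Constructed download folder holding an installer and two stray binaries."""
    downloads = Path(tempfile.mkdtemp(prefix="downloads-"))
    data = b"constructed installer bytes"            # stand-in for the real download
    installer = downloads / "installer-12.5.0.exe"   # constructed file name
    installer.write_bytes(data)
    (downloads / "setup64.exe").write_bytes(b"stray")
    (downloads / "example.dll").write_bytes(b"stray")
    expected = hashlib.sha256(data).hexdigest()      # in practice: vendor-published value
    before = preflight(installer, expected)
    _, after = stage_in_empty_dir(installer, expected)
    return before, after

if __name__ == "__main__":
    print(demo())
```

Run against a shared download folder, the check reports both stray files; after the installer is copied alone into a fresh directory, only a checksum mismatch could still be reported.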