Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.2166.2
VMware Security Advisory
2 January 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: VMware ESXi
VMware Workstation Pro
VMware Workstation Player
VMware Fusion
VMware Tools
Publisher: VMWare
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
VMware ESX Server
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Increased Privileges -- Existing Account
Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2016-7086 CVE-2016-7085 CVE-2016-7084
CVE-2016-7083 CVE-2016-7082 CVE-2016-7081
CVE-2016-7080 CVE-2016-7079
Original Bulletin:
https://www.vmware.com/us/security/advisories/VMSA-2016-0014.html
Revision History: January 2 2018: Updated affected versions and resolution for CVE-2016-7082
September 15 2016: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - -----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2016-0014.1
Severity: Critical
Synopsis: VMware ESXi, Workstation, Fusion, & Tools updates address
multiple security issues
Issue date: 2016-09-13
Updated on: 2017-12-21
CVE number: CVE-2016-7081,CVE-2016-7082,CVE-2016-7083,CVE-2016-7084,
CVE-2016-7079,CVE-2016-7080,CVE-2016-7085,CVE-2016-7086
1. Summary
VMware ESXi, Workstation, Fusion, and Tools updates address multiple
security issues
2. Relevant Products
ESXi
VMware Workstation Pro
VMware Workstation Player
VMware Fusion
VMware Tools
3. Problem Description
a. VMware Workstation heap-based buffer overflow vulnerabilities via
Cortado ThinPrint
VMware Workstation contains vulnerabilities that may allow a windows
-based virtual machine (VM) to trigger heap-based buffer overflows
in the windows-based hypervisor running VMware workstation that the
VM resides on. Exploitation of this issue may lead to arbitrary code
execution in the hypervisor OS.
Exploitation is only possible if virtual printing has been enabled
in VMware Workstation. This feature is not enabled by default.
VMware Knowledge Base article 2146810 documents the procedure for
enabling and disabling this feature.
VMware would like to thank E0DB6391795D7F629B5077842E649393 working
with Trend Micro's Zero Day Initiative for reporting this issue to
us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-7081 to this issue.
Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Severity Apply Patch** Workaround
=============== ======= ======= ======== ============= ==========
Workstation Pro 12.x Windows Critical 12.5.0 KB2146810
Workstation Pro 12.x Linux N/A not affected N/A
Workstation Player 12.x Windows Critical 12.5.0 KB2146810
Workstation Player 12.x Linux N/A not affected N/A
b. VMware Workstation memory corruption vulnerabilities via Cortado
Thinprint
VMware Workstation contains vulnerabilities that may allow a windows
-based virtual machine (VM) to corrupt memory in the windows-based
hypervisor running VMware workstation that the VM resides on. These
include TrueType fonts embedded in EMFSPOOL (CVE-2016-7083), and
JPEG2000 images (CVE-2016-7084) in tpview.dll. Exploitation of these
issues may lead to arbitrary code execution in the hypervisor OS.
Exploitation is only possible if virtual printing has been enabled
in VMware Workstation. This feature is not enabled by default.
VMware Knowledge Base article 2146810 documents the procedure for
enabling and disabling this feature.
VMware would like to thank Mateusz Jurczyk of Google's Project Zero
for reporting these issues to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifiers CVE-2016-7083, and CVE-2016-7084 to these
issues.
Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Severity Apply Patch Workaround
=============== ======= ======= ======== ============= ==========
Workstation Pro 12.x Windows Critical 12.5.0 N/A
Workstation Pro 12.x Linux N/A not affected N/A
Workstation Player 12.x Windows Critical 12.5.0 N/A
Workstation Player 12.x Linux N/A not affected N/A
c. VMware Tools NULL pointer dereference vulnerabilities
The graphic acceleration functions used in VMware Tools for OSX
handle memory incorrectly. Two resulting NULL pointer dereference
vulnerabilities may allow for local privilege escalation on Virtual
Machines that run OSX.
The issues can be remediated by installing a fixed version of VMware
Tools on affected OSX VMs directly. Alternatively the fixed version
of Tools can be installed through ESXi or Fusion after first
updating to a version of ESXi or Fusion that ships with a fixed
version of VMware Tools.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifiers CVE-2016-7079 and CVE-2016-7080 to these
issues.
VMware would like to thank Dr. Fabien Duchene "FuzzDragon" and Jian
Zhu for independently reporting these issues to VMware.
VMware Product Running Replace with/
Product Version on Severity Apply Patch Workaround
============ ========= ======= ======== =================== ==========
VMware Tools 10.x, 9.x Windows N/A not affected N/A
VMware Tools 10.x, 9.x Linux N/A not affected N/A
VMware Tools 10.x, 9.x OSX Important 10.0.9* None
*VMware Tools 10.0.9 can be downloaded independently and is included
in the following:
-ESXi 6.0 patch ESXi600-201608403-BG
-ESXi 5.5 patch ESXi550-201608102-SG
-Fusion 8.5.0
d. VMware Workstation installer DLL hijacking issue
Workstation Pro/Player installer contains a DLL hijacking issue that
exists due to some DLL files loaded by the application improperly.
This issue may allow an unauthenticated remote attacker to load this
DLL file of the attacker's choosing that could execute arbitrary
code.
Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware would like to thank Anand Bhat and Himanshu Mehta for
individually reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-7085 to this issue.
Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Severity Apply Patch Workaround
=============== ======= ======= ======== ============= ==========
Workstation Pro 12.x Windows Important 12.5.0 None
Workstation Pro 12.x Linux N/A not affected N/A
Workstation Player 12.x Windows Important 12.5.0 None
Workstation Player 12.x Linux N/A not affected N/A
e. VMware Workstation installer insecure executable loading
vulnerability
Workstation installer contains an insecure executable loading
vulnerability that may allow an attacker to execute any exe file
placed in the same directory as installer with the name
"setup64.exe".Successfully exploiting this issue may allow attackers
to escalate their privileges and execute arbitrary code.
VMware would like to thank Adam Bridge for reporting this issue to
us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-7086 to this issue.
Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Severity Apply Patch Workaround
=============== ======= ======= ======== ============= ==========
Workstation Pro 12.x Windows Important 12.5.0 None
Workstation Pro 12.x Linux N/A not affected N/A
Workstation Player 12.x Windows Important 12.5.0 None
Workstation Player 12.x Linux N/A not affected N/A
f. Workstation EMF file handling memory corruption vulnerability via
Cortado ThinPrint
VMware Workstation contains a vulnerability that may allow a Windows
-based virtual machine (VM) to corrupt memory. This issue occurs due
to improper handling of EMF files in tpview.dll. Exploitation of this
issue may lead to arbitrary code execution in the hypervisor OS.
The severity of this issue has changed to Low from Critical as the
exploitation of the issue requires a custom registry value to be
added on the host machine.
Exploitation is only possible if virtual printing has been enabled
in VMware Workstation. This feature is not enabled by default.
VMware Knowledge Base article 2146810 documents the procedure for
enabling and disabling this feature.
VMware would like to thank Mateusz Jurczyk of Google's Project Zero
and Yakun Zhang of McAfee for individually reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-7082 to this issue.
Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Severity Apply Patch Workaround
================== ======== ======= ======== ============= ==========
Workstation Player 14.x Windows Low 14.1.0 None
Workstation Player 14.x Linux N/A not affected N/A
Workstation Pro 14.x Windows Low 14.1.0 None
Workstation Pro 14.x Linux N/A not affected N/A
Workstation Player 12.x Windows Low no patch planned None
Workstation Player 12.x Linux N/A not affected N/A
Workstation Pro 12.x Windows Low no patch planned None
Workstation Pro 12.x Linux N/A not affected N/A
4. Solution
Please review the patch/release notes for your product and version and
verify
the checksum of your downloaded file.
VMware ESXi 6.0
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
https://kb.vmware.com/kb/2145816
VMware ESXi 5.5
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
https://kb.vmware.com/kb/2144370
VMware Workstation Pro 12.5.0
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
VMware Workstation Player 12.5.0
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
VMware Fusion 8.5.0
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
VMware Tools 10.0.9
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=491&downloadGroup=VMTOOL
S1009
VMware Workstation Pro 14.1.0
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://www.vmware.com/support/pubs/ws_pubs.html
VMware Workstation Player 14.1.0
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://www.vmware.com/support/pubs/player_pubs.html
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7082
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7086
https://kb.vmware.com/kb/2146810
- - ------------------------------------------------------------------------
6. Change log
2016-09-13 VMSA-2016-0014 Initial security advisory in conjunction
with the release of VMware Workstation 12.5.0 on 2016-09-13.
2017-12-21 VMSA-2016-0014.1
Updated affected versions and resolution for CVE-2016-7082 and
moved this CVE to its own section i.e. 3f.
- - -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
- -----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.4.1 (Build 490)
Charset: utf-8
wj8DBQFaPJsSDEcm8Vbi9kMRAis+AKCNQLB3rwWNlaTh90t3CfvJYBjiGQCeO8LC
La1UFYAn/y6Qfqomp7JfgHo=
=0xhk
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWkq+KYx+lLeg9Ub1AQjM0Q/+P8FMMbdRZhDViWDFpu57gbv8aUM4GbZe
XDKcXIAEC2rmkdJGN+sOO3kEsATWp+0sr1uqKL9/KgY1tZ3FE7PDg2WQdIyTDW+w
f2t+m3g9yPzF5VHPx/TA0uyOE76KwrYejRG5nXm4JqKwcab15jXhWrYvwIWjKHbq
tYeo+CKH5TkB2mnLOVxgESqnN58uJl9HsnCX6Maj8bwRAAWnrUXn3fBoldVumSoU
Ba1MC4z7qIzFwZjYh8IeMXRCZJ85KuMrEtftMcaSRx9MOh6R5rLLrnYNSxzfeZNl
FRpTcAE7zHKe4Cih5YdaSv7K+qWtItpnxHCHTQRCBZUII6d/oG1g4hqMKLydxGmp
rqt9yOCYbodXgSiH0nbvno89+Yn/InlGnVFxTtKZ4guLhWnhCSJxM5eBM9hWFLG4
dq5G3s4PfLA4maSEPuRIbcVrULf5cnTCb+mWynRxVJz8xLuD/wLn5aCD7x6y4l44
/dHk6+70xPdfutUjghVFZp3yOaOvZWPC8u0zWJ8fDQZzZpFh+sH7WyCg/jBiudtf
vXzkdpg+FwHSpfum3jusP3pfYwDjWaROKVknu17ZlSzDfO6v1MbBs0SOrFIl7UJ5
TrpqG80AkzZXATzgZLrTm12I3lCzK9kQh5IVMS5yr1/0tNWIUeGwYRLyIMGoqOly
tkwpVICrgII=
=yCuQ
-----END PGP SIGNATURE-----