===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2353
                             VMSA-2017-0015.1
                             18 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware vCenter Server
                   VMware Fusion
                   VMware Workstation
Publisher:         VMware
Operating System:  Windows
                   Linux variants
                   OS X
                   VMware ESX Server
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-4926 CVE-2017-4925 CVE-2017-4924

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2017-0015.html

--------------------------BEGIN INCLUDED TEXT--------------------

                          VMware Security Advisory

Advisory ID: VMSA-2017-0015.1
Severity:    Critical
Synopsis:    VMware ESXi, vCenter Server, Fusion & Workstation updates
             resolve multiple security vulnerabilities
Issue date:  2017-09-14
Updated on:  2017-09-15
CVE number:  CVE-2017-4924, CVE-2017-4925, CVE-2017-4926

1. Summary

   VMware ESXi, vCenter Server, Fusion and Workstation updates resolve
   multiple security vulnerabilities.

2. Relevant Products

   VMware ESXi (ESXi)
   VMware vCenter Server
   VMware Fusion Pro / Fusion (Fusion)
   VMware Workstation Pro / Player (Workstation)

3. Problem Description

   a. Out-of-bounds write vulnerability in SVGA

   VMware ESXi, Workstation & Fusion contain an out-of-bounds write
   vulnerability in the SVGA device. This issue may allow a guest to
   execute code on the host.

   VMware would like to thank Nico Golde and Ralf-Philipp Weinmann of
   Comsecuris UG (haftungsbeschraenkt) working with ZDI for reporting
   this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2017-4924 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware      Product Running          Replace with/        Mitigation
   Product     Version on      Severity Apply patch          Workaround
   =========== ======= ======= ======== ==================== ==========
   ESXi        6.5     ESXi    Critical ESXi650-201707101-SG None
   ESXi        6.0     ESXi    N/A      Not affected         N/A
   ESXi        5.5     ESXi    N/A      Not affected         N/A
   Workstation 12.x    Any     Critical 12.5.7               None
   Fusion      8.x     OS X    Critical 8.5.8                None

   b. Guest RPC NULL pointer dereference vulnerability

   VMware ESXi, Workstation & Fusion contain a NULL pointer dereference
   vulnerability. This issue occurs when handling guest RPC requests.
   Successful exploitation of this issue may allow attackers with
   normal user privileges to crash their VMs.

   VMware would like to thank Zhang Haitao for reporting this issue to
   us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2017-4925 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware      Product Running          Replace with/        Mitigation
   Product     Version on      Severity Apply patch          Workaround
   =========== ======= ======= ======== ==================== ==========
   ESXi        6.5     ESXi    Moderate ESXi650-201707101-SG None
   ESXi        6.0     ESXi    Moderate ESXi600-201706101-SG None
   ESXi        5.5     ESXi    Moderate ESXi550-201709101-SG None
   Workstation 12.x    Any     Moderate 12.5.3               None
   Fusion      8.x     OS X    Moderate 8.5.4                None

   c. Stored XSS in H5 Client

   vCenter Server H5 Client contains a vulnerability that may allow for
   stored cross-site scripting (XSS). An attacker with VC user
   privileges can inject malicious JavaScript, which is executed when
   other VC users access the page.

   VMware would like to thank Thomas Ornetzeder for reporting this
   issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2017-4926 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware         Product Running          Replace with/ Mitigation
   Product        Version on      Severity Apply patch   Workaround
   ============== ======= ======= ======== ============= ==========
   vCenter Server 6.5     Windows Moderate 6.5 U1        None
   vCenter Server 6.0     Windows N/A      Not affected  N/A
   vCenter Server 5.5     Windows N/A      Not affected  N/A

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   ESXi 6.5
   -------------
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal
   Documentation:
   http://kb.vmware.com/kb/2149933

   ESXi 6.0
   -------------
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal
   Documentation:
   http://kb.vmware.com/kb/2149960

   ESXi 5.5
   ------------
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal
   Documentation:
   http://kb.vmware.com/kb/2150876

   VMware vCenter Server 6.5 U1
   Downloads:
   https://my.vmware.com/web/vmware/details?downloadGroup=VC65U1&productId=614&rPId=17343
   Documentation:
   https://docs.vmware.com/en/VMware-vSphere/index.html

   VMware Workstation Pro 12.5.7
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation
   https://www.vmware.com/support/pubs/ws_pubs.html

   VMware Workstation Player 12.5.7
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer
   https://www.vmware.com/support/pubs/player_pubs.html

   VMware Workstation Pro 12.5.3
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation
   https://www.vmware.com/support/pubs/ws_pubs.html

   VMware Workstation Player 12.5.3
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer
   https://www.vmware.com/support/pubs/player_pubs.html

   VMware Fusion Pro / Fusion 8.5.8
   Downloads and Documentation
   https://www.vmware.com/go/downloadfusion
   https://www.vmware.com/support/pubs/fusion_pubs.html

   VMware Fusion Pro / Fusion 8.5.4
   Downloads and Documentation
   https://www.vmware.com/go/downloadfusion
   https://www.vmware.com/support/pubs/fusion_pubs.html

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4924
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4925
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4926

------------------------------------------------------------------------

6. Change log

   2017-09-14 VMSA-2017-0015
   Initial security advisory in conjunction with the release of VMware
   ESXi 5.5 patches on 2017-09-14

   2017-09-15 VMSA-2017-0015.1
   Corrected the underlying component affected from SVGA driver to
   device.

------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     security-announce@lists.vmware.com
     bugtraq@securityfocus.com
     fulldisclosure@seclists.org

   E-mail: security@vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2017 VMware Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
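
The remediation tables in sections 3a and 3b give different fixed releases per CVE for Workstation and Fusion, so a host can be patched for CVE-2017-4925 and still be exposed to CVE-2017-4924. The following is an added example, not part of the advisory or of any VMware tool, that triages an inventory against those two tables; the function names, host names and installed versions are constructed, and it assumes the "Replace with" release and anything later in the same 12.x / 8.x line is fixed. ESXi and vCenter Server are left out because the advisory identifies their fixes by patch bulletin ID and update level, not by a comparable version number.

```python
# Fixed releases copied from the remediation tables in sections 3a and 3b.
# product -> (major version line listed, {CVE: release that fixes it})
FIXED = {
    "workstation": (12, {"CVE-2017-4924": "12.5.7", "CVE-2017-4925": "12.5.3"}),
    "fusion": (8, {"CVE-2017-4924": "8.5.8", "CVE-2017-4925": "8.5.4"}),
}


def parse_version(text):
    """Turn '12.5.3' into (12, 5, 3) so versions compare numerically."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def open_cves(product, installed):
    """Return the advisory CVEs still unpatched for an installed version."""
    key = product.lower()
    if key not in FIXED:
        raise KeyError(f"product not covered by this example: {product}")
    major, fixes = FIXED[key]
    version = parse_version(installed)
    if version[0] != major:
        # Only the 12.x / 8.x lines appear in the tables; report other
        # release lines as "not listed" rather than guessing.
        return None
    return sorted(cve for cve, fixed in fixes.items()
                  if version < parse_version(fixed))


def triage(inventory):
    """Map each host to its open CVEs (None = not listed in the tables)."""
    return {host: open_cves(product, version)
            for host, product, version in inventory}


# Constructed inventory: (host, product, installed version).
INVENTORY = [
    ("dev-01", "Workstation", "12.5.2"),
    ("dev-02", "Workstation", "12.5.5"),
    ("mac-01", "Fusion", "8.5.8"),
    ("mac-02", "Fusion", "10.0.0"),
]

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(host, "not listed" if result is None
              else ", ".join(result) or "patched")
```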