Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.0042.2
VMware ESXi, Workstation and Fusion updates address
side-channel analysis due to speculative execution.
23 January 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: VMware ESXi, Workstation and Fusion
Publisher: VMWare
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Access Privileged Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2017-5753 CVE-2017-5715
Reference: ASB-2018.0002.2
Original Bulletin:
https://www.vmware.com/security/advisories/VMSA-2018-0002.html
Revision History: January 23 2018: Updated security advisory after release of
ESXi 5.5 patch (ESXi550-201801401-BG) that
has remediation against both CVE-2017-5753
and CVE-2017-5715 on 2018-01-09.
Updated security advisory with microcode
information found in KB52345.
January 4 2018: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
VMware Security Advisories
VMSA-2018-0002.2
VMware ESXi, Workstation and Fusion updates address side-channel analysis due
to speculative execution.
VMware Security Advisory
Advisory ID: VMSA-2018-0002.2
Severity: Important
Synopsis: VMware ESXi, Workstation and Fusion updates address side-channel
analysis due to speculative execution.
Issue date: 2018-01-03
Updated on: 2018-01-13
CVE numbers: CVE-2017-5753, CVE-2017-5715
1. Summary
VMware ESXi, Workstation and Fusion updates address side-channel analysis due
to speculative execution.
Notes:
Hypervisor mitigation can be classified into the two following categories:
- - Hypervisor-Specific remediation (documented in this advisory)
- - Hypervisor-Assisted Guest Remediation (documented in VMSA-2018-0004)
The ESXi patches and new versions of Workstation and Fusion of VMSA-2018-0004
include the Hypervisor-Specific remediation documented in this VMware Security
Advisory.
More information on the types of remediation may be found in VMware Knowledge
Base article 52245.
2. Relevant Products
VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
3. Problem Description
Bounds-Check bypass and Branch Target Injection issues
CPU data cache timing can be abused to efficiently leak information out of
mis-speculated CPU execution, leading to (at worst) arbitrary virtual memory
read vulnerabilities across local security boundaries in various contexts.
(Speculative execution is an automatic and inherent CPU performance
optimization used in all modern processors.) ESXi, Workstation and Fusion are
vulnerable to Bounds Check Bypass and Branch Target Injection issues resulting
from this vulnerability.
Result of exploitation may allow for information disclosure from one Virtual
Machine to another Virtual Machine that is running on the same host. The
remediation listed in the table below is for the known variants of the Bounds
Check Bypass and Branch Target Injection issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the identifiers CVE-2017-5753 (Bounds Check bypass) and CVE-2017-5715 (Branch
Target Injection) to these issues.
Column 5 of the following table lists the action required to remediate the
observed vulnerability in each release, if a solution is available.
VMware Product Product Version Running on Severity Replace with/ Apply Patch Mitigation/ Workaround
ESXi 6.5 Any Important ESXi650-201712101-SG None
ESXi 6.0 Any Important ESXi600-201711101-SG None
ESXi 5.5 Any Important ESXi550-201709101-SG* None
Workstation 14.x Any N/A Not affected N/A
Workstation 12.x Any Important 12.5.8 None
Fusion 10.x OS X N/A Not affected N/A
Fusion 8.x OS X Important 8.5.9 None
* This patch mitigates CVE-2017-5715 but not CVE-2017-5753. Please see KB52345
for important information on ESXi microcode patches.
4. Solution
Please review the patch/release notes for your product and version and verify
the checksum of your downloaded file.
VMware ESXi 6.5
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
http://kb.vmware.com/kb/2151099
VMware ESXi 6.0
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
http://kb.vmware.com/kb/2151132
VMware ESXi 5.5
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
http://kb.vmware.com/kb/2150876
VMware Workstation Pro, Player 12.5.8
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://www.vmware.com/support/pubs/ws_pubs.html
VMware Fusion Pro / Fusion 8.5.9
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://www.vmware.com/support/pubs/fusion_pubs.html
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
6. Change log
2018-01-03 VMSA-2018-0002
Initial security advisory
2018-01-09 VMSA-2018-0002.1
Updated security advisory after release of ESXi 5.5 patch
(ESXi550-201801401-BG) that has remediation against both CVE-2017-5753 and
CVE-2017-5715 on 2018-01-09.
2018-01-13 VMSA-2018-0002.2
Updated security advisory with microcode information found in KB52345.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWmbSxYx+lLeg9Ub1AQgMXA//RxjSWqR4jZ6LbtV5Fc19wu1+ZPfHsZxu
hovpT8/gXSrlyyN4HIpNKUDvw8jN50h7wcdMO/E1C+ioITQOh/9GqrnWiFfLd1mC
zVZEeXjg13UkRAOW5/u4iEbgmEI6Q9iFD7kdq6xhVAKJwPZopPRgFUiG6Hicu9lP
EXCW9bXgnXlclz+Wd3BAEy7ICjuuygXnJQF7V1tdhHqMc56+IcWe0QTMkjVNoPkO
Y+xXxCQ+7x3iVKH1mgb529x+94QE2AvnNmkm9Np7alUIiKWwx/fsjMGOoqyzowY8
7CrbeHLDKkQOFbfRR60Msae9CqbD8Z0FGu9obJavZ9WlRPziuWroBmR7cVQ6cs3B
sQnh41tUQX2FJnKsca7CMG36ZyoTGX+M9oPAVLr8nXpccOCgvLNBALMDp8muzmas
E0dihJ9eDrIxvlgFzTRbC0Wh/PwUYzAuaUtZ7l7vOggZ3rKrxnWdMREfkgy3CTF8
2aaWHnLF2E3GcQAdqVn4t1HFqphSYKivb1VPSBCDtQFQYD+Pww2a+oub4a6FtCpN
g2M/oA17nSLWDId5tsU/BVsDgpcMjfkCP266Qks6aEDY6E+34iAPX+cGDDz1Iu5j
jZXlFZ67Nl+HTCNygU3e/Zd+zp+EpbCWBpz9gh9qM1aA9BzaH81HBkKyKnMnmPHN
rWBZca9WDbQ=
=7Xyw
-----END PGP SIGNATURE-----