===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2018.0042.2
VMware ESXi, Workstation and Fusion updates address side-channel
analysis due to speculative execution.
23 January 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           VMware ESXi, Workstation and Fusion
Publisher:         VMware
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5753 CVE-2017-5715
Reference:         ASB-2018.0002.2

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2018-0002.html

Revision History:  January 23 2018: Updated security advisory after release
                                    of ESXi 5.5 patch (ESXi550-201801401-BG)
                                    that has remediation against both
                                    CVE-2017-5753 and CVE-2017-5715 on
                                    2018-01-09. Updated security advisory
                                    with microcode information found in
                                    KB52345.
                   January  4 2018: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

VMSA-2018-0002.2
VMware ESXi, Workstation and Fusion updates address side-channel analysis
due to speculative execution.

VMware Security Advisory

Advisory ID:  VMSA-2018-0002.2
Severity:     Important
Synopsis:     VMware ESXi, Workstation and Fusion updates address
              side-channel analysis due to speculative execution.
Issue date:   2018-01-03
Updated on:   2018-01-13
CVE numbers:  CVE-2017-5753, CVE-2017-5715

1. Summary

VMware ESXi, Workstation and Fusion updates address side-channel analysis
due to speculative execution.

Notes:

Hypervisor mitigation can be classified into the two following categories:

- Hypervisor-Specific remediation (documented in this advisory)
- Hypervisor-Assisted Guest Remediation (documented in VMSA-2018-0004)

The ESXi patches and new versions of Workstation and Fusion of
VMSA-2018-0004 include the Hypervisor-Specific remediation documented in
this VMware Security Advisory.

More information on the types of remediation may be found in VMware
Knowledge Base article 52245.

2. Relevant Products

VMware vSphere ESXi (ESXi)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)

3. Problem Description

Bounds-Check bypass and Branch Target Injection issues

CPU data cache timing can be abused to efficiently leak information out of
mis-speculated CPU execution, leading to (at worst) arbitrary virtual
memory read vulnerabilities across local security boundaries in various
contexts. (Speculative execution is an automatic and inherent CPU
performance optimization used in all modern processors.) ESXi, Workstation
and Fusion are vulnerable to Bounds Check Bypass and Branch Target
Injection issues resulting from this vulnerability.

Result of exploitation may allow for information disclosure from one
Virtual Machine to another Virtual Machine that is running on the same
host. The remediation listed in the table below is for the known variants
of the Bounds Check Bypass and Branch Target Injection issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifiers CVE-2017-5753 (Bounds Check bypass) and
CVE-2017-5715 (Branch Target Injection) to these issues.

Column 5 of the following table lists the action required to remediate the
observed vulnerability in each release, if a solution is available.

VMware       Product  Running             Replace with/          Mitigation/
Product      Version  on       Severity   Apply Patch            Workaround
===========  =======  =======  =========  =====================  ===========
ESXi         6.5      Any      Important  ESXi650-201712101-SG   None
ESXi         6.0      Any      Important  ESXi600-201711101-SG   None
ESXi         5.5      Any      Important  ESXi550-201709101-SG*  None
Workstation  14.x     Any      N/A        Not affected           N/A
Workstation  12.x     Any      Important  12.5.8                 None
Fusion       10.x     OS X     N/A        Not affected           N/A
Fusion       8.x      OS X     Important  8.5.9                  None

* This patch mitigates CVE-2017-5715 but not CVE-2017-5753.

Please see KB52345 for important information on ESXi microcode patches.

4. Solution

Please review the patch/release notes for your product and version and
verify the checksum of your downloaded file.

VMware ESXi 6.5
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
http://kb.vmware.com/kb/2151099

VMware ESXi 6.0
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
http://kb.vmware.com/kb/2151132

VMware ESXi 5.5
Downloads:
https://my.vmware.com/group/vmware/patch
Documentation:
http://kb.vmware.com/kb/2150876

VMware Workstation Pro, Player 12.5.8
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://www.vmware.com/support/pubs/ws_pubs.html

VMware Fusion Pro / Fusion 8.5.9
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://www.vmware.com/support/pubs/fusion_pubs.html

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715

6. Change log

2018-01-03 VMSA-2018-0002
Initial security advisory

2018-01-09 VMSA-2018-0002.1
Updated security advisory after release of ESXi 5.5 patch
(ESXi550-201801401-BG) that has remediation against both CVE-2017-5753 and
CVE-2017-5715 on 2018-01-09.

2018-01-13 VMSA-2018-0002.2
Updated security advisory with microcode information found in KB52345.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.