[Security-announce] New VMSA-2018-0003 - vRealize Operations for Horizon, vRealize Operations for Published Applications, Workstation, Horizon View Client and Tools updates resolve multiple security vulnerabilities

VMware Security Announcements security-announce at lists.vmware.com
Thu Jan 4 22:49:49 PST 2018


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                        VMware Security Advisory

Advisory ID: VMSA-2018-0003
Severity:    Important
Synopsis:    vRealize Operations for Horizon, vRealize Operations for
             Published Applications, Workstation, Horizon View Client
             and Tools updates resolve multiple security
             vulnerabilities


Issue date:  2018-01-04
Updated on:  2018-01-04 (Initial Advisory)
CVE number:  CVE-2017-4945, CVE-2017-4946, CVE-2017-4948

1. Summary

   vRealize Operations for Horizon, vRealize Operations for Published
   Applications, Workstation, Horizon View Client and Tools updates
   resolve multiple security vulnerabilities.

2. Relevant Products

   vRealize Operations for Horizon (V4H)
   vRealize Operations for Published Applications (V4PA)
   VMware Workstation Pro / Player (Workstation)
   VMware Fusion Pro / Fusion (Fusion)
   VMware Horizon View Client for Windows

3. Problem Description

   a. V4H and V4PA desktop agent privilege escalation vulnerability

   The V4H and V4PA desktop agents contain a privilege escalation
   vulnerability. Successful exploitation of this issue could result in
   a low privileged windows user escalating their privileges to SYSTEM.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2017-4946 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware     Product   Running           Replace with/ Mitigation/
   Product    Version   on      Severity  Apply Patch   Workaround
   ========== ========= ======= ========= ============= ==========
   V4H        6.x       Windows Important   6.5.1*        KB52195
   V4PA       6.x       Windows Important   6.5.1         KB52195

   *This agent is also bundled with Horizon 7.4

   b. Out-of-bounds read issue via Cortado ThinPrint

   VMware Workstation and Horizon View Client contain an out-of-bounds
   read vulnerability in TPView.dll. On Workstation, this issue in
   conjunction with other bugs may allow a guest to leak information
   from host or may allow for a Denial of Service on the Windows OS
   that runs Workstation. In the case of a Horizon View Client, this
   issue in conjunction with other bugs may allow a View desktop to
   leak information from host or may allow for a Denial of Service on
   the Windows OS that runs the Horizon View Client.

   Exploitation is only possible if virtual printing has been enabled.
   This feature is not enabled by default on Workstation but it is
   enabled by default on Horizon View.

   VMware would like to thank Yakun Zhang of McAfee for reporting this
   issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2017-4948 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware          Product Running           Replace with/   Mitigation
   Product         Version on      Severity  Apply patch     Workaround
   ==============  ======= ======= ========  =============   ==========
   Horizon View      4.x   Windows Important    4.7.0           None
   Client for Windows
   Workstation       14.x  Windows Important    14.1.0          None

   Workstation       14.x  Linux   N/A         not affected     N/A
   Workstation       12.x  Windows Important   no patch planned None

   Workstation       12.x  Linux   N/A         not affected     N/A

   c. Guest access control vulnerability.

   VMware Workstation and Fusion contain a guest access control
   vulnerability. This issue may allow program execution via Unity on
   locked Windows VMs.

   VMware Tools must updated to 10.2.0 for each VM to resolve
   CVE-2017-4945.

   VMware Tools 10.2.0 is consumed by Workstation 14.1.0 and
   Fusion 10.1.0 by default.

   VMware would like to thank Tudor Enache of the United Arab
   Emirates Computer Emergency Response Team (aeCERT) for reporting
   this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2017-4945 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware          Product Running           Replace with/   Mitigation
   Product         Version on      Severity  Apply patch*    Workaround
   ==============  ======= ======= ========  =============   ==========
   Workstation      14.x    Any    Important Upgrade Tools*   None

   Workstation      12.x    Any    Important no patch planned None

   Fusion           10.x    OS X   Important Upgrade Tools*   None

   Fusion           8.x     OS X   Important no patch planned None

   * VMware Tools must updated to 10.2.0 for each VM to resolve
   CVE-2017-4945. VMware Tools 10.2.0 is consumed by Workstation 14.1.0
   and Fusion 10.1.0 by default.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   vRealize Operations for Horizon Desktop Agent 6.5.1
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?productId=475&downloadGroup
   =V4H-651-GA

   vRealize Operations for Published Applications Desktop Agent 6.5.1
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?productId=475&downloadGroup
   =V4PA-651-GA

   VMware Horizon View Client 4.7.0
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?downloadGroup=CART18FQ4_WIN
   _470&productId=578&rPId=20571

   VMware Workstation Pro 14.1.0
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation
   https://www.vmware.com/support/pubs/ws_pubs.html

   VMware Workstation Player 14.1.0
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer
   https://www.vmware.com/support/pubs/player_pubs.html

   VMware Tools 10.2.0
   Downloads:
   https://my.vmware.com/web/vmware/details?
   downloadGroup=VMTOOLS1020&productId=491
   Documentation:
   https://docs.vmware.com/en/VMware-Tools/10.2/rn/
   vmware-tools-1020-release-notes.html

5. References

   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4945
   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4946
   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4948
   http://kb.vmware.com/kb/52195

- ------------------------------------------------------------------------

6. Change log

   2018-01-04 VMSA-2018-0003  Initial security advisory in conjunction
   with the release of VMware Horizon View Client 4.7.0 on 2018-01-04.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2018 VMware Inc. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.4.1 (Build 490)
Charset: utf-8

wj8DBQFaTx9yDEcm8Vbi9kMRAuQxAJsEoHi61EF6A0T8IPR/LX4mvgH2iACgwuQg
022yaolSTWh5Wdu/13NOkrE=
=qtU5
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.vmware.com/pipermail/security-announce/attachments/20180105/335ab2da/attachment.html>


More information about the Security-announce mailing list