[Security-announce] New VMSA-2018-0005 - VMware Workstation, and Fusion updates resolve use-after-free and integer-overflow vulnerabilities

VMware Security Announcements security-announce at lists.vmware.com
Wed Jan 10 22:39:31 PST 2018


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------

                               VMware Security Advisory

Advisory ID: VMSA-2018-0005
Severity:    Critical
Synopsis:    VMware Workstation, and Fusion updates resolve
             use-after-free and integer-overflow vulnerabilities
Issue date:  2018-01-10
Updated on:  2018-01-10 (Initial Advisory)
CVE number:  CVE-2017-4949, CVE-2017-4950

1. Summary

   VMware Workstation, and Fusion updates resolve use-after-free and
   integer-overflow vulnerabilities

2. Relevant Products

   VMware Workstation Pro / Player (Workstation)
   VMware Fusion Pro / Fusion (Fusion)

3. Problem Description

   a. Use-after-free vulnerability in VMware NAT service

   VMware Workstation and Fusion contain a use-after-free vulnerability
   in VMware NAT service when IPv6 mode is enabled. This issue may
   allow a guest to execute code on the host.

   Note: IPv6 mode for VMNAT is not enabled by default.

   VMware would like to thank WenQunWang of Tencent's Xuanwu LAB for
   reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2017-4949 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware          Product Running           Replace with/   Mitigation
   Product         Version on      Severity  Apply patch     Workaround
   ==============  ======= ======= ========  =============   ==========
   Workstation     14.x    Any     Critical  14.1.1          None
   Workstation     12.x    Any     Critical  12.5.9          None
   Fusion          10.x    OS X    Critical  10.1.1          None
   Fusion          8.x     OS X    Critical  8.5.10          None

   b. Integer-overflow vulnerability in VMware NAT service

   VMware Workstation and Fusion contain an integer overflow
   vulnerability in VMware NAT service when IPv6 mode is enabled. This
   issue may lead to an out-of-bounds read which can then be used to
   execute code on the host in conjunction with other issues.

   Note: IPv6 mode for VMNAT is not enabled by default.

   VMware would like to thank WenQunWang of Tencent's Xuanwu LAB for
   reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2017-4950 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware          Product Running            Replace with/  Mitigation
   Product         Version on      Severity   Apply patch    Workaround
   ==============  ======= ======= =========  =============  ==========
   Workstation     14.x    Any     Important  14.1.1         None
   Workstation     12.x    Any     Important  12.5.9         None
   Fusion          10.x    OS X    Important  10.1.1         None
   Fusion          8.x     OS X    Important  8.5.10         None


4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   VMware Workstation Pro 14.1.1
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation
   https://www.vmware.com/support/pubs/ws_pubs.html

   VMware Workstation Player 14.1.1
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer
   https://www.vmware.com/support/pubs/player_pubs.html

   VMware Workstation Pro 12.5.9
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation_pro/12_0
   https://www.vmware.com/support/pubs/ws_pubs.html

   VMware Workstation Player 12.5.9
   Downloads and Documentation:
   https://my.vmware.com/en/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0
   https://www.vmware.com/support/pubs/player_pubs.html

   VMware Fusion Pro / Fusion 10.1.1
   Downloads and Documentation:
   https://www.vmware.com/go/downloadfusion
   https://www.vmware.com/support/pubs/fusion_pubs.html

   VMware Fusion Pro / Fusion 8.5.10
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/8_0
   https://www.vmware.com/support/pubs/fusion_pubs.html


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4949
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4950

- ------------------------------------------------------------------------

6. Change log

   2018-01-10 VMSA-2017-0005
   Initial security advisory in conjunction with the release of VMware
   Workstation 12.5.9 on 2018-01-10.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     security-announce at lists.vmware.com
     bugtraq at securityfocus.com
     fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2018 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.4.1 (Build 490)
Charset: utf-8

wj8DBQFaVwYgDEcm8Vbi9kMRAr3mAJ4zS2QQog09h5K1xAPG59tVhCnUrgCg3RK/
KKS064Rpozk2PAPs2ShZegI=
=trGK
-----END PGP SIGNATURE-----
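
The remediation tables in sections 3a and 3b can be applied to a fleet inventory as shown here. This is an added example, not part of VMware's advisory; the function names, the (host, product, version) inventory format and the sample hosts are assumptions. It only compares versions and does not check whether IPv6 mode for VMNAT is enabled.

```python
import re

# Fixed releases per major branch, copied from the advisory's tables.
FIXED = {
    ("workstation", 14): (14, 1, 1),
    ("workstation", 12): (12, 5, 9),
    ("fusion", 10): (10, 1, 1),
    ("fusion", 8): (8, 5, 10),
}


def parse_version(text):
    """Turn '12.5.9' or '8.5.10-0000000' into a tuple of ints, ignoring any build suffix."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def status(product, version):
    """Return 'patched', 'vulnerable', or 'not-listed' for one installation."""
    v = parse_version(version)
    fixed = FIXED.get((product.strip().lower(), v[0]))
    if fixed is None:
        return "not-listed"  # branch not covered by the advisory; review manually
    # Pad to equal length so 14.1 compares as 14.1.0, then compare numerically.
    width = max(len(v), len(fixed))
    v += (0,) * (width - len(v))
    fixed += (0,) * (width - len(fixed))
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory):
    """inventory: iterable of (host, product, version). Returns {host: status}."""
    return {host: status(product, version) for host, product, version in inventory}


# Constructed sample inventory (hostnames and build suffix are made up).
SAMPLE = [
    ("dev-01", "Workstation", "14.1.0"),
    ("dev-02", "Workstation", "12.5.9"),
    ("mac-01", "Fusion", "8.5.9"),  # a plain string compare ranks this above "8.5.10"
    ("mac-02", "Fusion", "10.1.1-0000000"),
    ("lab-01", "Workstation", "11.1.4"),
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(host, result)
```

Comparing components as integers matters for the Fusion 8.x branch: as strings, "8.5.9" sorts after "8.5.10" and an unpatched host would be reported as fixed.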