[Security-announce] NEW VMSA-2016-0014 - VMware ESXi, Workstation, Fusion, and Tools updates address multiple security issues

VMware Security Announcements security-announce at lists.vmware.com
Tue Sep 13 09:48:00 PDT 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                               VMware Security Advisory
 
Advisory ID: VMSA-2016-0014
Severity:    Critical
Synopsis:    VMware ESXi, Workstation, Fusion, and Tools updates address
             multiple security issues
Issue date:  2016-09-13
Updated on:  2016-09-13 (Initial Advisory)
CVE number:  CVE-2016-7081, CVE-2016-7082, CVE-2016-7083, CVE-2016-7084,
             CVE-2016-7079, CVE-2016-7080, CVE-2016-7085, CVE-2016-7086
 
1. Summary
 
   VMware ESXi, Workstation, Fusion, and Tools updates address multiple
   security issues
 
2. Relevant Products
 
   ESXi
   VMware Workstation Pro
   VMware Workstation Player
   VMware Fusion
   VMware Tools
 
3. Problem Description
 
   a. VMware Workstation heap-based buffer overflow vulnerabilities via
      Cortado ThinPrint

   VMware Workstation contains vulnerabilities that may allow a
   Windows-based Virtual Machine (VM) to trigger a heap-based buffer
   overflow. Exploitation of these issues may lead to arbitrary code
   execution in VMware Workstation running on Windows.

   Exploitation is only possible if virtual printing has been enabled in
   VMware Workstation. This feature is not enabled by default. VMware
   Knowledge Base article 2146810 documents the procedure for enabling
   and disabling this feature.

   VMware would like to thank E0DB6391795D7F629B5077842E649393 working
   with Trend Micro's Zero Day Initiative for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7081 to this issue.

   Column 5 of the following table lists the action required to remediate
   the vulnerability in each release, if a solution is available.

   VMware                     Product   Running            Replace with/
   Product                    Version   on       Severity  Apply Patch    Workaround
   ===============            =======   =======  ========  =============  ==========
   VMware Workstation Pro     12.x      Windows  Critical  12.5.0         KB2146810
   VMware Workstation Pro     12.x      Linux    N/A       not affected   N/A
   VMware Workstation Player  12.x      Windows  Critical  12.5.0         KB2146810
   VMware Workstation Player  12.x      Linux    N/A       not affected   N/A
 
   b. VMware Workstation memory corruption vulnerabilities via Cortado
      ThinPrint

   VMware Workstation contains vulnerabilities that may allow a
   Windows-based virtual machine (VM) to corrupt memory. This includes
   improper handling of EMF files (CVE-2016-7082), TrueType fonts
   embedded in EMFSPOOL (CVE-2016-7083), and JPEG2000 images
   (CVE-2016-7084) in tpview.dll. Exploitation of these issues may lead
   to arbitrary code execution in VMware Workstation running on Windows.

   Exploitation is only possible if virtual printing has been enabled in
   VMware Workstation. This feature is not enabled by default. VMware
   Knowledge Base article 2146810 documents the procedure for enabling
   and disabling this feature.

   VMware would like to thank Mateusz Jurczyk of Google's Project Zero
   for reporting these issues to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifiers CVE-2016-7082, CVE-2016-7083, and
   CVE-2016-7084 to these issues.

   Column 5 of the following table lists the action required to remediate
   the vulnerability in each release, if a solution is available.

   VMware                     Product   Running            Replace with/
   Product                    Version   on       Severity  Apply Patch    Workaround
   ===============            =======   =======  ========  =============  ==========
   VMware Workstation Pro     12.x      Windows  Critical  12.5.0         KB2146810
   VMware Workstation Pro     12.x      Linux    N/A       not affected   N/A
   VMware Workstation Player  12.x      Windows  Critical  12.5.0         KB2146810
   VMware Workstation Player  12.x      Linux    N/A       not affected   N/A
 
   c. VMware Tools NULL pointer dereference vulnerabilities
 
   The graphic acceleration functions used in VMware Tools for OSX handle
   memory incorrectly. Two resulting NULL pointer dereference
   vulnerabilities may allow for local privilege escalation on Virtual
   Machines that run OSX.

   The issues can be remediated by installing a fixed version of VMware
   Tools on affected OSX VMs directly. Alternatively the fixed version of
   Tools can be installed through ESXi or Fusion after first updating to
   a version of ESXi or Fusion that ships with a fixed version of VMware
   Tools.

   VMware would like to thank Dr. Fabien Duchene "FuzzDragon" and Jian
   Zhu for independently reporting these issues to VMware.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifiers CVE-2016-7079 and CVE-2016-7080 to these
   issues.

   Column 5 of the following table lists the action required to remediate
   the vulnerability in each release, if a solution is available.

   VMware        Product    Running             Replace with/
   Product       Version    on       Severity   Apply Patch          Workaround
   ============  =========  =======  ========   ===================  ==========
   VMware Tools  10.x, 9.x  Windows  N/A        not affected         N/A
   VMware Tools  10.x, 9.x  Linux    N/A        not affected         N/A
   VMware Tools  10.x, 9.x  OSX      Important  10.0.9*              None

   *VMware Tools 10.0.9 can be downloaded independently and is also
   included in the following:
 
     -ESXi 6.0 patch ESXi600-201608403-BG
     -ESXi 5.5 patch ESXi550-201608102-SG
     -Fusion 8.5.0
 
   d. VMware Workstation installer DLL hijacking issue
 
   The Workstation installer contains a DLL hijacking issue that exists
   because the application loads some DLL files improperly. This issue
   may allow an attacker to load a DLL file of the attacker's choosing
   that could execute arbitrary code.

   VMware would like to thank Stefan Kantha, Anand Bhat, and Himanshu
   Mehta for independently reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7085 to this issue.

   Column 5 of the following table lists the action required to remediate
   the vulnerability in each release, if a solution is available.

   VMware                     Product   Running             Replace with/
   Product                    Version   on       Severity   Apply Patch    Workaround
   ===============            =======   =======  ========   =============  ==========
   VMware Workstation Pro     12.x      Windows  Important  12.5.0         None
   VMware Workstation Pro     12.x      Linux    N/A        not affected   N/A
   VMware Workstation Player  12.x      Windows  Important  12.5.0         None
   VMware Workstation Player  12.x      Linux    N/A        not affected   N/A
 
   e. VMware Workstation installer insecure executable loading
      vulnerability

   The Workstation installer contains an insecure executable loading
   vulnerability that may allow an attacker to execute an exe file placed
   in the same directory as the installer with the name "setup64.exe".
   Successfully exploiting this issue may allow attackers to execute
   arbitrary code.

   VMware would like to thank Adam Bridge for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7086 to this issue.

   Column 5 of the following table lists the action required to remediate
   the vulnerability in each release, if a solution is available.

   VMware                     Product   Running             Replace with/
   Product                    Version   on       Severity   Apply Patch    Workaround
   ===============            =======   =======  ========   =============  ==========
   VMware Workstation Pro     12.x      Windows  Important  12.5.0         None
   VMware Workstation Pro     12.x      Linux    N/A        not affected   N/A
   VMware Workstation Player  12.x      Windows  Important  12.5.0         None
   VMware Workstation Player  12.x      Linux    N/A        not affected   N/A
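
   An added pre-install check for issues d and e (not part of VMware's
   advisory or tooling): it lists files sitting beside a downloaded
   installer that the installer could load from its own directory. The
   name setup64.exe comes from the advisory; treating every sibling DLL as
   a risk for issue d, and all sample file names, are assumptions.

```python
import os
import tempfile

# File name the advisory gives for CVE-2016-7086.
PLANTED_EXE_NAMES = {"setup64.exe"}
# Assumption: any DLL beside the installer is a CVE-2016-7085 risk.
RISKY_EXTENSIONS = {".dll"}


def audit_installer_dir(installer_path):
    """Return (finding, filename) pairs for files beside the installer."""
    directory = os.path.dirname(os.path.abspath(installer_path))
    installer_name = os.path.basename(installer_path).lower()
    findings = []
    for entry in sorted(os.listdir(directory)):
        name = entry.lower()  # Windows file names are case-insensitive
        if name == installer_name:
            continue
        if not os.path.isfile(os.path.join(directory, entry)):
            continue
        if name in PLANTED_EXE_NAMES:
            findings.append(("sibling-executable", entry))
        elif os.path.splitext(name)[1] in RISKY_EXTENSIONS:
            findings.append(("sibling-dll", entry))
    return findings


def demo():
    """Audit a constructed shared download folder, then a fresh folder."""
    samples = ("installer-placeholder.exe", "Setup64.EXE",
               "example.dll", "notes.txt")  # constructed names
    with tempfile.TemporaryDirectory() as shared:
        for name in samples:
            with open(os.path.join(shared, name), "wb") as fh:
                fh.write(b"constructed sample, not a real binary")
        dirty = audit_installer_dir(os.path.join(shared, samples[0]))
    with tempfile.TemporaryDirectory() as fresh:
        alone = os.path.join(fresh, samples[0])
        open(alone, "wb").close()
        clean = audit_installer_dir(alone)
    return dirty, clean


if __name__ == "__main__":
    for label, result in zip(("shared folder", "fresh folder"), demo()):
        print(label, result or "no sibling files of concern")
```

   An empty result means nothing beside the installer matched; it does not
   replace updating to the fixed release listed in the tables above.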
 
4. Solution
 
   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.
 
   VMware ESXi 6.0
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal
   Documentation:
   https://kb.vmware.com/kb/2145816
 
   VMware ESXi 5.5
   Downloads:
   https://www.vmware.com/patchmgr/findPatch.portal
   Documentation:
   https://kb.vmware.com/kb/2144370
 
   VMware Workstation Pro 12.5.0
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation
 
   VMware Workstation Player 12.5.0
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer
 
   VMware Fusion 8.5.0
   Downloads and Documentation:
   https://www.vmware.com/go/downloadfusion
 
   VMware Tools 10.0.9
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?productId=491&downloadGroup=VMTOOLS1009
 
5. References
 
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7081
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7082
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7083
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7084
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7079
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7080
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7085
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7086
 
   https://kb.vmware.com/kb/2146810
 
- ------------------------------------------------------------------------
 
6. Change log
 
   2016-09-13 VMSA-2016-0014 Initial security advisory in conjunction
   with the release of VMware Workstation 12.5.0 on 2016-09-13.
 
- ------------------------------------------------------------------------
 
7. Contact
 
   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
 
   This Security Advisory is posted to the following lists:
 
    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org
 
   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055
 
   VMware Security Advisories
   http://www.vmware.com/security/advisories
 
   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html
 
   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC
 
   Copyright 2016 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFX2CyRDEcm8Vbi9kMRAmyGAKDl1s03LC6+UjdZ+GqTPUzdJE2hVgCg03mL
WhIeBNago/RlST5Ilzkgjz8=
=JxLl
-----END PGP SIGNATURE-----



