-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2018-0005 Severity: Critical Synopsis: VMware Workstation, and Fusion updates resolve use-after -free and integer-overflow vulnerabilities Issue date: 2018-01-10 Updated on: 2018-01-10 (Initial Advisory) CVE number: CVE-2017-4949, CVE-2017-4950 1. Summary VMware Workstation, and Fusion updates resolve use-after-free and integer-overflow vulnerabilities 2. Relevant Products VMware Workstation Pro / Player (Workstation) VMware Fusion Pro / Fusion (Fusion) 3. Problem Description a. Use-after-free vulnerability in VMware NAT service VMware Workstation and Fusion contain a use-after-free vulnerability in VMware NAT service when IPv6 mode is enabled. This issue may allow a guest to execute code on the host. Note: IPv6 mode for VMNAT is not enabled by default. VMware would like to thank WenQunWang of Tencent's Xuanwu LAB for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4949 to this issue. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Mitigation Product Version on Severity Apply patch Workaround ============== ======= ======= ======== ============= ========== Workstation 14.x Any Critical 14.1.1 None Workstation 12.x Any Critical 12.5.9 None Fusion 10.x OS X Critical 10.1.1 None Fusion 8.x OS X Critical 8.5.10 None b. Integer-overflow vulnerability in VMware NAT service VMware Workstation and Fusion contain an integer overflow vulnerability in VMware NAT service when IPv6 mode is enabled. This issue may lead to an out-of-bound read which can then be used to execute code on the host in conjunction with other issues. Note: IPv6 mode for VMNAT is not enabled by default. VMware would like to thank WenQunWang of Tencent's Xuanwu LAB for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4950 to this issue. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Mitigation Product Version on Severity Apply patch Workaround ============== ======= ======= ========= ============= =========== Workstation 14.x Any Important 14.1.1 None Workstation 12.x Any Important 12.5.9 None Fusion 10.x OS X Important 10.1.1 None Fusion 8.x OS X Important 8.5.10 None 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. VMware Workstation Pro 14.1.1 Downloads and Documentation: https://www.vmware.com/go/downloadworkstation https://www.vmware.com/support/pubs/ws_pubs.html VMware Workstation Player 14.1.1 Downloads and Documentation: https://www.vmware.com/go/downloadplayer https://www.vmware.com/support/pubs/player_pubs.html VMware Workstation Pro 12.5.9 Downloads and Documentation: https://my.vmware.com/web/vmware/info/slug/desktop_ end_user_computing/vmware_workstation_pro/12_0 https://www.vmware.com/support/pubs/ws_pubs.html VMware Workstation Player 12.5.9 Downloads and Documentation: https://my.vmware.com/en/web/vmware/free#desktop_ end_user_computing/vmware_workstation_player/12_0 https://www.vmware.com/support/pubs/player_pubs.html VMware Fusion Pro / Fusion 10.1.1 Downloads and Documentation: https://www.vmware.com/go/downloadfusion https://www.vmware.com/support/pubs/fusion_pubs.html VMware Fusion Pro / Fusion 8.5.10 Downloads and Documentation: https://my.vmware.com/web/vmware/info/slug/desktop_ end_user_computing/vmware_fusion/8_0 https://www.vmware.com/support/pubs/fusion_pubs.html 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4949 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4950 - ------------------------------------------------------------------------ 6. Change log 2018-01-10 VMSA-2017-0005 Initial security advisory in conjunction with the release of VMware Workstation 12.5.9 on 2018-01-10. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce@lists.vmware.com bugtraq@securityfocus.com fulldisclosure@seclists.org E-mail: security@vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html VMware Security & Compliance Blog https://blogs.vmware.com/security Twitter https://twitter.com/VMwareSRC Copyright 2018 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.4.1 (Build 490) Charset: utf-8 wj8DBQFaVwYgDEcm8Vbi9kMRAr3mAJ4zS2QQog09h5K1xAPG59tVhCnUrgCg3RK/ KKS064Rpozk2PAPs2ShZegI= =trGK -----END PGP SIGNATURE-----