[Security-announce] Updated VMSA-2016-0014.1 : VMware ESXi, Workstation, Fusion, & Tools updates address multiple security issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2016-0014.1
Severity: Critical
Synopsis: VMware ESXi, Workstation, Fusion, & Tools updates address
multiple security issues
Issue date: 2016-09-13
Updated on: 2017-12-21
CVE number: CVE-2016-7081,CVE-2016-7082,CVE-2016-7083,CVE-2016-7084,
CVE-2016-7079,CVE-2016-7080,CVE-2016-7085,CVE-2016-7086

1. Summary

VMware ESXi, Workstation, Fusion, and Tools updates address multiple
security issues

2. Relevant Products

ESXi
VMware Workstation Pro
VMware Workstation Player
VMware Fusion
VMware Tools

3. Problem Description

a. VMware Workstation heap-based buffer overflow vulnerabilities via
Cortado ThinPrint

VMware Workstation contains vulnerabilities that may allow a
Windows-based virtual machine (VM) to trigger heap-based buffer
overflows in the Windows-based hypervisor running VMware Workstation
that the VM resides on. Exploitation of this issue may lead to
arbitrary code execution in the hypervisor OS.

Exploitation is only possible if virtual printing has been enabled
in VMware Workstation. This feature is not enabled by default.
VMware Knowledge Base article 2146810 documents the procedure for
enabling and disabling this feature.

VMware would like to thank E0DB6391795D7F629B5077842E649393 working
with Trend Micro’s Zero Day Initiative for reporting this issue to
us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-7081 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware             Product Running          Replace with/
Product            Version on      Severity Apply Patch** Workaround
================== ======= ======= ======== ============= ==========
Workstation Pro    12.x    Windows Critical 12.5.0        KB2146810
Workstation Pro    12.x    Linux   N/A      not affected  N/A
Workstation Player 12.x    Windows Critical 12.5.0        KB2146810
Workstation Player 12.x    Linux   N/A      not affected  N/A

b. VMware Workstation memory corruption vulnerabilities via Cortado
ThinPrint

VMware Workstation contains vulnerabilities that may allow a
Windows-based virtual machine (VM) to corrupt memory in the
Windows-based hypervisor running VMware Workstation that the VM
resides on. These issues occur in the handling of TrueType fonts
embedded in EMFSPOOL (CVE-2016-7083) and of JPEG2000 images
(CVE-2016-7084) in tpview.dll. Exploitation of these issues may lead
to arbitrary code execution in the hypervisor OS.

Exploitation is only possible if virtual printing has been enabled
in VMware Workstation. This feature is not enabled by default.
VMware Knowledge Base article 2146810 documents the procedure for
enabling and disabling this feature.

VMware would like to thank Mateusz Jurczyk of Google’s Project Zero
for reporting these issues to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifiers CVE-2016-7083 and CVE-2016-7084 to these
issues.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware             Product Running          Replace with/
Product            Version on      Severity Apply Patch   Workaround
================== ======= ======= ======== ============= ==========
Workstation Pro    12.x    Windows Critical 12.5.0        N/A
Workstation Pro    12.x    Linux   N/A      not affected  N/A
Workstation Player 12.x    Windows Critical 12.5.0        N/A
Workstation Player 12.x    Linux   N/A      not affected  N/A

c. VMware Tools NULL pointer dereference vulnerabilities

The graphic acceleration functions used in VMware Tools for OSX
handle memory incorrectly. Two resulting NULL pointer dereference
vulnerabilities may allow for local privilege escalation on Virtual
Machines that run OSX.

The issues can be remediated by installing a fixed version of VMware
Tools on affected OSX VMs directly. Alternatively the fixed version
of Tools can be installed through ESXi or Fusion after first
updating to a version of ESXi or Fusion that ships with a fixed
version of VMware Tools.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifiers CVE-2016-7079 and CVE-2016-7080 to these
issues.

VMware would like to thank Dr. Fabien Duchene “FuzzDragon” and Jian
Zhu for independently reporting these issues to VMware.

VMware       Product   Running           Replace with/
Product      Version   on      Severity  Apply Patch   Workaround
============ ========= ======= ========= ============= ==========
VMware Tools 10.x, 9.x Windows N/A       not affected  N/A
VMware Tools 10.x, 9.x Linux   N/A       not affected  N/A
VMware Tools 10.x, 9.x OSX     Important 10.0.9*       None

*VMware Tools 10.0.9 can be downloaded independently and is included
in the following:
-ESXi 6.0 patch ESXi600-201608403-BG
-ESXi 5.5 patch ESXi550-201608102-SG
-Fusion 8.5.0

d. VMware Workstation installer DLL hijacking issue

The Workstation Pro/Player installer contains a DLL hijacking issue
caused by the application loading some DLL files improperly. This
issue may allow an unauthenticated remote attacker to load a DLL file
of the attacker’s choosing, which could execute arbitrary code.

VMware would like to thank Anand Bhat and Himanshu Mehta for
individually reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-7085 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware             Product Running           Replace with/
Product            Version on      Severity  Apply Patch   Workaround
================== ======= ======= ========= ============= ==========
Workstation Pro    12.x    Windows Important 12.5.0        None
Workstation Pro    12.x    Linux   N/A       not affected  N/A
Workstation Player 12.x    Windows Important 12.5.0        None
Workstation Player 12.x    Linux   N/A       not affected  N/A

e. VMware Workstation installer insecure executable loading
vulnerability

The Workstation installer contains an insecure executable loading
vulnerability that may allow an attacker to execute any exe file
placed in the same directory as the installer with the name
“setup64.exe”. Successfully exploiting this issue may allow attackers
to escalate their privileges and execute arbitrary code.

VMware would like to thank Adam Bridge for reporting this issue to
us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-7086 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware             Product Running           Replace with/
Product            Version on      Severity  Apply Patch   Workaround
================== ======= ======= ========= ============= ==========
Workstation Pro    12.x    Windows Important 12.5.0        None
Workstation Pro    12.x    Linux   N/A       not affected  N/A
Workstation Player 12.x    Windows Important 12.5.0        None
Workstation Player 12.x    Linux   N/A       not affected  N/A

f. Workstation EMF file handling memory corruption vulnerability via
Cortado ThinPrint

VMware Workstation contains a vulnerability that may allow a
Windows-based virtual machine (VM) to corrupt memory. This issue
occurs due to improper handling of EMF files in tpview.dll.
Exploitation of this issue may lead to arbitrary code execution in
the hypervisor OS.

The severity of this issue has changed to Low from Critical as the
exploitation of the issue requires a custom registry value to be
added on the host machine.

Exploitation is only possible if virtual printing has been enabled
in VMware Workstation. This feature is not enabled by default.
VMware Knowledge Base article 2146810 documents the procedure for
enabling and disabling this feature.

VMware would like to thank Mateusz Jurczyk of Google’s Project Zero
and Yakun Zhang of McAfee for individually reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-7082 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware             Product Running          Replace with/
Product            Version on      Severity Apply Patch      Workaround
================== ======= ======= ======== ================ ==========
Workstation Player 14.x    Windows Low      14.1.0           None
Workstation Player 14.x    Linux   N/A      not affected     N/A
Workstation Pro    14.x    Windows Low      14.1.0           None
Workstation Pro    14.x    Linux   N/A      not affected     N/A
Workstation Player 12.x    Windows Low      no patch planned None
Workstation Player 12.x    Linux   N/A      not affected     N/A
Workstation Pro    12.x    Windows Low      no patch planned None
Workstation Pro    12.x    Linux   N/A      not affected     N/A

4. Solution

Please review the patch/release notes for your product and version and
verify the checksum of your downloaded file.
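
A pre-launch check covering the checksum step above and the installer issues in 3d and 3e, as an added example that is not VMware's code: it hashes the downloaded installer and lists any DLL or EXE sitting in the same directory. The use of SHA-256, every file name other than setup64.exe, and the treatment of sibling DLLs as relevant to 3d are assumptions of this example, not statements from the advisory.

```python
import hashlib
import os
import tempfile

# Executable name the advisory says the installer would run (CVE-2016-7086).
ADVISORY_EXE_NAME = "setup64.exe"
# File types that can be loaded or executed from beside an installer.
LOADABLE_EXTENSIONS = {".dll", ".exe"}


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large installer is not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_installer(installer_path, expected_sha256):
    """Return (finding, file name) pairs; an empty list means nothing was found."""
    installer_path = os.path.abspath(installer_path)
    directory, installer_name = os.path.split(installer_path)
    findings = []

    # Section 4: compare against the checksum published for the download
    # (SHA-256 is an assumption; use whichever digest the vendor publishes).
    if sha256_of(installer_path) != expected_sha256.strip().lower():
        findings.append(("checksum-mismatch", installer_name))

    # Sections 3d/3e: anything loadable next to the installer is suspect.
    # Windows file names are case-insensitive, so compare in lower case.
    for entry in sorted(os.listdir(directory)):
        lowered = entry.lower()
        if lowered == installer_name.lower():
            continue
        if not os.path.isfile(os.path.join(directory, entry)):
            continue
        if lowered == ADVISORY_EXE_NAME:
            findings.append(("advisory-named-executable", entry))
        elif os.path.splitext(lowered)[1] in LOADABLE_EXTENSIONS:
            findings.append(("sibling-loadable-file", entry))
    return findings


def demo():
    """Audit a constructed download folder before and after cleaning it."""
    with tempfile.TemporaryDirectory() as folder:
        # Constructed sample files; names and contents are placeholders.
        installer = os.path.join(folder, "installer-sample.exe")
        payload = b"constructed installer bytes"
        with open(installer, "wb") as handle:
            handle.write(payload)
        for name in ("setup64.exe", "example.dll", "readme.txt"):
            with open(os.path.join(folder, name), "wb") as handle:
                handle.write(b"constructed sibling file")
        published = hashlib.sha256(payload).hexdigest()

        cluttered = audit_installer(installer, published)
        tampered = audit_installer(installer, "0" * 64)
        for name in ("setup64.exe", "example.dll"):
            os.remove(os.path.join(folder, name))
        clean = audit_installer(installer, published)
    return cluttered, tampered, clean


if __name__ == "__main__":
    for label, result in zip(("cluttered", "tampered", "clean"), demo()):
        print(label, result)
```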

VMware ESXi 6.0
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
https://kb.vmware.com/kb/2145816

VMware ESXi 5.5
Downloads:
https://www.vmware.com/patchmgr/findPatch.portal
Documentation:
https://kb.vmware.com/kb/2144370

VMware Workstation Pro 12.5.0
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation

VMware Workstation Player 12.5.0
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer

VMware Fusion 8.5.0
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion

VMware Tools 10.0.9
Downloads and Documentation:

https://my.vmware.com/web/vmware/details?productId=491&downloadGroup=VMTOOLS1009

VMware Workstation Pro 14.1.0
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://www.vmware.com/support/pubs/ws_pubs.html

VMware Workstation Player 14.1.0
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://www.vmware.com/support/pubs/player_pubs.html

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7082
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7086
https://kb.vmware.com/kb/2146810

- ------------------------------------------------------------------------

6. Change log

2016-09-13 VMSA-2016-0014 Initial security advisory in conjunction
with the release of VMware Workstation 12.5.0 on 2016-09-13.

2017-12-21 VMSA-2016-0014.1
Updated affected versions and resolution for CVE-2016-7082 and
moved this CVE to its own section i.e. 3f.

- ------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2016 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.4.1 (Build 490)
Charset: utf-8

wj8DBQFaPJsSDEcm8Vbi9kMRAis+AKCNQLB3rwWNlaTh90t3CfvJYBjiGQCeO8LC
La1UFYAn/y6Qfqomp7JfgHo=
=0xhk
-----END PGP SIGNATURE-----
