[Security-announce] New VMSA-2018-0003 – vRealize Operations for Horizon, vRealize Operations for Published Applications, Workstation, Horizon View Client and Tools updates resolve multiple security vulnerabilities

\n\n–===============2653620258794158661==
Content-Language: en-US
Content-Type: multipart/alternative;
boundary=”_000_BY2PR0501MB16869C17FFDF227071008DF7B91C0BY2PR0501MB1686_”

–_000_BY2PR0501MB16869C17FFDF227071008DF7B91C0BY2PR0501MB1686_
Content-Type: text/plain; charset=”iso-8859-1″
Content-Transfer-Encoding: quoted-printable

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

– ————————————————————————
VMware Security Advisory

Advisory ID: VMSA-2018-0003
Severity: Important
Synopsis: vRealize Operations for Horizon, vRealize Operations for
Published Applications, Workstation, Horizon View Client
and Tools updates resolve multiple security
vulnerabilities

Issue date: 2018-01-04
Updated on: 2018-01-04 (Initial Advisory)
CVE number: CVE-2017-4945, CVE-2017-4946, CVE-2017-4948

1. Summary

vRealize Operations for Horizon, vRealize Operations for Published
Applications, Workstation, Horizon View Client and Tools updates
resolve multiple security vulnerabilities.

2. Relevant Products

vRealize Operations for Horizon (V4H)
vRealize Operations for Published Applications (V4PA)
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Horizon View Client for Windows

3. Problem Description

a. V4H and V4PA desktop agent privilege escalation vulnerability

The V4H and V4PA desktop agents contain a privilege escalation
vulnerability. Successful exploitation of this issue could result in
a low privileged windows user escalating their privileges to SYSTEM.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2017-4946 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/ Mitigation/
Product Version on Severity Apply Patch Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=
=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
V4H 6.x Windows Important 6.5.1* KB52195
V4PA 6.x Windows Important 6.5.1 KB52195

*This agent is also bundled with Horizon 7.4

b. Out-of-bounds read issue via Cortado ThinPrint

VMware Workstation and Horizon View Client contain an out-of-bounds
read vulnerability in TPView.dll. On Workstation, this issue in
conjunction with other bugs may allow a guest to leak information
from host or may allow for a Denial of Service on the Windows OS
that runs Workstation. In the case of a Horizon View Client, this
issue in conjunction with other bugs may allow a View desktop to
leak information from host or may allow for a Denial of Service on
the Windows OS that runs the Horizon View Client.

Exploitation is only possible if virtual printing has been enabled.
This feature is not enabled by default on Workstation but it is
enabled by default on Horizon View.

VMware would like to thank Yakun Zhang of McAfee for reporting this
issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2017-4948 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/ Mitigation
Product Version on Severity Apply patch Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D =3D=3D=
=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Horizon View 4.x Windows Important 4.7.0 None
Client for Windows
Workstation 14.x Windows Important 14.1.0 None

Workstation 14.x Linux N/A not affected N/A
Workstation 12.x Windows Important no patch planned None

Workstation 12.x Linux N/A not affected N/A

c. Guest access control vulnerability.

VMware Workstation and Fusion contain a guest access control
vulnerability. This issue may allow program execution via Unity on
locked Windows VMs.

VMware Tools must updated to 10.2.0 for each VM to resolve
CVE-2017-4945.

VMware Tools 10.2.0 is consumed by Workstation 14.1.0 and
Fusion 10.1.0 by default.

VMware would like to thank Tudor Enache of the United Arab
Emirates Computer Emergency Response Team (aeCERT) for reporting
this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2017-4945 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/ Mitigation
Product Version on Severity Apply patch* Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D =3D=3D=
=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Workstation 14.x Any Important Upgrade Tools* None

Workstation 12.x Any Important no patch planned None

Fusion 10.x OS X Important Upgrade Tools* None

Fusion 8.x OS X Important no patch planned None

* VMware Tools must updated to 10.2.0 for each VM to resolve
CVE-2017-4945. VMware Tools 10.2.0 is consumed by Workstation 14.1.0
and Fusion 10.1.0 by default.

4. Solution

Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.

vRealize Operations for Horizon Desktop Agent 6.5.1
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=3D475&downloadGroup
=3DV4H-651-GA

vRealize Operations for Published Applications Desktop Agent 6.5.1
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=3D475&downloadGroup
=3DV4PA-651-GA

VMware Horizon View Client 4.7.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=3DCART18FQ4_WIN
_470&productId=3D578&rPId=3D20571

VMware Workstation Pro 14.1.0
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://www.vmware.com/support/pubs/ws_pubs.html

VMware Workstation Player 14.1.0
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://www.vmware.com/support/pubs/player_pubs.html

VMware Tools 10.2.0
Downloads:
https://my.vmware.com/web/vmware/details?
downloadGroup=3DVMTOOLS1020&productId=3D491
Documentation:
https://docs.vmware.com/en/VMware-Tools/10.2/rn/
vmware-tools-1020-release-notes.html

5. References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-4945
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-4946
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-4948
http://kb.vmware.com/kb/52195

– ————————————————————————

6. Change log

2018-01-04 VMSA-2018-0003 Initial security advisory in conjunction
with the release of VMware Horizon View Client 4.7.0 on 2018-01-04.

– ————————————————————————

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter

Copyright 2018 VMware Inc. All rights reserved.

—–BEGIN PGP SIGNATURE—–
Version: Encryption Desktop 10.4.1 (Build 490)
Charset: utf-8

wj8DBQFaTx9yDEcm8Vbi9kMRAuQxAJsEoHi61EF6A0T8IPR/LX4mvgH2iACgwuQg
022yaolSTWh5Wdu/13NOkrE=3D
=3DqtU5
—–END PGP SIGNATURE—–

–_000_BY2PR0501MB16869C17FFDF227071008DF7B91C0BY2PR0501MB1686_
Content-Type: text/html; charset=”iso-8859-1″
Content-Transfer-Encoding: quoted-printable

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

– ————————————————————————
            &nb=
sp;           VMware Secu=
rity Advisory

Advisory ID: VMSA-2018-0003
Severity:    Important
Synopsis:    vRealize Operations for Horizon, vRealize Opera=
tions for
             Pu=
blished Applications, Workstation, Horizon View Client
             an=
d Tools updates resolve multiple security
             vu=
lnerabilities

            
Issue date:  2018-01-04
Updated on:  2018-01-04 (Initial Advisory)
CVE number:  CVE-2017-4945, CVE-2017-4946, CVE-2017-4948

1. Summary

   vRealize Operations for Horizon, vRealize Operations for Publi=
shed
   Applications, Workstation, Horizon View Client and Tools updat=
es
   resolve multiple security vulnerabilities.
   
2. Relevant Products

   vRealize Operations for Horizon (V4H)
   vRealize Operations for Published Applications (V4PA)
   VMware Workstation Pro / Player (Workstation)
   VMware Fusion Pro / Fusion (Fusion)
   VMware Horizon View Client for Windows
   
3. Problem Description

   a. V4H and V4PA desktop agent privilege escalation vulnerabili=
ty

   The V4H and V4PA desktop agents contain a privilege escalation=

   vulnerability. Successful exploitation of this issue could res=
ult in
   a low privileged windows user escalating their privileges to S=
YSTEM.

   The Common Vulnerabilities and Exposures project (cve.mitre.or=
g) has
   assigned the identifier CVE-2017-4946 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware     Product   Running&nbs=
p;          Replace with/ Miti=
gation/
   Product    Version   on  &n=
bsp;   Severity  Apply Patch   Workaround
   =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=
=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
   V4H        6.x  &=
nbsp;    Windows Important   6.5.1*  &nb=
sp;     KB52195
   V4PA       6.x   =
    Windows Important   6.5.1   &nb=
sp;     KB52195

   *This agent is also bundled with Horizon 7.4
   
   b. Out-of-bounds read issue via Cortado ThinPrint
 
   VMware Workstation and Horizon View Client contain an out-of-b=
ounds
   read vulnerability in TPView.dll. On Workstation, this issue i=
n
   conjunction with other bugs may allow a guest to leak informat=
ion
   from host or may allow for a Denial of Service on the Windows =
OS
   that runs Workstation. In the case of a Horizon View Client, t=
his
   issue in conjunction with other bugs may allow a View desktop =
to
   leak information from host or may allow for a Denial of Servic=
e on
   the Windows OS that runs the Horizon View Client.
   
   Exploitation is only possible if virtual printing has been ena=
bled.
   This feature is not enabled by default on Workstation but it i=
s
   enabled by default on Horizon View.
   
   VMware would like to thank Yakun Zhang of McAfee for reporting=
this
   issue to us.
   
   The Common Vulnerabilities and Exposures project (cve.mitre.or=
g) has
   assigned the identifier CVE-2017-4948 to this issue.
   
   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware          P=
roduct Running           =
Replace with/   Mitigation
   Product         Versio=
n on      Severity  Apply patch  &n=
bsp;  Workaround
   =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  =3D=3D=3D=3D=
=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D  =3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D   =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
   Horizon View      4.x   Win=
dows Important    4.7.0      &=
nbsp;    None
   Client for Windows       &n=
bsp;      
   Workstation       14.x  Win=
dows Important    14.1.0      =
    None       
    
   Workstation       14.x  Lin=
ux   N/A         not affe=
cted     N/A
   Workstation       12.x  Win=
dows Important   no patch planned None    &nb=
sp;  
    
   Workstation       12.x  Lin=
ux   N/A         not affe=
cted     N/A

   c. Guest access control vulnerability.
   
   VMware Workstation and Fusion contain a guest access control
   vulnerability. This issue may allow program execution via Unit=
y on
   locked Windows VMs.

   VMware Tools must updated to 10.2.0 for each VM to resolve
   CVE-2017-4945.
 
   VMware Tools 10.2.0 is consumed by Workstation 14.1.0 and
   Fusion 10.1.0 by default.
   
   VMware would like to thank Tudor Enache of the United Arab
   Emirates Computer Emergency Response Team (aeCERT) for reporti=
ng
   this issue to us.
   
   The Common Vulnerabilities and Exposures project (cve.mitre.or=
g) has
   assigned the identifier CVE-2017-4945 to this issue.
   
   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.
   
   VMware          P=
roduct Running           =
Replace with/   Mitigation
   Product         Versio=
n on      Severity  Apply patch*  &=
nbsp; Workaround
   =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  =3D=3D=3D=3D=
=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D  =3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D   =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
   Workstation      14.x  &nbs=
p; Any    Important Upgrade Tools*   None

   Workstation      12.x  &nbs=
p; Any    Important no patch planned None   &=
nbsp;    

   Fusion         &n=
bsp; 10.x    OS X   Important Upgrade Tools* =
  None
            &nb=
sp;            =
            &nb=
sp;            =
        
   Fusion         &n=
bsp; 8.x     OS X   Important no patch planne=
d None
 
   * VMware Tools must updated to 10.2.0 for each VM to resolve
   CVE-2017-4945. VMware Tools 10.2.0 is consumed by Workstation =
14.1.0
   and Fusion 10.1.0 by default.
   
4. Solution

   Please review the patch/release notes for your product and ver=
sion
   and verify the checksum of your downloaded file.

   vRealize Operations for Horizon Desktop Agent 6.5.1
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?productId=3D475&d=
ownloadGroup
   =3DV4H-651-GA

   vRealize Operations for Published Applications Desktop Agent 6=
.5.1
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?productId=3D475&d=
ownloadGroup
   =3DV4PA-651-GA
   
   VMware Horizon View Client 4.7.0
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?downloadGroup=3DCART1=
8FQ4_WIN
   _470&productId=3D578&rPId=3D20571
   
   VMware Workstation Pro 14.1.0
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation
   https://www.vmware.com/support/pubs/ws_pubs.html
   
   VMware Workstation Player 14.1.0
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer
   https://www.vmware.com/support/pubs/player_pubs.html
   
   VMware Tools 10.2.0
   Downloads:
   https://my.vmware.com/web/vmware/details?
   downloadGroup=3DVMTOOLS1020&productId=3D491   
   Documentation:  
   https://docs.vmware.com/en/VMware-Tools/10.2/rn/
   vmware-tools-1020-release-notes.html

5. References

   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-4=
945
   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-4=
946
   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-4=
948
   http://kb.vmware.com/kb/52195

– ————————————————————————

6. Change log

   2018-01-04 VMSA-2018-0003  Initial security advisory in c=
onjunction
   with the release of VMware Horizon View Client 4.7.0 on 2018-0=
1-04.

– ————————————————————————

7. Contact

   E-mail list for product security notifications and announcemen=
ts:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-anno=
unce

   This Security Advisory is posted to the following lists:

    security-announce@lists.vmware.com
    bugtraq@securityfocus.com
    fulldisclosure@seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html=

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   VMware Security & Compliance Blog   
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2018 VMware Inc. All rights reserved.

—–BEGIN PGP SIGNATURE—–
Version: Encryption Desktop 10.4.1 (Build 490)
Charset: utf-8

wj8DBQFaTx9yDEcm8Vbi9kMRAuQxAJsEoHi61EF6A0T8IPR/LX4mvgH2iACgwuQg
022yaolSTWh5Wdu/13NOkrE=3D
=3DqtU5
—–END PGP SIGNATURE—–

–_000_BY2PR0501MB16869C17FFDF227071008DF7B91C0BY2PR0501MB1686_–

–===============2653620258794158661==
Content-Type: text/plain; charset=”us-ascii”
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
https://lists.vmware.com/mailman/listinfo/security-announce

–===============2653620258794158661==–