CVE-2017-4924 - Out-of-bounds Write vulnerability in VMware ESXi, Fusion and Workstation Pro
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary
VMware ESXi (ESXi 6.5 without patch ESXi650-201707101-SG), Workstation (12.x before 12.5.7) and Fusion (8.x before 8.5.8) contain an out-of-bounds write vulnerability in the SVGA device. This issue may allow a guest to execute code on the host. The "Local" attack vector refers to code running inside a guest VM; the impact lands on the hypervisor host, which is why the CVSS 3.0 vector carried by the Nessus plugins below records a changed scope (S:C).
Vulnerable Configurations
- VMware ESXi 6.5 without patch ESXi650-201707101-SG (build 5969300)
- VMware Workstation 12.x before 12.5.7
- VMware Fusion 8.x before 8.5.8

Common Weakness Enumeration (CWE)
- CWE-787: Out-of-bounds Write
Nessus

NASL family: General
NASL id: VMWARE_WORKSTATION_LINUX_VMSA_2017_0015.NASL
description: The version of VMware Workstation installed on the remote Linux host is 12.x prior to 12.5.7. It is, therefore, affected by the following vulnerabilities:
- A remote code execution vulnerability exists in VMware Workstation within the SVGA device. An attacker with user access can exploit this to execute arbitrary code. (CVE-2017-4924)
- A denial of service vulnerability exists in VMware Workstation due to a NULL pointer dereference when handling guest RPC requests. An attacker with guest access can exploit this to crash their VMs. NOTE: This vulnerability only affects VMware Workstation 12.5.2 and below. (CVE-2017-4925)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 103379
published: 2017-09-21
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/103379
title: VMware Workstation 12.x < 12.5.7 Multiple Vulnerabilities (VMSA-2017-0015) (Linux)
code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(103379);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/12");

  script_cve_id("CVE-2017-4924", "CVE-2017-4925");
  script_bugtraq_id(100842, 100843);
  script_xref(name:"VMSA", value:"2017-0015");

  script_name(english:"VMware Workstation 12.x < 12.5.7 Multiple Vulnerabilities (VMSA-2017-0015) (Linux)");
  script_summary(english:"Checks the VMware Workstation version.");

  script_set_attribute(attribute:"synopsis", value:
"A virtualization application installed on the remote Linux host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of VMware Workstation installed on the remote Linux host is
12.x prior to 12.5.7. It is, therefore, affected by the following
vulnerabilities:

  - A remote code execution vulnerability exists in VMware
    workstation within the SVGA device. An attacker with user
    access can exploit this to execute arbitrary code.
    (CVE-2017-4924)

  - A denial of service vulnerability exists in VMware
    workstation due to a NULL pointer dereference when
    handling guest RPC requests. An attacker with guest
    access can exploit this to crash their VMs. NOTE: This
    vulnerability only affects VMware Workstation 12.5.2 and
    below. (CVE-2017-4925)");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0015.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware Workstation version 12.5.7 or later.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4924");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/09/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/21");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:workstation");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_workstation_linux_installed.nbin");
  script_require_keys("Host/VMware Workstation/Version", "Settings/ParanoidReport");
  script_exclude_keys("SMB/Registry/Enumerated");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Version-only check: the plugin cannot confirm whether the fix is present,
# so it only reports in paranoid mode.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Linux-only plugin; Windows hosts are handled by plugin 103380.
if (get_kb_item("SMB/Registry/Enumerated")) audit(AUDIT_OS_NOT, "Linux", "Windows");

version = get_kb_item_or_exit("Host/VMware Workstation/Version");

# Only the 12.x branch is covered by this advisory entry.
fix = '';
if (version =~ "^12\.") fix = '12.5.7';

if (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
{
  report =
    '\n  Installed version : ' + version +
    '\n  Fixed version     : ' + fix +
    '\n';
  security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
}
else audit(AUDIT_INST_VER_NOT_VULN, "VMware Workstation", version);

NASL family: Windows
NASL id: VMWARE_WORKSTATION_WIN_VMSA_2017_0015.NASL
description: The version of VMware Workstation installed on the remote Windows host is 12.x prior to 12.5.7. It is, therefore, affected by the following vulnerabilities:
- A remote code execution vulnerability exists in VMware Workstation within the SVGA device. An attacker with user access can exploit this to execute arbitrary code. (CVE-2017-4924)
- A denial of service vulnerability exists in VMware Workstation due to a NULL pointer dereference when handling guest RPC requests. An attacker with guest access can exploit this to crash their VMs. NOTE: This vulnerability only affects VMware Workstation 12.5.2 and below. (CVE-2017-4925)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 103380
published: 2017-09-21
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/103380
title: VMware Workstation 12.x < 12.5.7 Multiple Vulnerabilities (VMSA-2017-0015)

NASL family: MacOS X Local Security Checks
NASL id: MACOSX_FUSION_VMSA_2017_0015__8_5_8.NASL
description: The version of VMware Fusion installed on the remote macOS or Mac OS X host is 8.x prior to 8.5.8. It is, therefore, affected by an out-of-bounds write error related to SVGA devices that allows a guest virtual machine to execute code on the host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 103374
published: 2017-09-21
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/103374
title: VMware Fusion 8.x < 8.5.8 SVGA Code Execution Vulnerability (VMSA-2017-0015) (macOS)

NASL family: Misc.
NASL id: VMWARE_ESXI_6_5_BUILD_5969300_REMOTE.NASL
description: The version of the remote VMware ESXi 6.5 host is prior to build 5969300. It is, therefore, affected by multiple vulnerabilities:
- An out-of-bounds write error related to SVGA devices that allows a guest virtual machine to execute code on the host machine. (CVE-2017-4924)
- A NULL pointer dereference vulnerability related to handling RPC requests that could allow an attacker to crash a virtual machine. (CVE-2017-4925)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 103376
published: 2017-09-21
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/103376
title: ESXi 6.5 < Build 5969300 Multiple Vulnerabilities (VMSA-2017-0015) (remote check)

NASL family: VMware ESX Local Security Checks
NASL id: VMWARE_VMSA-2017-0015.NASL
description:
a. Out-of-bounds write vulnerability in SVGA
VMware ESXi, Workstation and Fusion contain an out-of-bounds write vulnerability in the SVGA device. This issue may allow a guest to execute code on the host. VMware would like to thank Nico Golde and Ralf-Philipp Weinmann of Comsecuris UG (haftungsbeschraenkt) working with ZDI for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4924 to this issue.
b. Guest RPC NULL pointer dereference vulnerability
VMware ESXi, Workstation and Fusion contain a NULL pointer dereference vulnerability. This issue occurs when handling guest RPC requests. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs. VMware would like to thank Zhang Haitao for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4925 to this issue.
c. Stored XSS in H5 Client
vCenter Server H5 Client contains a vulnerability that may allow for stored cross-site scripting (XSS). An attacker with VC user privileges can inject malicious JavaScript which will get executed when other VC users access the page. VMware would like to thank Thomas Ornetzeder for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4926 to this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 103357
published: 2017-09-20
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/103357
title: VMSA-2017-0015 : VMware ESXi, vCenter Server, Fusion and Workstation updates resolve multiple security vulnerabilities
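The Nessus plugins above each check one product by version or build number. The following script is an added example, not Tenable's plugin and not VMware code: it applies the fixed versions stated on this page (Workstation 12.5.7, Fusion 8.5.8, ESXi 6.5 build 5969300) to an offline inventory so the same decision can be made from asset data without a scanner. The Install record, the inventory layout, the assumed shape of `vmware -vl` output and every sample entry are assumptions of this example; the sample data is constructed, not captured from real hosts.

```python
"""
Offline triage for VMSA-2017-0015 / CVE-2017-4924.

Added example, not Tenable's plugin and not VMware code. It applies the
fixed versions the page states to an inventory of installed VMware
products and reports which entries still lack the fix:

    Workstation 12.x -> fixed in 12.5.7
    Fusion 8.x       -> fixed in 8.5.8
    ESXi 6.5         -> fixed at build 5969300 (patch ESXi650-201707101-SG)

The Install record and the inventory layout are assumptions of this
example; all sample entries and the sample `vmware -vl` output are
constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fixed versions per product branch, as given on the page.
FIXED_VERSIONS = {
    "workstation": (12, "12.5.7"),
    "fusion": (8, "8.5.8"),
}
ESXI_FIXED_BUILD = 5969300  # ESXi 6.5 build that carries ESXi650-201707101-SG


@dataclass
class Install:
    product: str                 # "workstation", "fusion" or "esxi"
    version: str                 # e.g. "12.5.6", "8.5.7", "6.5.0"
    build: Optional[int] = None  # ESXi build number when known


def parse_version(version: str) -> Tuple[int, ...]:
    """'12.5.10' -> (12, 5, 10). Comparing tuples of ints avoids the
    classic mistake of comparing version strings lexically, which would
    rank 12.5.10 below 12.5.7."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return parts


def is_affected(inst: Install) -> bool:
    """True when the install is in scope for CVE-2017-4924 and unpatched."""
    product = inst.product.lower()
    ver = parse_version(inst.version)

    if product == "esxi":
        if ver[:2] != (6, 5):
            return False          # only ESXi 6.5 is covered on this page
        if inst.build is None:
            return True           # cannot prove the patch is present: flag it
        return inst.build < ESXI_FIXED_BUILD

    if product in FIXED_VERSIONS:
        major, fixed = FIXED_VERSIONS[product]
        if ver[0] != major:
            return False          # other branches are outside this advisory entry
        return ver < parse_version(fixed)

    return False                  # not a product covered by this CVE


def parse_vmware_vl(output: str) -> Install:
    """Build an Install from `vmware -vl` output on an ESXi host. The
    expected first line 'VMware ESXi 6.5.0 build-NNNNNNN' is an assumption
    of this example."""
    m = re.search(r"VMware ESXi (\d+\.\d+\.\d+) build-(\d+)", output)
    if not m:
        raise ValueError("unrecognised `vmware -vl` output")
    return Install("esxi", m.group(1), int(m.group(2)))


def triage(inventory: List[Install]) -> List[str]:
    """One finding per affected install; patched entries are omitted."""
    findings = []
    for inst in inventory:
        if is_affected(inst):
            where = f" build {inst.build}" if inst.build is not None else ""
            findings.append(f"{inst.product} {inst.version}{where}: "
                            f"affected by CVE-2017-4924, apply VMSA-2017-0015 fix")
    return findings


# Constructed sample inventory: two patched entries, two still exposed.
SAMPLE_INVENTORY = [
    Install("workstation", "12.5.6"),                   # affected
    Install("workstation", "12.5.10"),                  # fixed (numeric compare matters)
    Install("fusion", "8.5.8"),                         # fixed
    parse_vmware_vl("VMware ESXi 6.5.0 build-5000000\n"  # constructed build, affected
                    "VMware ESXi 6.5.0 GA"),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_INVENTORY):
        print(line)
```

Like the Nessus plugins, this is a version check only: an ESXi host whose build cannot be determined is reported as affected rather than silently passed, and an entry in a branch the advisory does not name (for example Workstation 14) is out of scope for this CVE rather than "clean".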
References
- http://www.securityfocus.com/bid/100843
- http://www.securitytracker.com/id/1039365
- http://www.securitytracker.com/id/1039366
- https://0patch.blogspot.com/2017/10/micropatching-hypervisor-with-running.html
- https://www.vmware.com/security/advisories/VMSA-2017-0015.html