Vulnerabilities > CVE-2017-4925 - NULL Pointer Dereference vulnerability in VMWare products

CVSS 5.5 - MEDIUM
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Tags: local, low complexity, vmware, CWE-476, nessus

Summary

VMware ESXi 6.5 without patch ESXi650-201707101-SG, ESXi 6.0 without patch ESXi600-201706101-SG, ESXi 5.5 without patch ESXi550-201709101-SG, Workstation (12.x before 12.5.3), Fusion (8.x before 8.5.4) contain a NULL pointer dereference vulnerability. This issue occurs when handling guest RPC requests. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs.

Common Weakness Enumeration (CWE): CWE-476 (NULL Pointer Dereference)

Nessus

  • NASL family: Misc.
    NASL id: VMWARE_ESXI_6_0_BUILD_5485776_REMOTE.NASL
    description: The version of the remote VMware ESXi 6.0 host is prior to build 5224529. It is, therefore, affected by multiple vulnerabilities in VMWare Tools and the bundled OpenSSL and Python packages, as well as a NULL pointer dereference vulnerability related to handling RPC requests that could allow an attacker to crash a virtual machine.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102698
    published: 2017-09-20
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102698
    title: ESXi 6.0 < Build 5485776 Multiple Vulnerabilities (VMSA-2017-0015) (remote check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(102698);
      script_version("1.8");
      script_cvs_date("Date: 2019/11/12");
    
      script_cve_id(
        "CVE-2016-2183",
        "CVE-2016-7055",
        "CVE-2016-1000110",
        "CVE-2017-3730",
        "CVE-2017-3731",
        "CVE-2017-3732",
        "CVE-2017-4925"
      );
      script_bugtraq_id(
        94242,
        95812,
        95813,
        95814,
        100842
      );
      script_xref(name:"VMSA", value:"2017-0015");
    
      script_name(english:"ESXi 6.0 < Build 5485776 Multiple Vulnerabilities (VMSA-2017-0015) (remote check)");
      script_summary(english:"Checks the ESXi version and build number.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote VMware ESXi 6.0 host is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of the remote VMware ESXi 6.0 host is prior to build
    5224529. It is, therefore, affected by multiple vulnerabilities in
    VMWare Tools and the bundled OpenSSL and Python packages, as well
    as a NULL pointer dereference vulnerability related to handling RPC
    requests that could allow an attacker to crash a virtual machine.");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0015.html");
      # https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2149960
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e03fa029");
      script_set_attribute(attribute:"solution", value:
    "Apply patch ESXi600-201706101-SG according to the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2183");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/20");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("vmware_vsphere_detect.nbin");
      script_require_keys("Host/VMware/version", "Host/VMware/release");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    ver = get_kb_item_or_exit("Host/VMware/version");
    rel = get_kb_item_or_exit("Host/VMware/release");
    
    if ("ESXi" >!< rel) audit(AUDIT_OS_NOT, "ESXi");
    if ("VMware ESXi 6.0" >!< rel) audit(AUDIT_OS_NOT, "ESXi 6.0");
    
    match = pregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);
    if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, "VMware ESXi", "6.0");
    
    build = int(match[1]);
    fixed_build = 5485776;
    
    if (build < fixed_build)
    {
      report = '\n  ESXi version    : ' + ver +
               '\n  Installed build : ' + build +
               '\n  Fixed build     : ' + fixed_build +
               '\n';
      security_report_v4(port:0, extra:report, severity:SECURITY_WARNING);
      exit(0);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, "VMware ESXi", ver - "ESXi " + " build " + build);
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_FUSION_VMSA_2017_0015__8_5_4.NASL
    description: The version of VMware Fusion installed on the remote macOS or Mac OS X host is 8.x prior to 8.5.4. It is, therefore, affected by a NULL pointer dereference error related to handling RPC requests that allows an attacker to crash a virtual machine.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 103373
    published: 2017-09-21
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103373
    title: VMware Fusion 8.x < 8.5.4 DoS Vulnerability (VMSA-2017-0015) (macOS)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(103373);
      script_version("1.6");
      script_cvs_date("Date: 2019/11/12");
    
      script_cve_id("CVE-2017-4925");
      script_bugtraq_id(100842);
      script_xref(name:"VMSA", value:"2017-0015");
    
      script_name(english:"VMware Fusion 8.x < 8.5.4 DoS Vulnerability (VMSA-2017-0015) (macOS)");
      script_summary(english:"Checks the VMware Fusion version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A virtualization application installed on the remote macOS or Mac OS X
    host is affected by a denial of service vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of VMware Fusion installed on the remote macOS or Mac OS X
    host is 8.x prior to 8.5.4. It is, therefore, affected by a NULL pointer
    dereference error related to handling RPC requests that allows an
    attacker to crash a virtual machine.");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/in/security/advisories/VMSA-2017-0015.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to VMware Fusion version 8.5.4 or later.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4925");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/09/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/21");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:fusion");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("macosx_fusion_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "installed_sw/VMware Fusion", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("install_func.inc");
    include("misc_func.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    get_kb_item_or_exit("Host/local_checks_enabled");
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    
    install = get_single_install(app_name:"VMware Fusion", exit_if_unknown_ver:TRUE);
    version = install['version'];
    path = install['path'];
    
    fix = '';
    if (version =~ "^8\.") fix = '8.5.4';
    
    if (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
    {
      report +=
        '\n  Path              : ' + path +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fix +
        '\n';
      security_report_v4(port:0, extra:report, severity:SECURITY_NOTE);
    }
    else audit(AUDIT_INST_PATH_NOT_VULN, "VMware Fusion", version, path);
    
  • NASL family: Misc.
    NASL id: VMWARE_ESXI_5_5_BUILD_6480267_REMOTE.NASL
    description: The version of the remote VMware ESXi 5.5 host is prior to build 6480267. It is, therefore, affected by a NULL pointer dereference vulnerability related to handling RPC requests that could allow an attacker to crash a virtual machine.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 103375
    published: 2017-09-21
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103375
    title: ESXi 5.5 < Build 6480267 RPC NULL Pointer Dereference Vulnerability (VMSA-2017-0015) (remote check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(103375);
      script_version("3.7");
      script_cvs_date("Date: 2019/11/12");
    
      script_cve_id("CVE-2017-4925");
      script_bugtraq_id(100842);
      script_xref(name:"VMSA", value:"2017-0015");
    
      script_name(english:"ESXi 5.5 < Build 6480267 RPC NULL Pointer Dereference Vulnerability (VMSA-2017-0015) (remote check)");
      script_summary(english:"Checks the ESXi version and build number.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote VMware ESXi 5.5 host is affected by an RPC NULL
    pointer dereference vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of the remote VMware ESXi 5.5 host is prior to build
    6480267. It is, therefore, affected by a NULL pointer dereference
    vulnerability related to handling RPC requests that could allow an
    attacker to crash a virtual machine.");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0015.html");
      script_set_attribute(attribute:"solution", value:
    "Apply patch ESXi550-201709101-SG according to the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4925");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/09/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/21");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.5");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("vmware_vsphere_detect.nbin");
      script_require_keys("Host/VMware/version", "Host/VMware/release");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    ver = get_kb_item_or_exit("Host/VMware/version");
    rel = get_kb_item_or_exit("Host/VMware/release");
    
    if ("ESXi" >!< rel) audit(AUDIT_OS_NOT, "ESXi");
    if ("VMware ESXi 5.5" >!< rel) audit(AUDIT_OS_NOT, "ESXi 5.5");
    
    match = pregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);
    if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, "VMware ESXi", "5.5");
    
    build = int(match[1]);
    fixed_build = 6480267;
    
    if (build < fixed_build)
    {
      report = '\n  ESXi version    : ' + ver +
               '\n  Installed build : ' + build +
               '\n  Fixed build     : ' + fixed_build +
               '\n';
      security_report_v4(port:0, extra:report, severity:SECURITY_NOTE);
      exit(0);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, "VMware ESXi", ver - "ESXi " + " build " + build);
    
  • NASL family: General
    NASL id: VMWARE_WORKSTATION_LINUX_VMSA_2017_0015.NASL
    description: The version of VMware Workstation installed on the remote Linux host is 12.x prior to 12.5.7. It is, therefore, affected by the following vulnerabilities:
      - A remote code execution vulnerability exists in VMware Workstation within the SVGA device. An attacker with user access can exploit this to execute arbitrary code. (CVE-2017-4924)
      - A denial of service vulnerability exists in VMware Workstation due to a NULL pointer dereference when handling guest RPC requests. An attacker with guest access can exploit this to crash their VMs. NOTE: This vulnerability only affects VMware Workstation 12.5.2 and below. (CVE-2017-4925)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 103379
    published: 2017-09-21
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103379
    title: VMware Workstation 12.x < 12.5.7 Multiple Vulnerabilities (VMSA-2017-0015) (Linux)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(103379);
      script_version("1.8");
      script_cvs_date("Date: 2019/11/12");
    
      script_cve_id("CVE-2017-4924", "CVE-2017-4925");
      script_bugtraq_id(100842, 100843);
      script_xref(name:"VMSA", value:"2017-0015");
    
      script_name(english:"VMware Workstation 12.x < 12.5.7 Multiple Vulnerabilities (VMSA-2017-0015) (Linux)");
      script_summary(english:"Checks the VMware Workstation version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A virtualization application installed on the remote Linux host is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of VMware Workstation installed on the remote Linux host
    is 12.x prior to 12.5.7. It is, therefore, affected by the following
    vulnerabilities:
    
      - A remote code execution vulnerability exists in VMware
        workstation within the SVGA device. An attacker with
        user access can exploit this to execute arbitrary
        code. (CVE-2017-4924)
    
      - A denial of service vulnerability exists in VMware
    workstation due to a NULL pointer dereference when
        handling guest RPC requests. An attacker with guest
        access can exploit this to crash their VMs.
        NOTE: This vulnerability only affects VMware
        Workstation 12.5.2 and below. (CVE-2017-4925)");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0015.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to VMware Workstation version 12.5.7 or later.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4924");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/09/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/21");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:workstation");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"General");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("vmware_workstation_linux_installed.nbin");
      script_require_keys("Host/VMware Workstation/Version", "Settings/ParanoidReport");
      script_exclude_keys("SMB/Registry/Enumerated");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    if (get_kb_item("SMB/Registry/Enumerated")) audit(AUDIT_OS_NOT, "Linux", "Windows");
    
    version = get_kb_item_or_exit("Host/VMware Workstation/Version");
    
    fix = '';
    if (version =~ "^12\.") fix = '12.5.7';
    
    if (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
    {
      report +=
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fix +
        '\n';
      security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, "VMware Workstation", version);
    
  • NASL family: Windows
    NASL id: VMWARE_WORKSTATION_WIN_VMSA_2017_0015.NASL
    description: The version of VMware Workstation installed on the remote Windows host is 12.x prior to 12.5.7. It is, therefore, affected by the following vulnerabilities:
      - A remote code execution vulnerability exists in VMware Workstation within the SVGA device. An attacker with user access can exploit this to execute arbitrary code. (CVE-2017-4924)
      - A denial of service vulnerability exists in VMware Workstation due to a NULL pointer dereference when handling guest RPC requests. An attacker with guest access can exploit this to crash their VMs. NOTE: This vulnerability only affects VMware Workstation 12.5.2 and below. (CVE-2017-4925)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 103380
    published: 2017-09-21
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103380
    title: VMware Workstation 12.x < 12.5.7 Multiple Vulnerabilities (VMSA-2017-0015)
  • NASL family: Misc.
    NASL id: VMWARE_ESXI_6_5_BUILD_5969300_REMOTE.NASL
    description: The version of the remote VMware ESXi 6.5 host is prior to build 5969300. It is, therefore, affected by multiple vulnerabilities:
      - An out-of-bounds write error related to SVGA devices that allows a guest virtual machine to execute code on the host machine. (CVE-2017-4924)
      - A NULL pointer dereference vulnerability related to handling RPC requests that could allow an attacker to crash a virtual machine. (CVE-2017-4925)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 103376
    published: 2017-09-21
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103376
    title: ESXi 6.5 < Build 5969300 Multiple Vulnerabilities (VMSA-2017-0015) (remote check)
  • NASL family: VMware ESX Local Security Checks
    NASL id: VMWARE_VMSA-2017-0015.NASL
    description:
      a. Out-of-bounds write vulnerability in SVGA. VMware ESXi, Workstation and Fusion contain an out-of-bounds write vulnerability in the SVGA device. This issue may allow a guest to execute code on the host. VMware would like to thank Nico Golde and Ralf-Philipp Weinmann of Comsecuris UG (haftungsbeschraenkt) working with ZDI for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4924 to this issue.
      b. Guest RPC NULL pointer dereference vulnerability. VMware ESXi, Workstation and Fusion contain a NULL pointer dereference vulnerability. This issue occurs when handling guest RPC requests. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs. VMware would like to thank Zhang Haitao for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4925 to this issue.
      c. Stored XSS in H5 Client. vCenter Server H5 Client contains a vulnerability that may allow for stored cross-site scripting (XSS). An attacker with VC user privileges can inject malicious java-scripts which will get executed when other VC users access the page. VMware would like to thank Thomas Ornetzeder for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4926 to this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 103357
    published: 2017-09-20
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103357
    title: VMSA-2017-0015 : VMware ESXi, vCenter Server, Fusion and Workstation updates resolve multiple security vulnerabilities