CVE-2017-4925 - NULL Pointer Dereference vulnerability in VMware products
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Summary
VMware ESXi 6.5 without patch ESXi650-201707101-SG, ESXi 6.0 without patch ESXi600-201706101-SG, ESXi 5.5 without patch ESXi550-201709101-SG, Workstation (12.x before 12.5.3), Fusion (8.x before 8.5.4) contain a NULL pointer dereference vulnerability. This issue occurs when handling guest RPC requests. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs.
Nessus
NASL family: Misc.
NASL id: VMWARE_ESXI_6_0_BUILD_5485776_REMOTE.NASL
Description: The version of the remote VMware ESXi 6.0 host is prior to build 5224529. It is, therefore, affected by multiple vulnerabilities in VMware Tools and the bundled OpenSSL and Python packages, as well as a NULL pointer dereference vulnerability related to handling RPC requests that could allow an attacker to crash a virtual machine.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 102698
Published: 2017-09-20
Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/102698
Title: ESXi 6.0 < Build 5485776 Multiple Vulnerabilities (VMSA-2017-0015) (remote check)
Code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(102698);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/12");

  script_cve_id(
    "CVE-2016-2183",
    "CVE-2016-7055",
    "CVE-2016-1000110",
    "CVE-2017-3730",
    "CVE-2017-3731",
    "CVE-2017-3732",
    "CVE-2017-4925"
  );
  script_bugtraq_id(
    94242,
    95812,
    95813,
    95814,
    100842
  );
  script_xref(name:"VMSA", value:"2017-0015");

  script_name(english:"ESXi 6.0 < Build 5485776 Multiple Vulnerabilities (VMSA-2017-0015) (remote check)");
  script_summary(english:"Checks the ESXi version and build number.");

  script_set_attribute(attribute:"synopsis", value:
"The remote VMware ESXi 6.0 host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of the remote VMware ESXi 6.0 host is prior to build 5224529. It is, therefore, affected by multiple vulnerabilities in VMware Tools and the bundled OpenSSL and Python packages, as well as a NULL pointer dereference vulnerability related to handling RPC requests that could allow an attacker to crash a virtual machine.");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0015.html");
  # https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2149960
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e03fa029");
  script_set_attribute(attribute:"solution", value:
"Apply patch ESXi600-201706101-SG according to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2183");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/06/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_vsphere_detect.nbin");
  script_require_keys("Host/VMware/version", "Host/VMware/release");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Version and release strings collected by the vSphere detection plugin.
ver = get_kb_item_or_exit("Host/VMware/version");
rel = get_kb_item_or_exit("Host/VMware/release");

if ("ESXi" >!< rel) audit(AUDIT_OS_NOT, "ESXi");
if ("VMware ESXi 6.0" >!< rel) audit(AUDIT_OS_NOT, "ESXi 6.0");

# Extract the build number from a release string such as "VMware ESXi 6.0.0 build-NNNNNNN".
match = pregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);
if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, "VMware ESXi", "6.0");

build = int(match[1]);
fixed_build = 5485776;

if (build < fixed_build)
{
  report = '\n ESXi version : ' + ver +
           '\n Installed build : ' + build +
           '\n Fixed build : ' + fixed_build +
           '\n';
  security_report_v4(port:0, extra:report, severity:SECURITY_WARNING);
  exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, "VMware ESXi", ver - "ESXi " + " build " + build);
NASL family: MacOS X Local Security Checks
NASL id: MACOSX_FUSION_VMSA_2017_0015__8_5_4.NASL
Description: The version of VMware Fusion installed on the remote macOS or Mac OS X host is 8.x prior to 8.5.4. It is, therefore, affected by a NULL pointer dereference error related to handling RPC requests that allows an attacker to crash a virtual machine.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 103373
Published: 2017-09-21
Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/103373
Title: VMware Fusion 8.x < 8.5.4 DoS Vulnerability (VMSA-2017-0015) (macOS)
Code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(103373);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/12");

  script_cve_id("CVE-2017-4925");
  script_bugtraq_id(100842);
  script_xref(name:"VMSA", value:"2017-0015");

  script_name(english:"VMware Fusion 8.x < 8.5.4 DoS Vulnerability (VMSA-2017-0015) (macOS)");
  script_summary(english:"Checks the VMware Fusion version.");

  script_set_attribute(attribute:"synopsis", value:
"A virtualization application installed on the remote macOS or Mac OS X host is affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of VMware Fusion installed on the remote macOS or Mac OS X host is 8.x prior to 8.5.4. It is, therefore, affected by a NULL pointer dereference error related to handling RPC requests that allows an attacker to crash a virtual machine.");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/in/security/advisories/VMSA-2017-0015.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware Fusion version 8.5.4 or later.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4925");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/09/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/21");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:fusion");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_fusion_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "installed_sw/VMware Fusion", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("install_func.inc");
include("misc_func.inc");

# Version-only check: only reported when paranoid reporting is enabled.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

get_kb_item_or_exit("Host/local_checks_enabled");

os = get_kb_item("Host/MacOSX/Version");
if (!os) audit(AUDIT_OS_NOT, "Mac OS X");

install = get_single_install(app_name:"VMware Fusion", exit_if_unknown_ver:TRUE);
version = install['version'];
path = install['path'];

fix = '';
if (version =~ "^8\.") fix = '8.5.4';

if (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
{
  report += '\n Path : ' + path +
            '\n Installed version : ' + version +
            '\n Fixed version : ' + fix +
            '\n';
  security_report_v4(port:0, extra:report, severity:SECURITY_NOTE);
}
else audit(AUDIT_INST_PATH_NOT_VULN, "VMware Fusion", version, path);
NASL family: Misc.
NASL id: VMWARE_ESXI_5_5_BUILD_6480267_REMOTE.NASL
Description: The version of the remote VMware ESXi 5.5 host is prior to build 6480267. It is, therefore, affected by a NULL pointer dereference vulnerability related to handling RPC requests that could allow an attacker to crash a virtual machine.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 103375
Published: 2017-09-21
Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/103375
Title: ESXi 5.5 < Build 6480267 RPC NULL Pointer Dereference Vulnerability (VMSA-2017-0015) (remote check)
Code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(103375);
  script_version("3.7");
  script_cvs_date("Date: 2019/11/12");

  script_cve_id("CVE-2017-4925");
  script_bugtraq_id(100842);
  script_xref(name:"VMSA", value:"2017-0015");

  script_name(english:"ESXi 5.5 < Build 6480267 RPC NULL Pointer Dereference Vulnerability (VMSA-2017-0015) (remote check)");
  script_summary(english:"Checks the ESXi version and build number.");

  script_set_attribute(attribute:"synopsis", value:
"The remote VMware ESXi 5.5 host is affected by an RPC NULL pointer dereference vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of the remote VMware ESXi 5.5 host is prior to build 6480267. It is, therefore, affected by a NULL pointer dereference vulnerability related to handling RPC requests that could allow an attacker to crash a virtual machine.");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0015.html");
  script_set_attribute(attribute:"solution", value:
"Apply patch ESXi550-201709101-SG according to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4925");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/09/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/21");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.5");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_vsphere_detect.nbin");
  script_require_keys("Host/VMware/version", "Host/VMware/release");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Version and release strings collected by the vSphere detection plugin.
ver = get_kb_item_or_exit("Host/VMware/version");
rel = get_kb_item_or_exit("Host/VMware/release");

if ("ESXi" >!< rel) audit(AUDIT_OS_NOT, "ESXi");
if ("VMware ESXi 5.5" >!< rel) audit(AUDIT_OS_NOT, "ESXi 5.5");

# Extract the build number from a release string such as "VMware ESXi 5.5.0 build-NNNNNNN".
match = pregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);
if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, "VMware ESXi", "5.5");

build = int(match[1]);
fixed_build = 6480267;

if (build < fixed_build)
{
  report = '\n ESXi version : ' + ver +
           '\n Installed build : ' + build +
           '\n Fixed build : ' + fixed_build +
           '\n';
  security_report_v4(port:0, extra:report, severity:SECURITY_NOTE);
  exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, "VMware ESXi", ver - "ESXi " + " build " + build);
NASL family: General
NASL id: VMWARE_WORKSTATION_LINUX_VMSA_2017_0015.NASL
Description: The version of VMware Workstation installed on the remote Linux host is 12.x prior to 12.5.7. It is, therefore, affected by the following vulnerabilities:
- A remote code execution vulnerability exists in VMware Workstation within the SVGA device. An attacker with user access can exploit this to execute arbitrary code. (CVE-2017-4924)
- A denial of service vulnerability exists in VMware Workstation due to a NULL pointer dereference when handling guest RPC requests. An attacker with guest access can exploit this to crash their VMs. NOTE: This vulnerability only affects VMware Workstation 12.5.2 and below. (CVE-2017-4925)
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 103379
Published: 2017-09-21
Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/103379
Title: VMware Workstation 12.x < 12.5.7 Multiple Vulnerabilities (VMSA-2017-0015) (Linux)
Code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(103379);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/12");

  script_cve_id("CVE-2017-4924", "CVE-2017-4925");
  script_bugtraq_id(100842, 100843);
  script_xref(name:"VMSA", value:"2017-0015");

  script_name(english:"VMware Workstation 12.x < 12.5.7 Multiple Vulnerabilities (VMSA-2017-0015) (Linux)");
  script_summary(english:"Checks the VMware Workstation version.");

  script_set_attribute(attribute:"synopsis", value:
"A virtualization application installed on the remote Linux host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of VMware Workstation installed on the remote Linux host is 12.x prior to 12.5.7. It is, therefore, affected by the following vulnerabilities:
  - A remote code execution vulnerability exists in VMware Workstation within the SVGA device. An attacker with user access can exploit this to execute arbitrary code. (CVE-2017-4924)
  - A denial of service vulnerability exists in VMware Workstation due to a NULL pointer dereference when handling guest RPC requests. An attacker with guest access can exploit this to crash their VMs. NOTE: This vulnerability only affects VMware Workstation 12.5.2 and below. (CVE-2017-4925)");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0015.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware Workstation version 12.5.7 or later.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4924");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/09/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/21");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:workstation");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_workstation_linux_installed.nbin");
  script_require_keys("Host/VMware Workstation/Version", "Settings/ParanoidReport");
  script_exclude_keys("SMB/Registry/Enumerated");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Version-only check: only reported when paranoid reporting is enabled.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# A populated SMB registry means this is a Windows host, covered by the Windows plugin.
if (get_kb_item("SMB/Registry/Enumerated")) audit(AUDIT_OS_NOT, "Linux", "Windows");

version = get_kb_item_or_exit("Host/VMware Workstation/Version");

fix = '';
if (version =~ "^12\.") fix = '12.5.7';

if (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
{
  report += '\n Installed version : ' + version +
            '\n Fixed version : ' + fix +
            '\n';
  security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
}
else audit(AUDIT_INST_VER_NOT_VULN, "VMware Workstation", version);
NASL family: Windows
NASL id: VMWARE_WORKSTATION_WIN_VMSA_2017_0015.NASL
Description: The version of VMware Workstation installed on the remote Windows host is 12.x prior to 12.5.7. It is, therefore, affected by the following vulnerabilities:
- A remote code execution vulnerability exists in VMware Workstation within the SVGA device. An attacker with user access can exploit this to execute arbitrary code. (CVE-2017-4924)
- A denial of service vulnerability exists in VMware Workstation due to a NULL pointer dereference when handling guest RPC requests. An attacker with guest access can exploit this to crash their VMs. NOTE: This vulnerability only affects VMware Workstation 12.5.2 and below. (CVE-2017-4925)
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 103380
Published: 2017-09-21
Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/103380
Title: VMware Workstation 12.x < 12.5.7 Multiple Vulnerabilities (VMSA-2017-0015)

NASL family: Misc.
NASL id: VMWARE_ESXI_6_5_BUILD_5969300_REMOTE.NASL
Description: The version of the remote VMware ESXi 6.5 host is prior to build 5969300. It is, therefore, affected by multiple vulnerabilities:
- An out-of-bounds write error related to SVGA devices that allows a guest virtual machine to execute code on the host machine. (CVE-2017-4924)
- A NULL pointer dereference vulnerability related to handling RPC requests that could allow an attacker to crash a virtual machine. (CVE-2017-4925)
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 103376
Published: 2017-09-21
Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/103376
Title: ESXi 6.5 < Build 5969300 Multiple Vulnerabilities (VMSA-2017-0015) (remote check)

NASL family: VMware ESX Local Security Checks
NASL id: VMWARE_VMSA-2017-0015.NASL
Description:
a. Out-of-bounds write vulnerability in SVGA
VMware ESXi, Workstation and Fusion contain an out-of-bounds write vulnerability in the SVGA device. This issue may allow a guest to execute code on the host. VMware would like to thank Nico Golde and Ralf-Philipp Weinmann of Comsecuris UG (haftungsbeschraenkt) working with ZDI for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4924 to this issue.
b. Guest RPC NULL pointer dereference vulnerability
VMware ESXi, Workstation and Fusion contain a NULL pointer dereference vulnerability. This issue occurs when handling guest RPC requests. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs. VMware would like to thank Zhang Haitao for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4925 to this issue.
c. Stored XSS in H5 Client
vCenter Server H5 Client contains a vulnerability that may allow for stored cross-site scripting (XSS). An attacker with VC user privileges can inject malicious JavaScript which will get executed when other VC users access the page. VMware would like to thank Thomas Ornetzeder for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4926 to this issue.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 103357
Published: 2017-09-20
Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/103357
Title: VMSA-2017-0015 : VMware ESXi, vCenter Server, Fusion and Workstation updates resolve multiple security vulnerabilities
References
- http://www.securityfocus.com/bid/100842
- http://www.securitytracker.com/id/1039367
- http://www.securitytracker.com/id/1039368
- https://www.vmware.com/security/advisories/VMSA-2017-0015.html