{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2017-027.pdf"
    },
    "title": "Multiple Security Vulnerabilities Affecting VMware Products",
    "serial_number": "2017-027",
    "publish_date": "22-12-2017 14:58:00",
    "description": "On the 19th of December 2017, VMware released updates to address multiple security vulnerabilities in ESXi, vCenter Server Appliance, Workstation and Fusion. The most serious of the vulnerabilities could allow remote arbitrary code execution in a virtual machine.",
    "url_title": "2017-027",
    "content_markdown": "---\ntitle: 'Multiple Security Vulnerabilities Affecting VMware Products'\nversion: '1.0'\nnumber: '2017-027'\ndate: 'December 22, 2017'\n---\n\n_History:_\n\n* _22/12/2017 --- v1.0: Initial publication_\n\n# Summary\n\nOn the 19th of December 2017, VMware released updates to address multiple security vulnerabilities in ESXi, vCenter Server Appliance, Workstation and Fusion [1]. The most serious of the vulnerabilities could allow remote arbitrary code execution in a virtual machine.\n\n\n# Technical Details\n\nThe vulnerabilities received four CVEs: CVE-2017-4941, CVE-2017-4933, CVE-2017-4940, and CVE-2017-4943.\n\nThe first vulnerability (CVE-2017-4941) can be exploited by a remote attacker to execute code in a virtual machine via an authenticated Virtual Network Computing (VNC) session. According to Cisco Talos: _A specially crafted set of VNC packets can cause a type confusion resulting in stack overwrite, which could lead to code execution_ [2]. ESXi, Workstation and Fusion are affected [1].\n\nThe second vulnerability (CVE-2017-4933) allows an attacker to execute arbitrary code in a virtual machine using specially crafted VNC packets. In that case: _A specially crafted set of VNC packets can cause a heap overflow resulting in heap corruption_ [3]. ESXi, Workstation and Fusion are affected [1].\n\nThe third vulnerability (CVE-2017-4940) allows for persistent cross-site scripting (XSS) in ESXi Host Client. It could be exploited by injecting JavaScript code that gets executed by other users [1].\n\nThe last vulnerability (CVE-2017-4943) is a privilege escalation affecting the VMware vCenter Server Appliance `showlog` plugin. It can be exploited by an attacker with low privileges to gain root-level access [1].\n\n# Products Affected\n\nSeveral versions and components of VMware ESXi, vCenter Server Appliance, Workstation and Fusion are affected [1].\n\n# Recommendations\n\n* Review the patch level for your product and version and update accordingly [1].\n* As a workaround for the CVE-2017-4941 and CVE-2017-4933 vulnerabilities, exploitation can be blocked by disabling VNC in the `.vmx` configuration of VMs and blocking the traffic on the firewall.\n\n# References\n\n[1] <https://www.vmware.com/security/advisories/VMSA-2017-0021.html>\n\n[2] <https://www.talosintelligence.com/reports/TALOS-2017-0369>\n\n[3] <https://www.talosintelligence.com/reports/TALOS-2017-0368>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>22/12/2017 --- v1.0: Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On the 19th of December 2017, VMware released updates to address multiple security vulnerabilities in ESXi, vCenter Server Appliance, Workstation and Fusion [1]. The most serious of the vulnerabilities could allow remote arbitrary code execution in a virtual machine.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerabilities received four CVEs: CVE-2017-4941, CVE-2017-4933, CVE-2017-4940, and CVE-2017-4943.</p><p>The first vulnerability (CVE-2017-4941) can be exploited by a remote attacker to execute code in a virtual machine via an authenticated Virtual Network Computing (VNC) session. According to Cisco Talos: <em>A specially crafted set of VNC packets can cause a type confusion resulting in stack overwrite, which could lead to code execution</em> [2]. ESXi, Workstation and Fusion are affected [1].</p><p>The second vulnerability (CVE-2017-4933) allows an attacker to execute arbitrary code in a virtual machine using specially crafted VNC packets. In that case: <em>A specially crafted set of VNC packets can cause a heap overflow resulting in heap corruption</em> [3]. ESXi, Workstation and Fusion are affected [1].</p><p>The third vulnerability (CVE-2017-4940) allows for persistent cross-site scripting (XSS) in ESXi Host Client. It could be exploited by injecting JavaScript code that gets executed by other users [1].</p><p>The last vulnerability (CVE-2017-4943) is a privilege escalation affecting the VMware vCenter Server Appliance <code>showlog</code> plugin. It can be exploited by an attacker with low privileges to gain root-level access [1].</p><h2 id=\"products-affected\">Products Affected</h2><p>Several versions and components of VMware ESXi, vCenter Server Appliance, Workstation and Fusion are affected [1].</p><h2 id=\"recommendations\">Recommendations</h2><ul><li>Review the patch level for your product and version and update accordingly [1].</li><li>As a workaround for the CVE-2017-4941 and CVE-2017-4933 vulnerabilities, exploitation can be blocked by disabling VNC in the <code>.vmx</code> configuration of VMs and blocking the traffic on the firewall.</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.vmware.com/security/advisories/VMSA-2017-0021.html\">https://www.vmware.com/security/advisories/VMSA-2017-0021.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.talosintelligence.com/reports/TALOS-2017-0369\">https://www.talosintelligence.com/reports/TALOS-2017-0369</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.talosintelligence.com/reports/TALOS-2017-0368\">https://www.talosintelligence.com/reports/TALOS-2017-0368</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}