---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerabilities in VMware ESXi, Workstation, and Fusion'
version: '1.1'
number: '2017-007'
date: 'March 31, 2017'
---

_History:_

* _29/03/2017 --- v1.0: Initial publication_
* _31/03/2017 --- v1.1: Correction regarding VMware ESXi 5.5_

# Summary

On March 28, 2017, VMware released an advisory for the VMware ESXi, Workstation, and Fusion products [1]. The advisory addresses critical and moderate security issues. The critical vulnerabilities may allow a guest system to execute code on the host system (CVE-2017-4902, CVE-2017-4903, and CVE-2017-4904). The remaining vulnerability (CVE-2017-4905) may lead to an information leak from the guest system.

These vulnerabilities were discovered by two teams (Team Sniper and Qihoo 360) during the Pwn2Own event at CanSecWest [2].

# Technical Details

The discovered vulnerabilities affecting VMware products are:

* CVE-2017-4902 (critical): Heap overflow leading to arbitrary code execution
* CVE-2017-4903 (critical): Uninitialized stack value leading to arbitrary code execution
* CVE-2017-4904 (critical): Uninitialized stack value leading to arbitrary code execution
* CVE-2017-4905 (moderate): Uninitialized memory read leading to information disclosure

# Vulnerable Systems

* VMware ESXi 5.5 - CVE-2017-4904 (moderate) and CVE-2017-4905 (moderate)
* VMware ESXi 6.0 - all vulnerabilities except CVE-2017-4902
* VMware ESXi 6.5 - all vulnerabilities
* VMware Workstation 12.x - all vulnerabilities
* VMware Fusion 8.x (OS X) - all vulnerabilities

_Note:_ VMware ESXi 6.0 is not affected by CVE-2017-4902. Furthermore, on VMware ESXi 5.5, CVE-2017-4904 only leads to denial of service (moderate).

# Recommendations

Apply the upgrades provided by VMware for all affected products as soon as possible [1]. No other workarounds are available.

# References

[1]

[2]
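To turn the Vulnerable Systems list and the upgrade recommendation into a fleet triage step, the following added example (not part of the CERT-EU advisory) parses the version output an administrator already collects from each host and reports which of the listed CVEs apply to that product line. It reads the output of `esxcli system version get` on ESXi and of `vmware -v` on Workstation and Fusion. The sample outputs are constructed for this example, and the `patched_builds` argument is a placeholder: the advisory gives no fixed build numbers, so the operator fills it from the vendor advisory [1] before treating any host as patched.

```python
"""Triage helper: map a host's reported version to the CVEs listed in advisory 2017-007.

Added example, not the advisory's own tooling. Sample outputs below are constructed.
"""
import re

# The four vulnerabilities named in the advisory, with their severity.
ALL_FOUR = {
    "CVE-2017-4902": "critical",
    "CVE-2017-4903": "critical",
    "CVE-2017-4904": "critical",
    "CVE-2017-4905": "moderate",
}

# Product line -> applicable CVEs, transcribed from the Vulnerable Systems section.
# On ESXi 5.5 the advisory rates CVE-2017-4904 as moderate (denial of service only).
ADVISORY_CVES = {
    "ESXi 5.5": {"CVE-2017-4904": "moderate", "CVE-2017-4905": "moderate"},
    "ESXi 6.0": {k: v for k, v in ALL_FOUR.items() if k != "CVE-2017-4902"},
    "ESXi 6.5": dict(ALL_FOUR),
    "Workstation 12": dict(ALL_FOUR),
    "Fusion 8": dict(ALL_FOUR),
}

# "   Version: 6.5.0" style lines from `esxcli system version get`.
ESXCLI_FIELD = re.compile(r"^\s*(\w+):\s*(.*?)\s*$")
# "VMware Workstation 12.5.2 build-4638234" style line from `vmware -v`.
VMWARE_V = re.compile(r"VMware (Workstation|Fusion) (\d+)\.(\d+)(?:\.\d+)? build-(\d+)")


def identify(text):
    """Return (product_line, build_number) from either tool's output, or (None, None)."""
    m = VMWARE_V.search(text)
    if m:
        # Workstation and Fusion are listed by major version only (12.x, 8.x).
        return f"{m.group(1)} {m.group(2)}", int(m.group(4))
    fields = {}
    for line in text.splitlines():
        fm = ESXCLI_FIELD.match(line)
        if fm:
            fields[fm.group(1)] = fm.group(2)
    if "ESXi" in fields.get("Product", ""):
        major_minor = ".".join(fields.get("Version", "").split(".")[:2])
        bm = re.search(r"(\d+)", fields.get("Build", ""))
        return f"ESXi {major_minor}", (int(bm.group(1)) if bm else None)
    return None, None


def assess(text, patched_builds=None):
    """Classify one host as affected / patched / not listed / unrecognised.

    patched_builds: {product_line: first_fixed_build} supplied by the operator
    from the vendor advisory; the page itself gives no build numbers.
    """
    line, build = identify(text)
    cves = ADVISORY_CVES.get(line, {})
    if line is None:
        status = "unrecognised"
    elif not cves:
        status = "not listed"
    elif (patched_builds and line in patched_builds
          and build is not None and build >= patched_builds[line]):
        status = "patched"
    else:
        status = "affected"
    if status != "affected":
        worst = "none"
    else:
        worst = "critical" if "critical" in cves.values() else "moderate"
    return {"line": line, "build": build, "status": status,
            "cves": sorted(cves), "worst": worst}


# Constructed sample outputs (not captured from real hosts).
SAMPLE_ESXI_65 = """   Product: VMware ESXi
   Version: 6.5.0
   Build: Releasebuild-4564106
   Update: 0
   Patch: 14
"""
SAMPLE_ESXI_55 = """   Product: VMware ESXi
   Version: 5.5.0
   Build: Releasebuild-3029944
   Update: 3
   Patch: 0
"""
SAMPLE_ESXI_51 = """   Product: VMware ESXi
   Version: 5.1.0
   Build: Releasebuild-1483097
"""
SAMPLE_WORKSTATION = "VMware Workstation 12.5.2 build-4638234\n"

if __name__ == "__main__":
    # PLACEHOLDER: replace with the first fixed build per line from the vendor advisory [1].
    fixed = {"ESXi 6.5": 9999999}
    for sample in (SAMPLE_ESXI_65, SAMPLE_ESXI_55, SAMPLE_ESXI_51, SAMPLE_WORKSTATION):
        r = assess(sample, fixed)
        print(f"{r['line']!s:15} build={r['build']!s:8} {r['status']:12} worst={r['worst']:8} {r['cves']}")
```

The severity returned per host is the advisory's own rating, so an ESXi 5.5 host comes out "moderate" even though CVE-2017-4904 is critical on the other lines; that is what drives the patch-ordering decision the Recommendations section calls for.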