VMware fixed two vulnerabilities that affect several of its products.
The first vulnerability (CVE-2016-5330) is a DLL hijacking issue in the Windows version of VMware Tools. The flaw can end up exploited to execute arbitrary code on the targeted system.
The vulnerability came to VMware late last year via Yorick Koster, researcher and co-founder of Dutch security firm Securify.
The flaw relates to VMware Host Guest Client Redirector component of VMware Tools. The component sees use in the Shared Folders feature, which allows users to share files between the guest and the host operating system.
The researcher found when a user opens a document from a uniform naming convention (UNC) path, the Client Redirector injects a DLL named “vmhgfs.dll” into the application used to open the file. Since the DLL loaded from a relative path, Windows searched for it using the dynamic-link library search order.
This allowed an attacker to place a malicious DLL in a location from where it could end up loaded before the real file.
For the attack to work, the hacker needed to trick the victim into opening any document from the share containing the malicious DLL file. Koster said an attacker could launch an assault over the Internet if the WebDAV Mini-Redirector ended up enabled.
Koster said VMware addressed the vulnerability by ensuring the DLL loads from an absolute path. The flaw affects VMware vSphere Hypervisor (ESXi), Workstation Player and Pro, and Fusion.
The other issue is a host privilege escalation vulnerability, CVE-2016-2077 affecting Windows versions of VMware Workstation and VMware Player. Because these two programs do not properly reference one of their executables, a local attacker on the host could potentially elevate his privileges.