VMware released updates for the Linux and Windows versions of Workstation to patch privilege escalation and denial-of-service (DoS) vulnerabilities.
One of the flaws, discovered by Jann Horn of Google Project Zero and tracked as CVE-2017-4915, affects VMware Workstation Pro and Player 12.x on Linux. The weakness has been classified as “important” severity.
The security hole, described as an insecure library loading vulnerability, allows an unprivileged host user to escalate their privileges to root on the host via ALSA sound driver configuration files.
The second vulnerability, identified by Borja Merino and tracked as CVE-2017-4916, affects VMware Workstation Pro and Player 12.x on Windows.
This “moderate” severity flaw is a NULL pointer dereference issue that exists in the vstor2 driver. An attacker with regular host user privileges can exploit the vulnerability to cause a DoS condition on the host machine.
The vulnerabilities have been patched with the release of VMware Workstation 12.5.6. There are no workarounds for either of the flaws.