VMware released updates for the Linux and Windows versions of Workstation to patch privilege escalation and denial-of-service (DoS) vulnerabilities.

One of the flaws, discovered by Jann Horn of Google Project Zero and tracked as CVE-2017-4915, affects VMware Workstation Pro and Player 12.x on Linux. The weakness has been classified as “important” severity.

VMware Fixes vCenter Server Hole
VMware Patches Virtual Machine Holes
VMware Mitigates AirWatch Holes
VMware Fixes Info Disclosure Holes

The security hole, described as an insecure library loading vulnerability, allows an unprivileged host user to escalate their privileges to root on the host via ALSA sound driver configuration files.

The second vulnerability, identified by Borja Merino and tracked as CVE-2017-4916, affects VMware Workstation Pro and Player 12.x on Windows.

Schneider Bold

This “moderate” severity flaw is a NULL pointer dereference issue that exists in the vstor2 driver. An attacker with regular host user privileges can exploit the vulnerability to cause a DoS condition on the host machine.

The vulnerabilities have been patched with the release of VMware Workstation 12.5.6. There are no workarounds for either of the flaws.

Pin It on Pinterest

Share This