Vulnerability Spotlight: VMWare VNC Vulnerabilities

Today, Talos is disclosing a pair of vulnerabilities in the VNC implementation used in VMWare’s products that could result in code execution. VMWare implements VNC for its remote management, remote access, and automation purposes in VMWare products including Workstation, Player, and ESXi which share a common VMW VNC code base. The vulnerabilities manifest themselves in a way that would allow an attacker to initiate of VNC session causing the vulnerabilities to be triggered. Talos has coordinated with VMWare to ensure the issue was disclosed responsibly and patched by the vendor. Additionally, Talos has developed Snort signatures that can detect attempts to exploit these vulnerabilities.

These vulnerabilities were identified using the recently released Decept Proxy and Mutiny Fuzzers. By utilizing these tools fuzzing was quickly able to take place by generating VNC traffic, feeding it through the Decept Proxy, and finally fuzzing the resulting .fuzzer file via Mutiny. This all occurs without knowing anything about the VMWare specific protocol extensions. For more details about the Decept Proxy and Mutiny Fuzzers see our recent blog.

Vulnerability Details

Discovered by Lilith Wyatt <(^^)> of Cisco Talos_

TALOS-2017-0368

TALOS-2017-0368/CVE-2017-4933 is a code execution vulnerability residing in the remote management functionality of VMWare. Along with the standard VNC messages that all VNC server are required to support VMWare uses a custom and proprietary VNC extension that implements new VNC features and also reworks some standard ones. This vulnerability lies in one of these new features, VNWDynResolution, specifically in the VMWDynResolution request. This VMWDynResolution request is one of the few requests that causes the VNC server to read in a user-supplied data. The vulnerability resides in the way the VNC server handles this data and results in a heap corruption that can lead to code execution.

For more technical details, please read our advisory here.

TALOS-2017-0369

TALOS-2017-0369/CVE-2017-4941 is a code execution vulnerability residing in the remote management functionality of VMWare. As specified in the RFB protocol all VNC servers have to support a standard set of VNC messages. It is in this set of message that the vulnerability resides. The relevant messages are VncPointerEvent, VncSetPixelFormat, and VncFrameBufferUpdateRequest. This bug involves asking the VNC server to create a frame buffer (i.e. screenshot) in memory, changing the image format of that buffer to non-Truecolor (i.e. palette-based), and then causing a cursor to be re-rendered upon that buffer. As is a type confusion in the image format of the frame buffer and the cursor, it triggers a chain of events that leads to a high value being written into the cursors PNG infoStuct eventually leading to a loop of reads and writes to the stack resulting in an overflow.

For more technical details, please read our advisory here.

Coverage

Talos has developed the following Snort rules to detect attempts to exploit these vulnerabilities. Note that these rules are subject to change pending additional vulnerability information. For the most current information, please visit your Firepower Management Center or Snort.org.

Snort Rules: 43483-43486

For other vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal: <http://www.talosintelligence.com/vulnerability-reports/&gt;

To review our Vulnerability Disclosure Policy, please visit this site:

<http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html&gt;