ID 1337DAY-ID-33584 Type zdt Reporter unamer Modified 2019-11-25T00:00:00
Description
Exploit for windows platform in category local exploits
# VMware Escape Exploit
VMware escape exploit for VMware Workstation before 12.5.3
Host target: Win10 x64
Compiler: VS2013
Tested on VMware 12.5.2 build-4638234
# Known issues
* Failed heap manipulation causes the host process to crash (about 50% success rate).
* Not very elaborate, because I'm not good at doing heap "fengshui" on the Windows LFH.
# FAQ
* Q: Error when rebooting the VM after the process crashed.
* A: Just remove the **\*.lck** folder in your VM directory, or wait a while and have a coffee :). Here is a simple [script](https://raw.githubusercontent.com/unamer/vmware_escape/master/cve-2017-4901/cleanvm.bat) I used to clean up.

# Reference
* https://keenlab.tencent.com/en/2018/04/23/A-bunch-of-Red-Pills-VMware-Escapes/
EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47715.zip
# 0day.today [2019-12-04] #
# Related advisories
* CVE-2017-4905 (NVD, published 2017-06-07, CWE-200): VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi600-201703403-SG, 6.0 U1 without patch ESXi600-201703402-SG, 5.5 without patch ESXi550-201703401-SG; Workstation Pro / Player 12.x prior to 12.5.5; and Fusion Pro / Fusion 8.x prior to 8.5.6 have uninitialized memory usage. This issue may lead to an information leak. CVSS v2 base score 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N); CVSS v3.0 base score 5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-4905
* ZDI-17-238 (published 2017-03-30, modified 2017-06-22): (Pwn2Own) VMware Workstation Uninitialized Memory Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on vulnerable installations of VMware Workstation. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of the Backdoor communications channel. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the hypervisor. CVSS v2 base score 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N). https://www.zerodayinitiative.com/advisories/ZDI-17-238/
* EDB-ID:47715 (published 2019-06-06): VMware WorkStation 12.5.3 - Virtual Machine Escape. https://www.exploit-db.com/exploits/47715
(About 50% successful rate )\r\n* Not quite elaborate because I'm not good at doing heap \"fengshui\" on winows LFH.\r\n\r\n# FAQ\r\n\r\n* Q: Error in reboot vmware after crashing process.\r\n* A: Just remove ***.lck** folder in your vm directory or wait a while and have a coffee :).Here is a simple [script](https://raw.githubusercontent.com/unamer/vmware_escape/master/cve-2017-4901/cleanvm.bat) I used to clean up.\r\n\r\n\r\n\r\n\r\n# Reference\r\n\r\n* https://keenlab.tencent.com/en/2018/04/23/A-bunch-of-Red-Pills-VMware-Escapes/\r\n\r\nEDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47715.zip", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://www.exploit-db.com/download/47715"}], "exploitpack": [{"lastseen": "2020-04-01T20:40:47", "description": "\nVMware WorkStation 12.5.3 - Virtual Machine Escape", "edition": 1, "published": "2019-06-06T00:00:00", "title": "VMware WorkStation 12.5.3 - Virtual Machine Escape", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-4901", "CVE-2017-4905"], "modified": "2019-06-06T00:00:00", "id": "EXPLOITPACK:C0C12F043C649BD8F0133FA113860E15", "href": "", "sourceData": "# VMware Escape Exploit\n\nVMware Escape Exploit before VMware WorkStation 12.5.3\n\nHost Target: Win10 x64\n\nCompiler: VS2013 \n\nTest on VMware 12.5.2 build-4638234\n\n# Known issues\n\n* Failing to heap manipulation causes host process crash. 
(About 50% successful rate )\n* Not quite elaborate because I'm not good at doing heap \"fengshui\" on winows LFH.\n\n# FAQ\n\n* Q: Error in reboot vmware after crashing process.\n* A: Just remove ***.lck** folder in your vm directory or wait a while and have a coffee :).Here is a simple [script](https://raw.githubusercontent.com/unamer/vmware_escape/master/cve-2017-4901/cleanvm.bat) I used to clean up.\n\n\n\n\n# Reference\n\n* https://keenlab.tencent.com/en/2018/04/23/A-bunch-of-Red-Pills-VMware-Escapes/\n\nEDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47715.zip", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-01T06:59:58", "description": "The version of the remote VMware ESXi 5.5 host is prior to build\n5230635. It is, therefore, affected by multiple vulnerabilities :\n\n - An unspecified flaw exists in memory initialization that\n allows an attacker on the guest to execute arbitrary\n code on the host. 
(CVE-2017-4904)\n\n - An unspecified flaw exists in memory initialization that\n allows the disclosure of sensitive information.\n (CVE-2017-4905)", "edition": 28, "cvss3": {"score": 8.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-31T00:00:00", "title": "ESXi 5.5 < Build 5230635 Multiple Vulnerabilities (VMSA-2017-0006) (remote check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4904", "CVE-2017-4905"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:vmware:esxi:5.5"], "id": "VMWARE_ESXI_5_5_BUILD_5230635_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/99129", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99129);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2017-4904\", \"CVE-2017-4905\");\n script_bugtraq_id(97164, 97165);\n script_xref(name:\"VMSA\", value:\"2017-0006\");\n\n script_name(english:\"ESXi 5.5 < Build 5230635 Multiple Vulnerabilities (VMSA-2017-0006) (remote check)\");\n script_summary(english:\"Checks the ESXi version and build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote VMware ESXi 5.5 host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the remote VMware ESXi 5.5 host is prior to build\n5230635. It is, therefore, affected by multiple vulnerabilities :\n\n - An unspecified flaw exists in memory initialization that\n allows an attacker on the guest to execute arbitrary\n code on the host. 
(CVE-2017-4904)\n\n - An unspecified flaw exists in memory initialization that\n allows the disclosure of sensitive information.\n (CVE-2017-4905)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0006.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply patch ESXi550-201703401-SG according to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-4904\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:5.5\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vsphere_detect.nbin\");\n script_require_keys(\"Host/VMware/version\", \"Host/VMware/release\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nver = get_kb_item_or_exit(\"Host/VMware/version\");\nrel = get_kb_item_or_exit(\"Host/VMware/release\");\n\nif (\"ESXi\" >!< rel) audit(AUDIT_OS_NOT, \"ESXi\");\nif (\"VMware ESXi 5.5\" >!< rel) audit(AUDIT_OS_NOT, \"ESXi 5.5\");\n\nmatch = eregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);\nif (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, \"VMware ESXi\", \"5.5\");\n\nbuild = int(match[1]);\nfixed_build = 5230635;\n\nif (build < fixed_build)\n{\n report = '\\n ESXi version : ' + ver +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fixed_build +\n '\\n';\n security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"VMware ESXi\", ver - \"ESXi \" + \" build \" + build);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T06:59:58", "description": "The version of the remote VMware ESXi 6.0 host is 6.0 U1 prior to\nbuild 5251621, 6.0 U2 prior to build 5251623, or 6.0 U3 prior to build\n5224934. It is, therefore, affected by multiple vulnerabilities :\n\n - A stack memory initialization flaw exists that allows an\n attacker on the guest to execute arbitrary code on the\n host. (CVE-2017-4903)\n\n - An unspecified flaw exists in memory initialization that\n allows an attacker on the guest to execute arbitrary\n code on the host. 
(CVE-2017-4904)\n\n - An unspecified flaw exists in memory initialization that\n allows the disclosure of sensitive information.\n (CVE-2017-4905)", "edition": 28, "cvss3": {"score": 8.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-31T00:00:00", "title": "ESXi 6.0 U1 < Build 5251621 / 6.0 U2 < Build 5251623 / 6.0 U3 < Build 5224934 Multiple Vulnerabilities (VMSA-2017-0006) (remote check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:vmware:esxi:6.0"], "id": "VMWARE_ESXI_6_0_BUILD_5251621_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/99130", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99130);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2017-4903\", \"CVE-2017-4904\", \"CVE-2017-4905\");\n script_bugtraq_id(97160, 97164, 97165);\n script_xref(name:\"VMSA\", value:\"2017-0006\");\n\n script_name(english:\"ESXi 6.0 U1 < Build 5251621 / 6.0 U2 < Build 5251623 / 6.0 U3 < Build 5224934 Multiple Vulnerabilities (VMSA-2017-0006) (remote check)\");\n script_summary(english:\"Checks the ESXi version and build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote VMware ESXi 6.0 host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the remote VMware ESXi 6.0 host is 6.0 U1 prior to\nbuild 5251621, 6.0 U2 prior to build 5251623, or 6.0 U3 prior to build\n5224934. It is, therefore, affected by multiple vulnerabilities :\n\n - A stack memory initialization flaw exists that allows an\n attacker on the guest to execute arbitrary code on the\n host. (CVE-2017-4903)\n\n - An unspecified flaw exists in memory initialization that\n allows an attacker on the guest to execute arbitrary\n code on the host. 
(CVE-2017-4904)\n\n - An unspecified flaw exists in memory initialization that\n allows the disclosure of sensitive information.\n (CVE-2017-4905)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0006.html\");\n # https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2149672\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?29e8975b\");\n # https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2149673\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0ac633b1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply patch ESXi600-201703401-SG, ESXi600-201703002, or\nESXi600-201703003 according to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-4904\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:6.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vsphere_detect.nbin\");\n script_require_keys(\"Host/VMware/version\", \"Host/VMware/release\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nver = get_kb_item_or_exit(\"Host/VMware/version\");\nrel = get_kb_item_or_exit(\"Host/VMware/release\");\n\nif (\"ESXi\" >!< rel) audit(AUDIT_OS_NOT, \"ESXi\");\nif (\"VMware ESXi 6.0\" >!< rel) audit(AUDIT_OS_NOT, \"ESXi 6.0\");\n\nmatch = eregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);\nif (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, \"VMware ESXi\", \"6.0\");\n\nbuild = int(match[1]);\nvuln = FALSE;\n\n# 6.0 U1 Builds\n# KB 2149672\nu1_builds = make_list(3029758, 3073146, 3247720, 3380124, 3568940);\nforeach u1_build (u1_builds)\n{\n if (build == u1_build)\n {\n vuln = TRUE;\n fixed_build = 5251621;\n }\n}\n\n# 6.0 U2 Builds\n# KB 2149673\nu1_builds = make_list(3620759, 3825889, 4192238, 4510822, 4600944);\nforeach u1_build (u1_builds)\n{\n if (build == u1_build)\n {\n vuln = TRUE;\n fixed_build = 5251623;\n }\n}\n\n# 6.0 U3\n# KB 2143832 lists 5050593 as the build for 6.0 U3 released on 2/24/17\nif (!vuln)\n{\n if (build >= 5050593 && build < 5224934)\n {\n vuln = TRUE;\n fixed_build = 5224934;\n }\n}\n\nif (vuln)\n{\n report = '\\n ESXi version : ' + ver +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fixed_build +\n '\\n';\n security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"VMware ESXi\", ver - \"ESXi \" + \" build \" + build);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-04T06:22:55", "description": "The version of the remote VMware ESXi 6.5 host is prior to build\n5224529. 
It is, therefore, affected by multiple vulnerabilities :\n\n - A stack memory initialization flaw exists that allows an\n attacker on the guest to execute arbitrary code on the\n host. (CVE-2017-4903)\n\n - An unspecified flaw exists in memory initialization that\n allows an attacker on the guest to execute arbitrary\n code on the host. (CVE-2017-4904)\n\n - An unspecified flaw exists in memory initialization that\n allows the disclosure of sensitive information.\n (CVE-2017-4905)", "edition": 24, "cvss3": {"score": 8.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-31T00:00:00", "title": "ESXi 6.5 < Build 5224529 Multiple Vulnerabilities (VMSA-2017-0006) (remote check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905"], "modified": "2017-03-31T00:00:00", "cpe": ["x-cpe:/o:vmware:esxi:6.5"], "id": "VMWARE_ESXI_6_5_BUILD_5224529_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/99131", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99131);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/02\");\n\n script_cve_id(\"CVE-2017-4903\", \"CVE-2017-4904\", \"CVE-2017-4905\");\n script_bugtraq_id(97160, 97164, 97165);\n script_xref(name:\"VMSA\", value:\"2017-0006\");\n\n script_name(english:\"ESXi 6.5 < Build 5224529 Multiple Vulnerabilities (VMSA-2017-0006) (remote check)\");\n script_summary(english:\"Checks the ESXi version and build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote VMware ESXi 6.5 host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the remote VMware ESXi 6.5 host is prior to build\n5224529. 
It is, therefore, affected by multiple vulnerabilities :\n\n - A stack memory initialization flaw exists that allows an\n attacker on the guest to execute arbitrary code on the\n host. (CVE-2017-4903)\n\n - An unspecified flaw exists in memory initialization that\n allows an attacker on the guest to execute arbitrary\n code on the host. (CVE-2017-4904)\n\n - An unspecified flaw exists in memory initialization that\n allows the disclosure of sensitive information.\n (CVE-2017-4905)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0006.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply patch ESXi650-201703410-SG according to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-4904\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:vmware:esxi:6.5\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vsphere_detect.nbin\");\n script_require_keys(\"Host/VMware/version\", \"Host/VMware/release\", \"Host/VMware/vsphere\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nver = get_kb_item_or_exit(\"Host/VMware/version\");\nrel = get_kb_item_or_exit(\"Host/VMware/release\");\nport = get_kb_item_or_exit(\"Host/VMware/vsphere\");\n\nif (\"ESXi\" >!< rel) audit(AUDIT_OS_NOT, \"ESXi\");\nif (\"VMware ESXi 6.5\" >!< rel) audit(AUDIT_OS_NOT, \"ESXi 6.5\");\n\nmatch = pregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);\nif (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, \"VMware ESXi\", \"6.5\");\n\nbuild = int(match[1]);\nfixed_build = 5224529;\n\nif (build < fixed_build)\n{\n report = '\\n ESXi version : ' + ver +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fixed_build +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"VMware ESXi\", ver - \"ESXi \" + \" build \" + build);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-22T10:55:14", "description": "The version of VMware Workstation installed on the remote Linux host\nis 12.x prior to 12.5.5. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A heap buffer overflow condition exists due to improper\n validation of certain input. An attacker on the guest\n can exploit this to cause a denial of service condition\n or the execution of arbitrary code on the host.\n (CVE-2017-4902)\n\n - A stack memory initialization flaw exists that allows an\n attacker on the guest to execute arbitrary code on the\n host. (CVE-2017-4903)\n\n - An unspecified flaw exists in memory initialization that\n allows an attacker on the guest to execute arbitrary\n code on the host. 
(CVE-2017-4904)\n\n - An unspecified flaw exists in memory initialization that\n allows the disclosure of sensitive information.\n (CVE-2017-4905)", "edition": 26, "cvss3": {"score": 8.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-30T00:00:00", "title": "VMware Workstation 12.x < 12.5.5 Multiple Vulnerabilities (VMSA-2017-0006) (Linux)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905", "CVE-2017-4902"], "modified": "2017-03-30T00:00:00", "cpe": ["cpe:/a:vmware:workstation"], "id": "VMWARE_WORKSTATION_LINUX_VMSA_2017_0006.NASL", "href": "https://www.tenable.com/plugins/nessus/99104", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99104);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/21\");\n\n script_cve_id(\n \"CVE-2017-4902\",\n \"CVE-2017-4903\",\n \"CVE-2017-4904\",\n \"CVE-2017-4905\"\n );\n script_bugtraq_id(\n 97160,\n 97163,\n 97164,\n 97165\n );\n script_xref(name:\"VMSA\", value:\"2017-0006\");\n\n script_name(english:\"VMware Workstation 12.x < 12.5.5 Multiple Vulnerabilities (VMSA-2017-0006) (Linux)\");\n script_summary(english:\"Checks the VMware Workstation version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization application installed on the remote Linux host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Workstation installed on the remote Linux host\nis 12.x prior to 12.5.5. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A heap buffer overflow condition exists due to improper\n validation of certain input. 
An attacker on the guest\n can exploit this to cause a denial of service condition\n or the execution of arbitrary code on the host.\n (CVE-2017-4902)\n\n - A stack memory initialization flaw exists that allows an\n attacker on the guest to execute arbitrary code on the\n host. (CVE-2017-4903)\n\n - An unspecified flaw exists in memory initialization that\n allows an attacker on the guest to execute arbitrary\n code on the host. (CVE-2017-4904)\n\n - An unspecified flaw exists in memory initialization that\n allows the disclosure of sensitive information.\n (CVE-2017-4905)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0006.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Workstation version 12.5.5 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-4904\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/30\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:workstation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"General\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_workstation_linux_installed.nbin\");\n script_require_keys(\"Host/VMware Workstation/Version\", \"Settings/ParanoidReport\");\n script_exclude_keys(\"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nif (get_kb_item(\"SMB/Registry/Enumerated\")) audit(AUDIT_OS_NOT, \"Linux\", \"Windows\");\n\nversion = get_kb_item_or_exit(\"Host/VMware Workstation/Version\");\n\nfix = '';\nif (version =~ \"^12\\.\") fix = '12.5.5';\n\nif (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n report +=\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"VMware Workstation\", version);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T07:00:24", "description": "The version of VMware Workstation installed on the remote Windows host\nis 12.x prior to 12.5.5. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A heap buffer overflow condition exists due to improper\n validation of certain input. An attacker on the guest\n can exploit this to cause a denial of service condition\n or the execution of arbitrary code on the host.\n (CVE-2017-4902)\n\n - A stack memory initialization flaw exists that allows an\n attacker on the guest to execute arbitrary code on the\n host. (CVE-2017-4903)\n\n - An unspecified flaw exists in memory initialization that\n allows an attacker on the guest to execute arbitrary\n code on the host. 
(CVE-2017-4904)\n\n - An unspecified flaw exists in memory initialization that\n allows the disclosure of sensitive information.\n (CVE-2017-4905)", "edition": 29, "cvss3": {"score": 8.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-30T00:00:00", "title": "VMware Workstation 12.x < 12.5.5 Multiple Vulnerabilities (VMSA-2017-0006)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905", "CVE-2017-4902"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:vmware:workstation"], "id": "VMWARE_WORKSTATION_WIN_VMSA_2017_0006.NASL", "href": "https://www.tenable.com/plugins/nessus/99105", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99105);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-4902\",\n \"CVE-2017-4903\",\n \"CVE-2017-4904\",\n \"CVE-2017-4905\"\n );\n script_bugtraq_id(\n 97160,\n 97163,\n 97164,\n 97165\n );\n script_xref(name:\"VMSA\", value:\"2017-0006\");\n\n script_name(english:\"VMware Workstation 12.x < 12.5.5 Multiple Vulnerabilities (VMSA-2017-0006)\");\n script_summary(english:\"Checks the VMware Workstation version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization application installed on the remote Windows host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Workstation installed on the remote Windows host\nis 12.x prior to 12.5.5. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A heap buffer overflow condition exists due to improper\n validation of certain input. 
An attacker on the guest\n can exploit this to cause a denial of service condition\n or the execution of arbitrary code on the host.\n (CVE-2017-4902)\n\n - A stack memory initialization flaw exists that allows an\n attacker on the guest to execute arbitrary code on the\n host. (CVE-2017-4903)\n\n - An unspecified flaw exists in memory initialization that\n allows an attacker on the guest to execute arbitrary\n code on the host. (CVE-2017-4904)\n\n - An unspecified flaw exists in memory initialization that\n allows the disclosure of sensitive information.\n (CVE-2017-4905)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0006.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Workstation version 12.5.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-4904\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/30\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:workstation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright 
(C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_workstation_detect.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/VMware Workstation\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"install_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\nappname = 'VMware Workstation';\n\ninstall = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);\nversion = install['version'];\npath = install['path'];\n\nfix = '';\nif (version =~ \"^12\\.\") fix = \"12.5.5\";\n\nif (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix + '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T03:30:03", "description": "The version of VMware Fusion installed on the remote macOS or Mac OS X\nhost is 8.x prior to 8.5.6. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A heap buffer overflow condition exists due to improper\n validation of certain input. An attacker on the guest\n can exploit this to cause a denial of service condition\n or the execution of arbitrary code on the host.\n (CVE-2017-4902)\n\n - A stack memory initialization flaw exists that allows an\n attacker on the guest to execute arbitrary code on the\n host. (CVE-2017-4903)\n\n - An unspecified flaw exists in memory initialization that\n allows an attacker on the guest to execute arbitrary\n code on the host. 
(CVE-2017-4904)\n\n - An unspecified flaw exists in memory initialization that\n allows the disclosure of sensitive information.\n (CVE-2017-4905)", "edition": 29, "cvss3": {"score": 8.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-30T00:00:00", "title": "VMware Fusion 8.x < 8.5.6 Multiple Vulnerabilities (VMSA-2017-0006) (macOS)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905", "CVE-2017-4902"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:vmware:fusion"], "id": "MACOSX_FUSION_VMSA_2017_0006.NASL", "href": "https://www.tenable.com/plugins/nessus/99103", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99103);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2017-4902\",\n \"CVE-2017-4903\",\n \"CVE-2017-4904\",\n \"CVE-2017-4905\"\n );\n script_bugtraq_id(\n 97160,\n 97163,\n 97164,\n 97165\n );\n script_xref(name:\"VMSA\", value:\"2017-0006\");\n\n script_name(english:\"VMware Fusion 8.x < 8.5.6 Multiple Vulnerabilities (VMSA-2017-0006) (macOS)\");\n script_summary(english:\"Checks the VMware Fusion version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization application installed on the remote macOS or Mac OS X\nhost is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Fusion installed on the remote macOS or Mac OS X\nhost is 8.x prior to 8.5.6. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A heap buffer overflow condition exists due to improper\n validation of certain input. 
An attacker on the guest\n can exploit this to cause a denial of service condition\n or the execution of arbitrary code on the host.\n (CVE-2017-4902)\n\n - A stack memory initialization flaw exists that allows an\n attacker on the guest to execute arbitrary code on the\n host. (CVE-2017-4903)\n\n - An unspecified flaw exists in memory initialization that\n allows an attacker on the guest to execute arbitrary\n code on the host. (CVE-2017-4904)\n\n - An unspecified flaw exists in memory initialization that\n allows the disclosure of sensitive information.\n (CVE-2017-4905)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0006.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Fusion version 8.5.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-4904\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/30\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:fusion\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script 
is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_fusion_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"installed_sw/VMware Fusion\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"install_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\ninstall = get_single_install(app_name:\"VMware Fusion\", exit_if_unknown_ver:TRUE);\nversion = install['version'];\npath = install['path'];\n\nfix = '';\nif (version =~ \"^8\\.\") fix = '8.5.6';\n\nif (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n report +=\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"VMware Fusion\", version, path);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T15:21:40", "description": "a. ESXi, Workstation, Fusion SVGA memory corruption\n\nESXi, Workstation, Fusion have a heap buffer overflow and\nuninitialized stack memory usage in SVGA. These issues may allow\na guest to execute code on the host.\n\nVMware would like to thank ZDI and Team 360 Security from Qihoo for\nreporting these issues to us.\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the identifiers CVE-2017-4902 (heap issue) and\nCVE-2017-4903 (stack issue) to these issues.\n\nNote: ESXi 6.0 is affected by CVE-2017-4903 but not by CVE-2017-4902.\n\nb. ESXi, Workstation, Fusion XHCI uninitialized memory usage\n\nThe ESXi, Workstation, and Fusion XHCI controller has uninitialized\nmemory usage. 
This issue may allow a guest to execute code on\nthe host. The issue is reduced to a Denial of Service of the guest\non ESXi 5.5.\n\nVMware would like to thank ZDI and Team Sniper from Tencent Security\nfor reporting this issue to us.\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the identifier CVE-2017-4904 to this issue.\n\nc. ESXi, Workstation, Fusion uninitialized memory usage\n\nESXi, Workstation, and Fusion have uninitialized memory usage. This\nissue may lead to an information leak.\n\nVMware would like to thank ZDI and Team Sniper from Tencent Security\nfor reporting this issue to us.\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the identifier CVE-2017-4905 to this issue.", "edition": 40, "cvss3": {"score": 8.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-30T00:00:00", "title": "VMSA-2017-0006 : VMware ESXi, Workstation and Fusion updates address critical and moderate security issues", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905", "CVE-2017-4902"], "modified": "2017-03-30T00:00:00", "cpe": ["cpe:/o:vmware:esxi:6.5", "cpe:/o:vmware:esxi:6.0"], "id": "VMWARE_VMSA-2017-0006.NASL", "href": "https://www.tenable.com/plugins/nessus/99102", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from VMware Security Advisory 2017-0006. 
\n# The text itself is copyright (C) VMware Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99102);\n script_version(\"3.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-4902\", \"CVE-2017-4903\", \"CVE-2017-4904\", \"CVE-2017-4905\");\n script_xref(name:\"VMSA\", value:\"2017-0006\");\n\n script_name(english:\"VMSA-2017-0006 : VMware ESXi, Workstation and Fusion updates address critical and moderate security issues\");\n script_summary(english:\"Checks esxupdate output for the patches\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote VMware ESXi host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"a. ESXi, Workstation, Fusion SVGA memory corruption\n\nESXi, Workstation, Fusion have a heap buffer overflow and\nuninitialized stack memory usage in SVGA. These issues may allow\na guest to execute code on the host.\n\nVMware would like to thank ZDI and Team 360 Security from Qihoo for\nreporting these issues to us.\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the identifiers CVE-2017-4902 (heap issue) and\nCVE-2017-4903 (stack issue) to these issues.\n\nNote: ESXi 6.0 is affected by CVE-2017-4903 but not by CVE-2017-4902.\n\nb. ESXi, Workstation, Fusion XHCI uninitialized memory usage\n\nThe ESXi, Workstation, and Fusion XHCI controller has uninitialized\nmemory usage. This issue may allow a guest to execute code on\nthe host. The issue is reduced to a Denial of Service of the guest\non ESXi 5.5.\n\nVMware would like to thank ZDI and Team Sniper from Tencent Security\nfor reporting this issue to us.\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the identifier CVE-2017-4904 to this issue.\n\nc. 
ESXi, Workstation, Fusion uninitialized memory usage\n\nESXi, Workstation, and Fusion have uninitialized memory usage. This\nissue may lead to an information leak.\n\nVMware would like to thank ZDI and Team Sniper from Tencent Security\nfor reporting this issue to us.\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the identifier CVE-2017-4905 to this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.vmware.com/pipermail/security-announce/2017/000373.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply the missing patches.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:6.5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"VMware ESX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/VMware/release\", \"Host/VMware/version\");\n script_require_ports(\"Host/VMware/esxupdate\", \"Host/VMware/esxcli_software_vibs\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"vmware_esx_packages.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/VMware/release\")) audit(AUDIT_OS_NOT, \"VMware ESX / ESXi\");\nif (\n !get_kb_item(\"Host/VMware/esxcli_software_vibs\") &&\n !get_kb_item(\"Host/VMware/esxupdate\")\n) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ninit_esx_check(date:\"2017-03-28\");\nflag = 0;\n\n\nif (esx_check(ver:\"ESXi 6.0\", vib:\"VMware:esx-base:6.0.0-3.58.5224934\")) flag++;\nif (esx_check(ver:\"ESXi 6.0\", vib:\"VMware:vsan:6.0.0-3.58.5224737\")) flag++;\nif (esx_check(ver:\"ESXi 6.0\", vib:\"VMware:vsanhealth:6.0.0-3000000.3.0.3.58.5224738\")) flag++;\n\nif (esx_check(ver:\"ESXi 6.5\", vib:\"VMware:esx-base:6.5.0-0.15.5224529\")) flag++;\nif (esx_check(ver:\"ESXi 6.5\", vib:\"VMware:vsan:6.5.0-0.15.5224529\")) flag++;\nif (esx_check(ver:\"ESXi 6.5\", vib:\"VMware:vsanhealth:6.5.0-0.15.5224529\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-07-17T14:20:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905", "CVE-2017-4902"], "description": "The host is installed with VMware\n Workstation and is prone to information disclosure and multiple code\n execution vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2017-07-03T00:00:00", "id": "OPENVAS:1361412562310810970", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310810970", "type": "openvas", "title": "VMware Workstation Code Execution And Information Disclosure Vulnerabilities (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMware Workstation Code Execution And Information Disclosure Vulnerabilities (Linux)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:vmware:workstation\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810970\");\n script_version(\"2019-07-05T09:29:25+0000\");\n script_cve_id(\"CVE-2017-4902\", \"CVE-2017-4903\", \"CVE-2017-4904\", \"CVE-2017-4905\");\n script_bugtraq_id(97163, 97160, 97165, 97164);\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:29:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-07-03 15:15:42 +0530 (Mon, 03 Jul 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"VMware 
Workstation Code Execution And Information Disclosure Vulnerabilities (Linux)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with VMware\n Workstation and is prone to information disclosure and multiple code\n execution vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - A heap buffer overflow and uninitialized stack memory usage in SVGA.\n\n - An uninitialized memory usage in XHCI controller.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a\n guest to execute code on the host and may also lead to information leak.\");\n\n script_tag(name:\"affected\", value:\"VMware Workstation 12.x before 12.5.5 on\n Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VMware Workstation version\n 12.5.5 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0006.html\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"VMware/Workstation/Linux/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmwareVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(vmwareVer =~ \"^12\\.\")\n{\n if(version_is_less(version:vmwareVer, test_version:\"12.5.5\"))\n {\n report = report_fixed_ver(installed_version:vmwareVer, fixed_version:\"12.5.5\");\n security_message(data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:21:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905", "CVE-2017-4902"], "description": "The host is installed with VMware Fusion\n 
and is prone to information disclosure and multiple code execution\n vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2017-07-03T00:00:00", "id": "OPENVAS:1361412562310810968", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810968", "type": "openvas", "title": "VMware Fusion Code Execution And Information Disclosure Vulnerabilities (Mac OS X)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMware Fusion Code Execution And Information Disclosure Vulnerabilities (Mac OS X)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:vmware:fusion\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810968\");\n script_version(\"2019-07-05T09:29:25+0000\");\n script_cve_id(\"CVE-2017-4902\", \"CVE-2017-4903\", \"CVE-2017-4904\", \"CVE-2017-4905\");\n script_bugtraq_id(97163, 97160, 97165, 97164);\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:29:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-07-03 15:15:42 +0530 (Mon, 03 Jul 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"VMware Fusion Code Execution And Information Disclosure Vulnerabilities (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with VMware Fusion\n and is prone to information disclosure and multiple code execution\n vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - A heap buffer overflow and uninitialized stack memory usage in SVGA.\n\n - An uninitialized memory usage in XHCI controller.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a\n guest to execute code on the host and may also lead to information leak.\");\n\n script_tag(name:\"affected\", value:\"VMware Fusion 8.x before 8.5.6 on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VMware Fusion version 8.5.6 or later.\");\n\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0006.html\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"secpod_vmware_fusion_detect_macosx.nasl\");\n script_mandatory_keys(\"VMware/Fusion/MacOSX/Version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmwareVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(vmwareVer =~ \"^8\\.\")\n{\n if(version_is_less(version:vmwareVer, test_version:\"8.5.6\"))\n {\n report = report_fixed_ver(installed_version:vmwareVer, fixed_version:\"8.5.6\");\n security_message(data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:20:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905", "CVE-2017-4902"], "description": "The host is installed with VMware Workstation\n and is prone to information disclosure and multiple code execution\n vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2017-07-03T00:00:00", "id": "OPENVAS:1361412562310810969", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810969", "type": "openvas", "title": "VMware Workstation Code Execution And Information Disclosure Vulnerabilities (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMware Workstation Code Execution And Information Disclosure Vulnerabilities (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software 
Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:vmware:workstation\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810969\");\n script_version(\"2019-07-05T09:29:25+0000\");\n script_cve_id(\"CVE-2017-4902\", \"CVE-2017-4903\", \"CVE-2017-4904\", \"CVE-2017-4905\");\n script_bugtraq_id(97163, 97160, 97165, 97164);\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:29:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-07-03 15:15:42 +0530 (Mon, 03 Jul 2017)\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_name(\"VMware Workstation Code Execution And Information Disclosure Vulnerabilities (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with VMware Workstation\n and is prone to information disclosure and multiple code execution\n vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - A heap buffer overflow and uninitialized stack memory usage in SVGA.\n\n - An uninitialized memory usage in XHCI controller.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a\n guest to execute code on the host and may also lead to information leak.\");\n\n 
script_tag(name:\"affected\", value:\"VMware Workstation 12.x before 12.5.5 on\n Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VMware Workstation version\n 12.5.5 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0006.html\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_win.nasl\");\n script_mandatory_keys(\"VMware/Workstation/Installed\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmwareVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(vmwareVer =~ \"^12\\.\")\n{\n if(version_is_less(version:vmwareVer, test_version:\"12.5.5\"))\n {\n report = report_fixed_ver(installed_version:vmwareVer, fixed_version:\"12.5.5\");\n security_message(data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-19T15:53:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905", "CVE-2017-4902"], "description": "VMware ESXi updates address critical and moderate\n security issues.", "modified": "2019-12-18T00:00:00", "published": "2017-03-31T00:00:00", "id": "OPENVAS:1361412562310140230", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140230", "type": "openvas", "title": "VMware ESXi updates address critical and moderate security issues (VMSA-2017-0006)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMSA-2017-0006: VMware ESXi updates address critical and moderate security issues\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# 
modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140230\");\n script_cve_id(\"CVE-2017-4902\", \"CVE-2017-4903\", \"CVE-2017-4904\", \"CVE-2017-4905\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2019-12-18T11:13:08+0000\");\n script_name(\"VMware ESXi updates address critical and moderate security issues (VMSA-2017-0006)\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2017-0006.html\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if the target host is missing one or more patch(es).\");\n\n script_tag(name:\"solution\", value:\"Apply the missing patch(es).\");\n\n script_tag(name:\"summary\", value:\"VMware ESXi updates address critical and moderate\n security issues.\");\n\n script_tag(name:\"insight\", value:\"ESXi has a heap buffer overflow and uninitialized stack memory usage in SVGA.\n These issues may allow a guest to execute code on the host.\");\n\n script_tag(name:\"last_modification\", value:\"2019-12-18 11:13:08 +0000 (Wed, 18 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-31 10:40:50 +0200 (Fri, 31 Mar 2017)\");\n script_tag(name:\"qod_type\", value:\"package\");\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_esxi_init.nasl\");\n script_mandatory_keys(\"VMware/ESXi/LSC\", \"VMware/ESX/version\");\n\n exit(0);\n}\n\ninclude(\"vmware_esx.inc\");\ninclude(\"version_func.inc\");\n\nif(!get_kb_item(\"VMware/ESXi/LSC\"))\n exit(0);\n\nif(!esxVersion = get_kb_item(\"VMware/ESX/version\"))\n exit(0);\n\npatches = make_array(\"6.0.0\", \"VIB:esx-base:6.0.0-3.58.5224934\",\n \"6.5.0\", \"VIB:esx-base:6.5.0-0.15.5224529\");\n\nif(!patches[esxVersion])\n exit(99);\n\nif(report = esxi_patch_missing(esxi_version:esxVersion, patch:patches[esxVersion])) {\n security_message(port:0, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905", "CVE-2017-4902"], "description": "VMware ESXi, Workstation and Fusion updates address critical and moderate\nsecurity issues.\n\nESXi has a heap buffer overflow and uninitialized stack memory usage in SVGA. 
These issues may allow a guest to execute code on the host.", "modified": "2018-10-12T00:00:00", "published": "2017-03-31T00:00:00", "id": "OPENVAS:1361412562310140231", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140231", "type": "openvas", "title": "VMSA-2017-0006: VMware ESXi updates address critical and moderate security issues (remote check)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_VMSA-2017-0006_remote.nasl 11863 2018-10-12 09:42:02Z mmartin $\n#\n# VMSA-2017-0006: VMware ESXi updates address critical and moderate security issues (remote check)\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140231\");\n script_cve_id(\"CVE-2017-4902\", \"CVE-2017-4903\", \"CVE-2017-4904\", \"CVE-2017-4905\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 11863 $\");\n\n script_name(\"VMSA-2017-0006: VMware ESXi updates address critical and moderate security issues (remote check)\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2017-0006.html\");\n script_tag(name:\"vuldetect\", value:\"Check the build number\");\n\n script_tag(name:\"solution\", value:\"Apply the missing patch(es).\");\n\n script_tag(name:\"summary\", value:\"VMware ESXi, Workstation and Fusion updates address critical and moderate\nsecurity issues.\n\nESXi has a heap buffer overflow and uninitialized stack memory usage in SVGA. These issues may allow a guest to execute code on the host.\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 11:42:02 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-31 10:54:50 +0200 (Fri, 31 Mar 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_esx_web_detect.nasl\");\n script_mandatory_keys(\"VMware/ESX/build\", \"VMware/ESX/version\");\n\n exit(0);\n\n}\n\ninclude(\"vmware_esx.inc\");\n\nif( ! 
esxVersion = get_kb_item( \"VMware/ESX/version\" ) ) exit( 0 );\nif( ! esxBuild = get_kb_item( \"VMware/ESX/build\" ) ) exit( 0 );\n\nfixed_builds = make_array( \"6.0.0\", \"5224934\",\n \"6.5.0\", \"5224529\");\n\n\nif( ! fixed_builds[esxVersion] ) exit( 0 );\n\nif( int( esxBuild ) < int( fixed_builds[esxVersion] ) )\n{\n security_message( port:0, data: esxi_remote_report( ver:esxVersion, build: esxBuild, fixed_build: fixed_builds[esxVersion] ) );\n exit(0);\n}\n\nexit( 99 );\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:53", "bulletinFamily": "info", "cvelist": ["CVE-2017-4902", "CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905"], "description": "VMware on Tuesday patched a series of vulnerabilities uncovered earlier this month at Pwn2Own. The flaws enabled an attacker to execute code on a workstation and carry out a virtual machine escape to attack a host server.\n\nMonty Ijzerman, manager of the company\u2019s Security Response Center, confirmed that VMware had [pushed patches](<https://blogs.vmware.com/security/2017/03/vmware-workstation-target-pwn2own-2017.html>) for the bugs, critical and moderate issues in its ESXi, VMware Workstation, and VMware Fusion products.\n\nTwo groups, Qihoo\u2019s 360 Security and Tencent Security\u2019s Team Sniper, used the bugs to exploit the company\u2019s Workstation hypervisor on the last day of the hacking challenge, [two weeks ago](<https://threatpost.com/vm-escape-earns-hackers-105k-at-pwn2own/124397/>), in Vancouver.\n\nmj011sec, a hacker with 360 Security, chained together a type confusion bug in Edge, a Windows kernel bug and an uninitialized buffer in VMware for his exploit, a complete virtual machine escape. Team Sniper, comprised of hackers from China\u2019s Keen Lab and PC Manager, used a Windows kernel bug and two VMware bugs\u2013an info leak and an uninitialized buffer\u2013to go guest-to-host on their machine. 
The teams collectively earned $205,000 for their exploits.\n\nIt was the first time one team, let alone two, was able to successfully exploit the platform. The Zero Day Initiative and Trend Micro, Pwn2Own sponsors, upped the reward for an escape from $75,000 to $100,000 this year after no one targeted Workstation in 2016.\n\nAccording to [a security advisory](<http://www.vmware.com/security/advisories/VMSA-2017-0006.html>) posted by VMware, 360 Security technically exploited a heap buffer overflow (CVE-2017-4902) and uninitialized stack memory usage vulnerability (CVE-2017-4903) in SVGA, a virtual graphics driver in the hypervisor. The issue that Team Sniper managed to exploit was an uninitialized memory usage vulnerability (CVE-2017-4904) in ESXi, Workstation, and Fusion XHCI. A similar uninitialized memory usage vulnerability (CVE-2017-4905) could have led to an information leak on ESXi, Workstation, and Fusion. All of the vulnerabilities, as the teams demonstrated, could have allowed a guest to execute code on the host.\n\nVMware was transparent about the vulnerabilities after they popped up at Pwn2Own.\n\nThe company knew going into the competition that Workstation was a target and acknowledged during the contest that its researchers were investigating the issues after receiving details around them from ZDI, 360 Security, and Team Sniper. 
The patches took about two weeks to deploy because the company knew the vulnerabilities affected Workstation but were unsure how they affected ESXi and Fusion.\n\nIjzerman says the company is encouraging its customers to expedite updating but stresses that \u201cemergency measures like taking environments offline are not called for.\u201d\n\nIt\u2019s the fifth time this month that VMware has pushed out patches for its customers and the second time this month it\u2019s pushed out an update for Workstation and Fusion.\n\nThe company, [just two weeks ago](<http://www.vmware.com/security/advisories/VMSA-2017-0004.html>), released an update for several of its products to resolve a publicized [remote code execution vulnerability in Apache Struts 2](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>). The open source extensible framework figures into VMware\u2019s Horizon Desktop as-a-Service Platform, vCenter Server, Operations Manager, and Hyperic Server.\n", "modified": "2017-03-29T16:00:04", "published": "2017-03-29T12:00:04", "id": "THREATPOST:3D162321CB4C6E332F1149049550639B", "href": "https://threatpost.com/vmware-patches-pwn2own-vm-escape-vulnerabilities/124629/", "type": "threatpost", "title": "VMware Patches Pwn2Own VM Escape Vulnerabilities", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "vmware": [{"lastseen": "2019-11-06T16:05:27", "bulletinFamily": "unix", "cvelist": ["CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905", "CVE-2017-4902"], "description": "**a. ESXi, Workstation, Fusion SVGA memory corruption \n**\n\nESXi, Workstation, Fusion have a heap buffer overflow and uninitialized stack memory usage in SVGA. These issues may allow a guest to execute code on the host. \n\n\nVMware would like to thank ZDI and Team 360 Security from Qihoo for reporting these issues to us. 
\n \n\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-4902 (heap issue) and CVE-2017-4903 (stack issue) to these issues.\n\n \n**Note: ESXi 6.0 is affected by CVE-2017-4903 but not by CVE-2017-4902.**\n\n \nColumn 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. \n\n", "edition": 5, "modified": "2017-03-28T00:00:00", "published": "2017-03-28T00:00:00", "id": "VMSA-2017-0006", "href": "https://www.vmware.com/security/advisories/VMSA-2017-0006.html", "title": "VMware ESXi, Workstation and Fusion updates address critical and moderate security issues", "type": "vmware", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}