[cv-announce-l] VMware Out-of-bounds write vulnerability in SVGA (CVE-2017-4924)
- From: Warren Raquel <wraquel@illinois.edu>
- To: <cv-announce@trustedci.org>
- Subject: [cv-announce-l] VMware Out-of-bounds write vulnerability in SVGA (CVE-2017-4924)
- Date: Thu, 21 Sep 2017 15:00:41 -0500
CI Operators:
VMware ESXi, Workstation and Fusion contain an out-of-bounds write
vulnerability in the SVGA device. This issue may allow a guest to execute code
on the host.
An attacker must already have low-level access within a guest system to
leverage this vulnerability, which lies in a legacy SVGA driver. Severity will
vary depending on your environment; however, VMware has rated this Critical
due to the potential impact. Currently we have heard of no reported proofs of
concept in the wild as of this notification.
Impact:
Due to this vulnerability, it is possible for an attacker with appropriate
access to a guest virtual machine to execute code on the hypervisor host
itself.
Affected Systems:
* ESXi 6.5
* Workstation 12.x
* Fusion 8.x
Mitigation/Resolution:
If you host virtual machines that allow untrusted users or processes to run,
you may wish to consider patching as soon as possible. We recommend patching
as soon as you can, and certainly within your next patching cycle. VMware has
already supplied patches/upgrades to resolve this issue:
* ESXi 6.5 - ESXi650-201707101-SG
* Workstation 12.5.7
* Fusion 8.5.8
References:
* https://www.vmware.com/security/advisories/VMSA-2017-0015.html
* https://www.us-cert.gov/ncas/current-activity/2017/09/15/VMware-Releases-Security-Updates
* https://nakedsecurity.sophos.com/2017/09/21/critical-vmware-vulnerability-patch-and-update-now/
* http://www.zerodayinitiative.com/advisories/ZDI-17-738/
How CTSC can help:
The potential impact of any vulnerability, and therefore the appropriate
response, depends in part on operational conditions that are unique to each
cyberinfrastructure deployment. CTSC cannot provide a one-size-fits-all
severity rating and response recommendation for all NSF cyberinfrastructure.
Please contact us (http://trustedci.org/help/) if you need assistance with
assessing the potential impact of this vulnerability in your environment
and/or you have additional information about this issue that should be shared
with the community.
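The message above names the fixed ESXi patch bulletin (ESXi650-201707101-SG) but gives no way to check a host. The POSIX shell script below is an added example, not part of Warren Raquel's message or of VMware's advisory: it parses the output of `esxcli system version get` on an ESXi host and compares the build number against the first fixed build. It assumes the "Build: Releasebuild-NNNNNNN" output line format and that ESXi650-201707101-SG corresponds to build 5969303; verify that number against the VMware patch bulletin before relying on it. The two sample outputs are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: check whether an ESXi 6.5 host carries the fix for
# CVE-2017-4924 (VMSA-2017-0015). Not code from the original message.
#
# Assumptions (verify against the VMware patch bulletin):
#   - `esxcli system version get` prints a line "Build: Releasebuild-NNNNNNN"
#   - patch bulletin ESXi650-201707101-SG corresponds to build 5969303
MIN_FIXED_BUILD=5969303

# esxi_build CAPTURED_OUTPUT
# Extract the numeric build from captured `esxcli system version get` output.
# Prints nothing if no Releasebuild line is found.
esxi_build() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Build:[[:space:]]*Releasebuild-\([0-9][0-9]*\).*/\1/p'
}

# check_cve_2017_4924 CAPTURED_OUTPUT
# Exit status: 0 = fixed build or later, 1 = older build (vulnerable),
# 2 = build number could not be parsed. A one-line verdict is printed.
check_cve_2017_4924() {
    build=$(esxi_build "$1")
    if [ -z "$build" ]; then
        echo "unknown: could not parse build number from esxcli output"
        return 2
    fi
    if [ "$build" -ge "$MIN_FIXED_BUILD" ]; then
        echo "patched: build $build >= $MIN_FIXED_BUILD"
        return 0
    fi
    echo "vulnerable: build $build < $MIN_FIXED_BUILD (apply ESXi650-201707101-SG)"
    return 1
}

# Constructed sample outputs (not captured from real hosts): one pre-fix
# ESXi 6.5 build and one at the assumed fixed build.
SAMPLE_OLD='   Product: VMware ESXi
   Version: 6.5.0
   Build: Releasebuild-5310538'
SAMPLE_NEW='   Product: VMware ESXi
   Version: 6.5.0
   Build: Releasebuild-5969303'

# On a real host, run instead:
#   check_cve_2017_4924 "$(esxcli system version get)"
check_cve_2017_4924 "$SAMPLE_OLD"
check_cve_2017_4924 "$SAMPLE_NEW"
```

The script only reports the ESXi build; it does not inspect Workstation or Fusion, where the fixed versions are 12.5.7 and 8.5.8 respectively, and a host on a later 6.5 release is reported as patched only because later builds include this bulletin, which is why the fixed build number must be confirmed before use.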