BugTraq
CVE-2017-4918: Code Injection in VMware Horizonâ??s macOS Client Jul 10 2017 08:30PM
Florian Bogner (florian bogner sh)
CVE-2017-4918: Code Injection in VMware Horizonâ??s macOS Client

Metadata
===================================================
Release Date: 10-July-2017
Author: Florian Bogner // https://bogner.sh
Affected product: VMware Horizonâ??s macOS Client
Fixed in: Version 4.5
Tested on: OS X El Capitan 10.11.6
CVE: CVE-2017-4918
URL: https://bogner.sh/2017/07/cve-2017-4918-code-injection-in-vmware-horizon
s-macos-client/
Vulnerability Status: Fixed

Product Description
===================================================
VMware Horizon 7 is the leading platform for virtual desktops and applications.
Provide end users access to all of their virtual desktops, applications, and online services through a single digital workspace.

Vulnerability Description
===================================================
An issue within a shell script of VMware Horizon's macOS client could be abused to load arbitrary kernel extensions. In detail, this was possible because a user modifiable environment variable was used to build the command line for a highly privileged command.

Further technical details can be found on my blog: https://bogner.sh/2017/07/cve-2017-4918-code-injection-in-vmware-horizon
s-macos-client/

Suggested Solution
===================================================
Update to the latest version (fixed in 4.5)

Disclosure Timeline
===================================================
21-04-2017: The issues has been documented and reported
24-04-2017: VMware started investigating
06-06-2017: Fix ready
08-06-2017: Updated Horizon version 4.5 alongside security advisory VMSA-2017-0011 released

Florian Bogner

eMail: florian (at) bogner (dot) sh [email concealed]
Web: http://www.bogner.sh
LinkedIn: https://www.linkedin.com/profile/view?id=368904276
Xing: https://www.xing.com/profile/Florian_Bogner9
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJZY+PeAAoJEF2taLX4q+obeMEQALBzOP4X6zV140FZxtYOvU+m
v6CkrdPSCDt1Wyw8GqxTXEvRp4qWp5+j7zoUw0XekglMqdN+vJZweLBunONiAERI
x9JOSW4z8L2x0NETFRkaMuDKGuXEyDwOx3iG8TXqb56KbRsF1X5fLevo5jPylvNJ
2fXdot2h0KSe/EXCzApxrqsItubl5ssmBdbIsKbVOCkMvsh87TPcKjbsi8Sl855j
ZIcU3Ea9JqHXkHVC8S1yVf7wWkkBn7ge8CU4PTFdMHNwm7j1ZNGQ9duxc4PPMJ3o
sM06gv/JBJj1fR4g1nz02UrsF9yG6fnQtKmO+0BhGdDJIqmlBR5SKbtILbLR92AH
UOrlDAbYjejaUXuBGZuKoNqfPiTRsKs1T5HIX79+28Q4cSIINji1lnhoUsbeCHGL
Af/fJ3/EvISmTHTVvc9oPN/G4lFbBE+YdDYc7tb57eBKkgFq6ZDnatIOKYayANDV
f9UdU0QenJZ22Hxe5YXEQ/pmFrG8X8AQNNyHnvFqjgqDLG/H7BUQd04ksz99utq5
8wEdJE4rShOALJkZ5cvzIW514aqxKmPfm5WckEi1sIeCGkM5gjOgYpHiMA30MJEx
t1Eeb8nlD0fyhtV6AJs/DOluBXHbSP2dFyxJNmjNKGFz9sgCsAeg06kZyIUnOYVT
GPP6JTszATKhT1DcUO2G
=gibS
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus