UPDATE 03/15/2018: Added details for Talos-2017-0376/CVE-2018-6957 which has been recently patched.
Today, Talos is disclosing a pair of vulnerabilities in the VNC implementation used in VMWare's products that could result in code execution. VMWare implements VNC for its remote management, remote access, and automation purposes in VMWare products including Workstation, Player, and ESXi which share a common VMW VNC code base. The vulnerabilities manifest themselves in a way that would allow an attacker to initiate of VNC session causing the vulnerabilities to be triggered. Talos has coordinated with VMWare to ensure the issue was disclosed responsibly and patched by the vendor. Additionally, Talos has developed Snort signatures that can detect attempts to exploit these vulnerabilities.
These vulnerabilities were identified using the recently released Decept Proxy and Mutiny Fuzzers. By utilizing these tools fuzzing was quickly able to take place by generating VNC traffic, feeding it through the Decept Proxy, and finally fuzzing the resulting .fuzzer file via Mutiny. This all occurs without knowing anything about the VMWare specific protocol extensions. For more details about the Decept Proxy and Mutiny Fuzzers see our recent blog.
Vulnerability Details
Discovered by Lilith Wyatt <(^_^)> of Cisco Talos
TALOS-2017-0368
TALOS-2017-0368/CVE-2017-4933 is a code execution vulnerability residing in the remote management functionality of VMWare. Along with the standard VNC messages that all VNC server are required to support VMWare uses a custom and proprietary VNC extension that implements new VNC features and also reworks some standard ones. This vulnerability lies in one of these new features, VNWDynResolution, specifically in the VMWDynResolution request. This VMWDynResolution request is one of the few requests that causes the VNC server to read in a user-supplied data. The vulnerability resides in the way the VNC server handles this data and results in a heap corruption that can lead to code execution.
For more technical details, please read our advisory here.
TALOS-2017-0369
TALOS-2017-0369/CVE-2017-4941 is a code execution vulnerability residing in the remote management functionality of VMWare. As specified in the RFB protocol all VNC servers have to support a standard set of VNC messages. It is in this set of message that the vulnerability resides. The relevant messages are VncPointerEvent, VncSetPixelFormat, and VncFrameBufferUpdateRequest. This bug involves asking the VNC server to create a frame buffer (i.e. screenshot) in memory, changing the image format of that buffer to non-Truecolor (i.e. palette-based), and then causing a cursor to be re-rendered upon that buffer. As is a type confusion in the image format of the frame buffer and the cursor, it triggers a chain of events that leads to a high value being written into the cursors PNG infoStuct eventually leading to a loop of reads and writes to the stack resulting in an overflow.
For more technical details, please read our advisory here.
TALOS-2017-0376
TALOS-2017-0376/CVE-2018-6957 is a denial of service vulnerability residing in the remote management functionality of VMWare. VMWare's VNC server is multithreaded and there are locks, semaphores, and mutexes to deal with shared variables, including a global variable that indicates the amount of locks that are currently used. The implementation of this variable is where the flaw exists. The variable can only be incremented, not decremented, and as such an attacker that can initiate a large amount of TCP connections to the VNC server will eventually cause the connected virtual machine to shut down leading to a denial of service condition.
For more technical details, please read our advisory here.
Coverage
Talos has developed the following Snort rules to detect attempts to exploit these vulnerabilities. Note that these rules are subject to change pending additional vulnerability information. For the most current information, please visit your Firepower Management Center or Snort.org.
Snort Rules: 43483-43486
For other vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal: http://www.talosintelligence.com/vulnerability-reports/
To review our Vulnerability Disclosure Policy, please visit this site:
http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html