VMware Horizon's macOS Client Code Injection

Risk: Medium
Local: Yes
Remote: No

CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

CVE-2017-4918: Code Injection in VMware Horizon's macOS Client

Metadata
===================================================
Release Date: 10-July-2017
Author: Florian Bogner // https://bogner.sh
Affected product: VMware Horizon's macOS Client
Fixed in: Version 4.5
Tested on: OS X El Capitan 10.11.6
CVE: CVE-2017-4918
URL: https://bogner.sh/2017/07/cve-2017-4918-code-injection-in-vmware-horizons-macos-client/
Vulnerability Status: Fixed

Product Description
===================================================
VMware Horizon 7 is the leading platform for virtual desktops and applications. Provide end users access to all of their virtual desktops, applications, and online services through a single digital workspace.

Vulnerability Description
===================================================
An issue within a shell script of VMware Horizon's macOS client could be abused to load arbitrary kernel extensions. In detail, this was possible because a user-modifiable environment variable was used to build the command line for a highly privileged command.

Further technical details can be found on my blog: https://bogner.sh/2017/07/cve-2017-4918-code-injection-in-vmware-horizons-macos-client/

Suggested Solution
===================================================
Update to the latest version (fixed in 4.5)

Disclosure Timeline
===================================================
21-04-2017: The issue has been documented and reported
24-04-2017: VMware started investigating
06-06-2017: Fix ready
08-06-2017: Updated Horizon version 4.5 alongside security advisory VMSA-2017-0011 released

Florian Bogner
eMail: florian@bogner.sh
Web: http://www.bogner.sh
LinkedIn: https://www.linkedin.com/profile/view?id=368904276
Xing: https://www.xing.com/profile/Florian_Bogner9
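The pattern named in the Vulnerability Description, shown beside a hardened form, as an added example that is not code from the advisory or from VMware. `INSTALL_ROOT`, `HELPER_DIR`, `helper.bundle` and `load-helper` are hypothetical names; the functions only print the command line they would build.

```shell
#!/bin/sh
# Constructed example: INSTALL_ROOT, HELPER_DIR and "load-helper" are
# hypothetical names, not taken from the VMware script. Commands are only
# printed, never executed.

INSTALL_ROOT="/Applications/Example.app/Contents/Library"  # fixed at install time

# Pattern from the advisory: the argument of a command that later runs with
# elevated privileges is built from a variable the calling user can set.
build_cmd_unsafe() {
    printf '%s\n' "load-helper ${HELPER_DIR:-$INSTALL_ROOT}/helper.bundle"
}

# Hardened form: the path comes only from the root the caller passes in
# (in a real script, the INSTALL_ROOT constant), never from the environment,
# and the target is rejected if it is a symlink or group/world-writable.
build_cmd_safe() {
    target="$1/helper.bundle"
    [ -d "$target" ] || return 1
    [ ! -L "$target" ] || return 1
    if [ -n "$(find "$target" -prune \( -perm -020 -o -perm -002 \))" ]; then
        return 1
    fi
    printf '%s\n' "load-helper $target"
}

# Demo: the unsafe builder follows whatever the caller exported.
( HELPER_DIR=/tmp/user-writable; build_cmd_unsafe )
```

A production check would also verify that the target and every parent directory are owned by root before the privileged command runs.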




Copyright 2018, cxsecurity.com

