Vulnerability Name:

CVE-2017-4941 (CCN-136594)

Assigned:2016-12-26
Published:2017-12-19
Updated:2022-02-03
Summary:VMware ESXi (6.0 before ESXi600-201711101-SG, 5.5 ESXi550-201709101-SG), Workstation (12.x before 12.5.8), and Fusion (8.x before 8.5.9) contain a vulnerability that could allow an authenticated VNC session to cause a stack overflow via a specific set of VNC packets. Successful exploitation of this issue could result in remote code execution in a virtual machine via the authenticated VNC session.
Note: In order for exploitation to be possible in ESXi, VNC must be manually enabled in a virtual machine's .vmx configuration file. In addition, ESXi must be configured to allow VNC traffic through the built-in firewall.
CVSS v3 Severity:8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:6.0 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-119
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2017-4941

Source: CCN
Type: SECTRACK ID: 1040024
VMware ESXi Buffer Overflows in Processing VNC Packets Let Remote Authenticated Users Execute Arbitrary Code and an Input Validation Flaw in the Host Client Lets Remote Users Conduct Cross-Site Scripting Attacks

Source: CCN
Type: SECTRACK ID: 1040025
VMware Workstation and Fusion Buffer Overflows in Processing VNC Packets Let Remote Authenticated Users Execute Arbitrary Code

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1040024

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1040025

Source: XF
Type: UNKNOWN
vmware-cve20174941-bo(136594)

Source: CCN
Type: Talos Vulnerability Report TALOS-2017-0369
VMware VNC Pointer Decode Code Execution Vulnerability

Source: CCN
Type: VMware Security Advisory VMSA-2017-0021
VMware ESXi, vCenter Server Appliance, Workstation and Fusion updates address multiple security vulnerabilities

Source: CONFIRM
Type: Issue Tracking, Patch, Vendor Advisory
https://www.vmware.com/security/advisories/VMSA-2017-0021.html

Vulnerable Configuration:Configuration 1:
  • cpe:/a:vmware:fusion:*:*:*:*:*:*:*:* (Version >= 8.0.0 and < 8.5.9)
  • AND
  • cpe:/o:apple:mac_os_x:-:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/a:vmware:workstation:*:*:*:*:*:*:*:* (Version >= 12.0.0 and < 12.5.8)

    • Configuration 3:
  • cpe:/o:vmware:esxi:5.5:-:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:5.5:550-20170901001s:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:5.5:550-20170904001:*:*:*:*:*:*

    • Configuration 4:
  • cpe:/o:vmware:esxi:6.0:-:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:1:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:1a:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:1b:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:2:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:3:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:3a:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201504401:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201505401:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201507101:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201507102:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201507401:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201507402:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201507403:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201507404:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201507405:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201507406:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201507407:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201509101:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201509102:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201509201:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201509202:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201509203:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201509204:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201509205:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201509206:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201509207:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201509208:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201509209:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201509210:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201510401:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201511401:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201601101:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201601102:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201601401:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201601402:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201601403:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201601404:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201601405:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201602401:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201603101:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201603102:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201603201:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201603202:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201603203:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201603204:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201603205:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201603206:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201603207:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201603208:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201605401:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201608101:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201608401:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201608402:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201608403:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201608404:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201608405:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201610410:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201611401:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201611402:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201611403:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201702101:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201702102:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201702201:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201702202:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201702203:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201702204:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201702205:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201702206:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201702207:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201702208:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201702209:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201702210:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201702211:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201702212:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201703401:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201706101:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201706102:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201706103:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201706401:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201706402:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201706403:*:*:*:*:*:*
  • OR cpe:/o:vmware:esxi:6.0:600-201710301:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:vmware:esxi:6.5:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:workstation:12.5.6:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:fusion:8.5.7:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    vmware fusion *
    apple mac os x -
    vmware workstation *
    vmware esxi 5.5 -
    vmware esxi 5.5 550-20170901001s
    vmware esxi 5.5 550-20170904001
    vmware esxi 6.0 -
    vmware esxi 6.0 1
    vmware esxi 6.0 1a
    vmware esxi 6.0 1b
    vmware esxi 6.0 2
    vmware esxi 6.0 3
    vmware esxi 6.0 3a
    vmware esxi 6.0 600-201504401
    vmware esxi 6.0 600-201505401
    vmware esxi 6.0 600-201507101
    vmware esxi 6.0 600-201507102
    vmware esxi 6.0 600-201507401
    vmware esxi 6.0 600-201507402
    vmware esxi 6.0 600-201507403
    vmware esxi 6.0 600-201507404
    vmware esxi 6.0 600-201507405
    vmware esxi 6.0 600-201507406
    vmware esxi 6.0 600-201507407
    vmware esxi 6.0 600-201509101
    vmware esxi 6.0 600-201509102
    vmware esxi 6.0 600-201509201
    vmware esxi 6.0 600-201509202
    vmware esxi 6.0 600-201509203
    vmware esxi 6.0 600-201509204
    vmware esxi 6.0 600-201509205
    vmware esxi 6.0 600-201509206
    vmware esxi 6.0 600-201509207
    vmware esxi 6.0 600-201509208
    vmware esxi 6.0 600-201509209
    vmware esxi 6.0 600-201509210
    vmware esxi 6.0 600-201510401
    vmware esxi 6.0 600-201511401
    vmware esxi 6.0 600-201601101
    vmware esxi 6.0 600-201601102
    vmware esxi 6.0 600-201601401
    vmware esxi 6.0 600-201601402
    vmware esxi 6.0 600-201601403
    vmware esxi 6.0 600-201601404
    vmware esxi 6.0 600-201601405
    vmware esxi 6.0 600-201602401
    vmware esxi 6.0 600-201603101
    vmware esxi 6.0 600-201603102
    vmware esxi 6.0 600-201603201
    vmware esxi 6.0 600-201603202
    vmware esxi 6.0 600-201603203
    vmware esxi 6.0 600-201603204
    vmware esxi 6.0 600-201603205
    vmware esxi 6.0 600-201603206
    vmware esxi 6.0 600-201603207
    vmware esxi 6.0 600-201603208
    vmware esxi 6.0 600-201605401
    vmware esxi 6.0 600-201608101
    vmware esxi 6.0 600-201608401
    vmware esxi 6.0 600-201608402
    vmware esxi 6.0 600-201608403
    vmware esxi 6.0 600-201608404
    vmware esxi 6.0 600-201608405
    vmware esxi 6.0 600-201610410
    vmware esxi 6.0 600-201611401
    vmware esxi 6.0 600-201611402
    vmware esxi 6.0 600-201611403
    vmware esxi 6.0 600-201702101
    vmware esxi 6.0 600-201702102
    vmware esxi 6.0 600-201702201
    vmware esxi 6.0 600-201702202
    vmware esxi 6.0 600-201702203
    vmware esxi 6.0 600-201702204
    vmware esxi 6.0 600-201702205
    vmware esxi 6.0 600-201702206
    vmware esxi 6.0 600-201702207
    vmware esxi 6.0 600-201702208
    vmware esxi 6.0 600-201702209
    vmware esxi 6.0 600-201702210
    vmware esxi 6.0 600-201702211
    vmware esxi 6.0 600-201702212
    vmware esxi 6.0 600-201703401
    vmware esxi 6.0 600-201706101
    vmware esxi 6.0 600-201706102
    vmware esxi 6.0 600-201706103
    vmware esxi 6.0 600-201706401
    vmware esxi 6.0 600-201706402
    vmware esxi 6.0 600-201706403
    vmware esxi 6.0 600-201710301
    vmware esxi 6.5
    vmware workstation 12.5.6
    vmware fusion 8.5.7