VMware Security Announcement VMSA-2021-0009, CVSSv3 Score 3.2

Today VMware released a new Security Advisory, VMSA-2021-0009. This one affects VMware Workstation and Horizon Client for Windows. The updates address multiple security vulnerabilities (CVE-2021-21987, CVE-2021-21988, CVE-2021-21989).

Impacted Products

  • VMware Workstation Pro / Player (Workstation)
  • VMware Horizon Client for Windows

Introduction

Multiple vulnerabilities in VMware Workstation and Horizon Client for Windows were privately reported to VMware. Updates and workarounds are available to remediate these vulnerabilities in affected VMware products.

Multiple out-of-bounds read vulnerabilities via Cortado ThinPrint (CVE-2021-21987, CVE-2021-21988, CVE-2021-21989)

Description

VMware Workstation and Horizon Client for Windows contain multiple out-of-bounds read vulnerabilities in the Cortado ThinPrint component. These issues exist in the TTC and JPEG2000 parsers. VMware has evaluated the severity of these issues to be in the low severity range with a CVSSv3 base score of 3.2.

Known Attack Vectors

A malicious actor with access to a virtual machine or remote desktop may be able to exploit these issues, leading to information disclosure from the TPView process running on the system where Workstation or Horizon Client for Windows is installed.

Notes

Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation, but it is enabled by default on Horizon Client for Windows.

Resolution

For Horizon Client for Windows version 5.1 and prior, apply fixed version 5.5.2. Download links will be available below.

For Workstation version 16.x, apply patch 16.1.2. Download links will be provided below.

References

VMware Workstation Pro 16.1.2
Downloads and Documentation:
https://www.vmware.com/go/downloadworkstation
https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

VMware Workstation Player 16.1.2
Downloads and Documentation:
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

VMware Horizon Client 5.5.2
https://my.vmware.com/en/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_horizon_clients/horizon_7_5_0
https://docs.vmware.com/en/VMware-Horizon-Client-for-Windows/5.5.2/rn/horizon-client-windows-552-release-notes.html

Official advisory

VMSA-2021-0009 (vmware.com)

Thanks for reading!