CVE-2017-4918: Code Injection in VMware Horizon’s macOS Client

Metadata
===================================================
Release Date: 10-July-2017
Author: Florian Bogner // https://bogner.sh
Affected product: VMware Horizon’s macOS Client
Fixed in: Version 4.5
Tested on: OS X El Capitan 10.11.6
CVE: CVE-2017-4918
URL: https://bogner.sh/2017/07/cve-2017-4918-code-injection-in-vmware-horizons-macos-client/
Vulnerability Status: Fixed

Product Description
===================================================
VMware Horizon 7 is the leading platform for virtual desktops and applications.
Provide end users access to all of their virtual desktops, applications, and online services through a single digital workspace.

Vulnerability Description
===================================================
An issue within a shell script of VMware Horizon’s macOS client could be abused to load arbitrary kernel extensions. In detail, this was possible because a user-modifiable environment variable was used to build the command line for a highly privileged command.

Further technical details can be found on my blog: https://bogner.sh/2017/07/cve-2017-4918-code-injection-in-vmware-horizons-macos-client/
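
The bug class described above, as an added example that is not part of the original advisory and is not VMware's code: a privileged script that builds a kernel-extension path from a caller-controlled environment variable, next to a hardened form that pins the directory and validates the bundle first. The variable APP_BUNDLE_DIR, the paths, the bundle name and the function names are hypothetical, and both functions only return the path they would pass to the loader.

```bash
#!/usr/bin/env bash
# Added illustration; every name and path below is a hypothetical placeholder.

# Directory fixed by the installer, never read from the environment.
TRUSTED_DIR="/Library/Application Support/ExampleVendor"
# Expected owner of the bundle (root in a real privileged helper).
TRUSTED_UID=0

# Weak pattern: the invoking user's environment chooses the directory,
# so the privileged command line is built from attacker-influenced data.
kext_path_vulnerable() {
    printf '%s\n' "${APP_BUNDLE_DIR}/example.kext"
}

# Hardened pattern: ignore the environment, then refuse the bundle unless it
# is a real directory (not a symlink), owned by the expected user, and not
# writable by group or others.
kext_path_hardened() {
    local kext="${TRUSTED_DIR}/example.kext"
    [ -d "$kext" ] && [ ! -L "$kext" ] || return 1
    [ "$(ls -ldn "$kext" | awk '{print $3}')" = "$TRUSTED_UID" ] || return 1
    [ -z "$(find "$kext" -prune \( -perm -020 -o -perm -002 \))" ] || return 1
    printf '%s\n' "$kext"
}

# Demo: the environment changes only the vulnerable result.
APP_BUNDLE_DIR=/tmp/untrusted kext_path_vulnerable
kext_path_hardened || echo "hardened: bundle failed validation" >&2
```

A production helper would apply the same ownership and permission checks to every parent directory of the bundle as well.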

Suggested Solution
===================================================
Update to the latest version (fixed in 4.5)

Disclosure Timeline
===================================================
21-04-2017: The issue has been documented and reported
24-04-2017: VMware started investigating
06-06-2017: Fix ready
08-06-2017: Updated Horizon version 4.5 alongside security advisory VMSA-2017-0011 released

Florian Bogner

eMail: florian@bogner.sh
Web: http://www.bogner.sh
LinkedIn: https://www.linkedin.com/profile/view?id=368904276
Xing: https://www.xing.com/profile/Florian_Bogner9
