CVE-2017-4933

Name of the Vulnerable Software and Affected Versions VMware ESXi versions 6.5 before ESXi650-201710401-BG VMware Workstation versions 12.x before 12.5.8 VMware Fusion versions 8.x before 8.5.9

Description The issue allows an authenticated VNC session to cause a heap overflow via a specific set of VNC packets, resulting in heap corruption. Successful exploitation could result in remote code execution in a virtual machine via the authenticated VNC session. Note that for exploitation to be possible in ESXi, VNC must be manually enabled in a virtual machine's .vmx configuration file, and ESXi must be configured to allow VNC traffic through the built-in firewall.

Recommendations For VMware ESXi versions 6.5 before ESXi650-201710401-BG, update to ESXi650-201710401-BG or later. For VMware Workstation versions 12.x before 12.5.8, update to version 12.5.8 or later. For VMware Fusion versions 8.x before 8.5.9, update to version 8.5.9 or later. As a temporary workaround, consider disabling VNC access to virtual machines until a patch is applied.