lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 10 Jul 2017 22:30:22 +0200
From: Florian Bogner <>
Subject: CVE-2017-4918: Code Injection in VMware Horizon’s macOS Client

CVE-2017-4918: Code Injection in VMware Horizon’s macOS Client

Release Date: 10-July-2017
Author: Florian Bogner //
Affected product: VMware Horizon‘s macOS Client
Fixed in: Version 4.5
Tested on: OS X El Capitan 10.11.6
CVE:  CVE-2017-4918
Vulnerability Status: Fixed

Product Description
VMware Horizon 7 is the leading platform for virtual desktops and applications.
Provide end users access to all of their virtual desktops, applications, and online services through a single digital workspace.

Vulnerability Description
An issue within a shell script of VMware Horizon's macOS client could be abused to load arbitrary kernel extensions. In detail, this was possible because a user modifiable environment variable was used to build the command line for a highly privileged command.

Further technical details can be found on my blog:

Suggested Solution
Update to the latest version (fixed in 4.5)

Disclosure Timeline
21-04-2017: The issues has been documented and reported
24-04-2017: VMware started investigating
06-06-2017: Fix ready
08-06-2017: Updated Horizon version 4.5 alongside security advisory VMSA-2017-0011 released

Florian Bogner


Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)

Powered by blists - more mailing lists