Integer Overflow Vulnerability in VMware Workstation and Horizon View Client
CVE-2017-4913

7.8HIGH

Key Information:

Vendor
Vmware
Status
Workstation
Horizon View Client For Windows
Vendor
CVE Published:
8 June 2017

Summary

VMware Workstation versions prior to 12.5.3 and Horizon View Client versions prior to 4.4.0 are susceptible to an integer overflow vulnerability in the True Type Font parser within TPView.dll. This vulnerability could allow an attacker to execute arbitrary code or cause a Denial of Service on the Windows operating system running the affected VMware software. Importantly, exploitation requires that virtual printing is enabled, a feature that is not enabled by default in Workstation but is active by default in the Horizon View Client. Users are advised to review their configurations and apply the necessary updates to mitigate potential risks.

Affected Version(s)

Horizon View Client for Windows 4.x prior to 4.4.0

Workstation 12.x prior to 12.5.3

References

http://www.securitytracker.com/id/1038281
vdb-entryx_refsource_SECTRACK
http://www.securityfocus.com/bid/97920
vdb-entryx_refsource_BID
http://www.vmware.com/security/advisories/VMSA-2017-0008....
x_refsource_CONFIRM

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.