CVE-2017-4935 in Workstation
Summary
by MITRE
VMware Workstation (12.x before 12.5.8) and Horizon View Client for Windows (4.x before 4.6.1) contain an out-of-bounds write vulnerability in JPEG2000 parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View Client.
Analysis
by VulDB Data Team • 01/24/2021
This vulnerability exists within the TPView.dll component of VMware Workstation and Horizon View Client, specifically in its JPEG2000 image parsing functionality. The out-of-bounds write occurs when TPView.dll, which handles image processing in these products, parses a maliciously crafted JPEG2000 file. The flaw is classified under CWE-787 (out-of-bounds write) and can result in arbitrary code execution or system instability. An attacker triggers it by supplying a specially formatted JPEG2000 image that corrupts memory while the vulnerable library parses it.
Exploitation requires that virtual printing be enabled, a prerequisite that substantially limits the attack surface. In VMware Workstation this feature is disabled by default, so unpatched installations are at reduced risk unless administrators have explicitly enabled virtual printing. Horizon View Client, however, ships with virtual printing enabled by default and is therefore exploitable without any additional configuration change. This difference in defaults creates a significant security disparity between the two products, with Horizon View Client presenting the higher risk for organizations that do not address the vulnerability promptly.
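The affected-version ranges and the virtual-printing prerequisite described above can be turned into a simple inventory triage rule. The following is an added example, not VulDB's or VMware's code; the product labels, the inventory record layout and the sample hosts are constructed for illustration.

```python
"""Triage helper for CVE-2017-4935 (added example, not VulDB's or VMware's code).

Encodes the advisory's affected ranges (Workstation 12.x before 12.5.8,
Horizon View Client 4.x before 4.6.1) and the stated prerequisite that
exploitation needs virtual printing enabled (off by default on Workstation,
on by default on Horizon View Client).
"""
from typing import List, Optional, Tuple

# Affected major line -> first fixed version, taken from the advisory text.
AFFECTED = {
    "workstation": (12, (12, 5, 8)),
    "horizon-view-client": (4, (4, 6, 1)),
}

# Default state of the virtual-printing feature, taken from the advisory text.
VIRTUAL_PRINTING_DEFAULT = {
    "workstation": False,
    "horizon-view-client": True,
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'12.5.7' -> (12, 5, 7)."""
    return tuple(int(p) for p in v.strip().split("."))

def version_affected(product: str, version: str) -> bool:
    """True if the version is inside the vulnerable range for that product."""
    major, fixed = AFFECTED[product]
    parsed = parse_version(version)
    # Pad short versions so '12.5' compares like '12.5.0'.
    padded = parsed + (0,) * (len(fixed) - len(parsed))
    return padded[0] == major and padded < fixed

def is_exposed(product: str, version: str,
               virtual_printing: Optional[bool] = None) -> bool:
    """Vulnerable code present AND the virtual-printing prerequisite met.

    virtual_printing=None means the state is unknown, so the product
    default from the advisory is assumed.
    """
    if not version_affected(product, version):
        return False
    if virtual_printing is None:
        return VIRTUAL_PRINTING_DEFAULT[product]
    return virtual_printing

# Constructed sample inventory: (host, product, version, virtual printing state).
SAMPLE_INVENTORY = [
    ("ws-dev-01", "workstation", "12.5.7", None),
    ("ws-dev-02", "workstation", "12.5.7", True),
    ("vdi-kiosk-07", "horizon-view-client", "4.5.0", None),
    ("vdi-kiosk-08", "horizon-view-client", "4.6.1", None),
]

def triage(inventory=SAMPLE_INVENTORY) -> Tuple[List[str], List[str]]:
    """Return (hosts needing the patch, hosts exploitable right now)."""
    needs_patch = [h for h, p, v, _ in inventory if version_affected(p, v)]
    exploitable = [h for h, p, v, vp in inventory if is_exposed(p, v, vp)]
    return needs_patch, exploitable
```

Hosts in the first list carry the vulnerable code and need the update regardless; the second list is where the advisory's prerequisite is also met and should be patched first.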
The operational impact goes beyond code execution alone to potential full system compromise and denial of service. When exploited, the vulnerability lets a guest operating system execute arbitrary code on the host Windows system, breaking the isolation that virtualization is meant to provide. This is a guest-to-host escalation of privilege that could let an attacker access sensitive host resources, exfiltrate data, or establish persistence within the virtualized environment. The denial of service aspect can be equally disruptive, potentially crashing the host or leaving the virtual machine or desktop environment unusable.
Organizations should prioritize immediate patching of the affected VMware products, particularly Horizon View Client installations, where virtual printing is enabled by default. System administrators should also apply network segmentation and access controls to limit exposure, and monitor for anomalous image processing activity that might indicate exploitation attempts. The vulnerability underlines the importance of secure coding practices in virtualization components and the need for thorough security testing of third-party libraries used in enterprise virtualization products. In ATT&CK terms, it maps to privilege escalation and execution techniques carried out through a compromised virtualization component, which emphasizes how critical it is to keep virtual machine environments secure.