VMware Fusion 8.x < 8.5.2 Drag-and-Drop Feature Arbitrary Code Execution (VMSA-2016-0019)

Severity: High | Nessus Plugin ID: 95286


Synopsis

A virtualization application installed on the remote Mac OS X host is affected by an arbitrary code execution vulnerability.


Description

The version of VMware Fusion installed on the remote Mac OS X host is 8.x prior to 8.5.2. It is, therefore, affected by an arbitrary code execution vulnerability in the drag-and-drop feature due to an out-of-bounds memory access error. An attacker within the guest can exploit this to execute arbitrary code on the host system.


Solution

Upgrade to VMware Fusion version 8.5.2 or later. Alternatively, disable both the drag-and-drop function and the copy-and-paste function.


Plugin Details

Severity: High

ID: 95286

File Name: macosx_fusion_vmsa_2016_0019.nasl

Version: $Revision: 1.6 $

Type: local

Agent: macosx

Published: 2016/11/23

Modified: 2017/03/27

Dependencies: 50828

Risk Information

Risk Factor: High


CVSS v2.0

Base Score: 8.5

Temporal Score: 7

Vector: CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND


CVSS v3.0

Base Score: 9.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:vmware:fusion

Required KB Items: Host/local_checks_enabled, installed_sw/VMware Fusion, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/11/13

Vulnerability Publication Date: 2016/11/13

Reference Information

CVE: CVE-2016-7461

BID: 94280

OSVDB: 147086

VMSA: 2016-0019