Critical VMware vulnerability, patch and update now


On September 15, VMware issued a notice that some versions of ESXi, Workstation and Fusion are affected by an out-of-bounds write vulnerability.

VMware makes virtualisation software that allows one computer (the host) to pretend to be one or more pseudo-computers (the guests).

Each guest is a “virtual machine” or VM that thinks it’s a real computer. The VMs are isolated from each other and the host by the virtualisation software.

That isolation is especially important in a hosting environment, where one physical server may provide virtual server instances to several different customers at the same time.

The out-of-bounds write vulnerability in VMware’s products allows guests to break out of their isolation—an attacker could escape the confines of a virtual machine and execute malicious code on the machine the VM is running on.

The impact of this vulnerability is potentially quite high, which is why VMware rates this vulnerability as critical; however, the Zero Day Initiative, which worked with the two researchers who discovered this issue to disclose it to VMware, gives this vulnerability only a medium score of 6.2.

The nuance behind ZDI’s reasoning is that while the impact is potentially high, this is not an easy vulnerability to exploit—it requires local access (either physical access or local shell), and the access complexity is high—in this case, the attacker must already be able to execute low-privilege code on the virtual machine to trigger this vulnerability.

Thankfully VMware issued a fix for this vulnerability (CVE-2017-4924 for those keeping track at home), so the standard advice of “patch ASAP” applies.

ESXi version 6.5, Workstation 12.x, and Fusion 8.x on OSX are all vulnerable to this bug, so update as soon as you can if you haven’t yet.