VMware patches critical vulnerabilities

VMware released patches last week for several critical security vulnerabilities, just days after two of them were unveiled at a popular Canadian cybersecurity conference.

The company’s updates addressed five critical vulnerabilities in all, covering its vSphere ESXi, VMware Workstation Pro/Player, and VMware Fusion Pro/Fusion products.

A team calling itself Fluoroacetate exploited the first two flaws during the Pwn2Own contest at the CanSecWest cybersecurity conference, which took place in Vancouver from 20-22 March, earning them a $70,000 reward.

According to VMware’s security advisory, issued on 28 March, the patches for these two issues addressed an out-of-bounds read/write vulnerability and a time-of-check time-of-use (TOCTOU) vulnerability in the virtual universal host controller interface (UHCI) used by ESXi, Workstation and Fusion. An attacker must have access to a virtual machine with a virtual USB controller present, the advisory said, adding that the flaws could allow a guest VM to execute code on the host system.

The third and fourth vulnerabilities addressed out-of-bounds write issues in VMware Workstation’s and Fusion’s e1000 and e1000e virtual network adapters. Both of them could allow code execution on the host from a guest, but the latter was more likely to result in a denial of service attack on the guest virtual machine, VMware said.
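Both of the preconditions described above (a virtual USB controller attached to the guest, and an e1000/e1000e virtual NIC) are visible in a VM’s .vmx configuration, so an administrator can inventory which VMs are exposed before the patches land. The following is an added example, not code from the article or from VMware; it assumes the standard .vmx keys usb.present, ehci.present, usb_xhci.present and ethernetN.virtualDev, and the sample .vmx content is constructed.

```python
import re

# Constructed sample .vmx content (not from the article): one VM with a
# UHCI USB controller and an e1000 NIC, another with neither.
SAMPLE_VMX = {
    "dev-box.vmx": """\
.encoding = "UTF-8"
config.version = "8"
displayName = "dev-box"
usb.present = "TRUE"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "e1000"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "vmxnet3"
""",
    "hardened.vmx": """\
displayName = "hardened"
usb.present = "FALSE"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
""",
}

# Assumed .vmx keys that enable a virtual USB controller (UHCI, EHCI, xHCI).
USB_CONTROLLER_KEYS = ("usb.present", "ehci.present", "usb_xhci.present")
# NIC device models named in the advisory.
RISKY_NICS = {"e1000", "e1000e"}

def parse_vmx(text):
    """Parse key = "value" lines of a .vmx file into a dict (keys lowercased)."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w.:]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def assess_vm(cfg):
    """Report whether a USB controller is present and which enabled NICs use
    the e1000/e1000e models (a NIC with no .present key is assumed enabled)."""
    usb = any(cfg.get(k, "").upper() == "TRUE" for k in USB_CONTROLLER_KEYS)
    nics = sorted(
        key.split(".")[0] for key, val in cfg.items()
        if key.startswith("ethernet") and key.endswith(".virtualdev")
        and val.lower() in RISKY_NICS
        and cfg.get(key.split(".")[0] + ".present", "TRUE").upper() == "TRUE"
    )
    return {"usb_controller": usb, "e1000_nics": nics}

def report(vmx_files):
    """Assess every VM in a {filename: vmx_text} mapping."""
    return {name: assess_vm(parse_vmx(text)) for name, text in vmx_files.items()}

if __name__ == "__main__":
    for name, finding in report(SAMPLE_VMX).items():
        print(name, finding)
```

VMs flagged with a USB controller they do not need can have it removed while the host awaits the update; the e1000 finding identifies guests where a switch to a different adapter model or a priority patch is worth considering.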

Finally, VMware said that its Fusion product contains a security vulnerability stemming from an unauthenticated application programming interface (API) that allowed access to an application menu through a web socket.

This could allow an attacker to trick the host user into running malicious JavaScript. The JavaScript can, in turn, manipulate the guest virtual machine via the VMware Tools utility, which allows for enhanced communication between the host and the guest. From there, an attacker could run various commands on the guest machine, the software vendor said, thanking independent researchers CodeColorist (@CodeColorist) and Csaba Fitzl (@theevilbit) for flagging the problem.

CodeColorist originally discovered the basis for this flaw, and Fitzl built on it. In a post detailing the flaw, Fitzl elaborated:

You can fully control all the VMs (also create/delete snapshots, whatever you want) through this websocket interface, including launching apps

CodeColorist explained that exploits normally break out from the guest virtual machine to the host, but this is a rarer exploit that goes the other way:

These vulnerabilities have been assigned the following CVE numbers, in order, but at the time of writing the details for all entries had not yet been uploaded:

What to do?

VMware advises customers to review the patch/release notes for their product and version. Details about patches for the various products can be found in the security advisory.