VMware released patches last week for several critical security vulnerabilities, just days after two of them were unveiled at a popular Canadian cybersecurity conference.
The company’s updates addressed five critical vulnerabilities in all, covering its vSphere ESX-i, VMware Workstation Pro/Player, and VMware Fusion Pro/Fusion products.
A team calling itself Fluoroacetate exploited the first two flaws during the Pwn2Own contest at the CanSecWest cybersecurity conference, which took place in Vancouver from 20-22 March, earning them a $70,000 reward.
According to VMware’s security advisory, issued on 28 March, these two issues addressed an out-of-bounds read/write vulnerability and a time-of-check time-of-use (TOCTOU) vulnerability in the virtual universal host controller interface used by ESXi, Workstation and Fusion. An attacker must have access to a virtual machine with a virtual USB controller present, the advisory said, adding that it could allow a guest VM to execute code on the host system.
The third and fourth vulnerabilities addressed out-of-bounds write issues in VMware Workstation’s and Fusion’s e1000 and e1000e virtual network adapters. Both of them could allow code execution on the host from a guest, but the latter was more likely to result in a denial of service attack on the guest virtual machine, VMware said.
Finally, VMware said that its Fusion product contains a security vulnerability stemming from an unauthenticated application programming interface (API) that allowed access to an application menu through a web socket.
Code Colorist originally discovered the basis for this flaw, and Fitzl built on it. In a post detailing the flaw, Fitzl elaborated:
You can fully control all the VMs (also create/delete snapshots, whatever you want) through this websocket interface, including launching apps
Code Colorist explained that you normally see exploits breaking out from the guest virtual machine to the host, but this is a rarer exploit that goes the other way:
Usually we see guest-to-host escapes from the advisory. By contrast, this is a “host browser to guest RCE” and a web vulnerability after all 🤔 https://t.co/lX78O9j2Ir— CodeColorist (@CodeColorist) April 1, 2019
These vulnerabilities have been assigned the following CVE numbers, in order, but at the time of writing the details for all entries had not yet been uploaded:
What to do?
VMware advises customers review the patch/release notes for their product and version. Details about patches for the various products can be found on the security advisory.