VMware Security Advisory

VMSA-2020-0026 – ESXi, Workstation, and Fusion Vulnerabilities

VMware has released a new security advisory VMSA-2020-0026: VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2020-4004, CVE-2020-4005).

Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. This advisory documents the remediation of one critical issue and one important issue.

The Common Vulnerabilities and Exposures project has assigned the identifiers CVE-2020-4004 to the use-after-free vulnerability in XHCI USB controller and CVE-2020-4005 to the VMX elevation-of-privilege vulnerability.

Read More
VMware Security Advisory

VMSA-2020-0023 – VMware ESXi, Workstation, Fusion and NSX-T Vulnerabilities

VMware has released a new security advisory VMSA-2020-0023: VMware ESXi, Workstation, Fusion, NSX-T, and vCenter Server Appliance updates address multiple security vulnerabilities. VMware Cloud Foundation is also an impacted product.

ESXi OpenSLP remote code execution vulnerability (CVE-2020-3992)

OpenSLP as used in ESXi has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution. If you can’t upgrade to the fixed version, as a workaround you can disable CIM server, documented in VMware KB 76372.

Affected products:

  • ESXi 7.0 – update to ESXi_7.0.1-0.0.16850804
  • ESXi 6.7 – update to ESXi670-202010401-SG
  • ESXi 6.5 – update to ESXi650-202010401-SG
  • VMware Cloud Foundation 4.x – update to 4.1
  • VMware Cloud Foundation 3.x – update to 3.10.1.1
Read More
VMware Security Advisory

VMware ESXi, Workstation, and Fusion Security Updates – VMSA-2019-0019

VMware has released a new security advisory VMSA-2019-0019 (VMware ESXi, Workstation, and Fusion updates address a denial-of-service vulnerability).

This advisory documents the remediation of one issue, rated with a severity of moderate. VMware ESXi, Workstation and Fusion contain a denial-of-service vulnerability in the shader functionality. Successful exploitation of this issue may allow attackers with normal user privileges to create a denial-of-service condition on their own VMs.

Exploitation of this issue require an attacker to have access to a virtual machine with 3D graphics enabled. By default, this functionality is not enabled on ESXi and is enabled on Workstation and Fusion.

The identifier CVE-2019-5536 was assigned to this vulnerability.

Affected products and resolutions:

  • ESXi 6.7 – apply patch ESXi670-201908101-SG
  • ESXi 6.5 – apply patch ESXi650-201910401-SG
  • Workstation 15.x – update to 15.5.0
  • Fusion 11.x – update to 11.5.0

The workaround for this issue involves disabling the 3D-acceleration feature.

Disable 3D-acceleration on ESXi

  • With Host Client or vCenter, go to the individual VM > Edit Settings > Virtual hardware > Video card.
  • If the “3D Graphics” is checked then 3D-acceleration feature is enabled.

Disable 3D-acceleration on Workstation

  • Select virtual machine and select VM > Settings.
  • On the Hardware tab, select Display.
  • If the “Accelerate 3D graphics” is checked then 3D-acceleration feature is enabled.

Disable 3D-acceleration on Fusion

  • From the VMware Fusion menu bar, select Window > Virtual Machine Library.
  • Select a virtual machine and click Settings.
  • In the Settings Window > select Display.
  • If the “Accelerate 3D graphics” is checked then 3D-acceleration feature is enabled.

You can check reports on other VMware vulnerabilities in my page dedicated to Security Advisories.

VMware Security Advisory

VMware ESXi, Workstation, Fusion and vCloud Director Security Updates

VMware has released two new security advisories VMSA-2019-0004 (VMware vCloud Director for Service Providers update resolves a Remote Session Hijack vulnerability) and VMSA-2019-0005 (VMware ESXi, Workstation and Fusion updates address multiple security issues).

The advisories document the remediation of these critical issues:

  • VMware vCloud Director for Service Providers update resolves a Remote Session Hijack vulnerability in the Tenant and Provider Portals. Successful exploitation of this issue may allow a malicious actor to access the Tenant or Provider Portals by impersonating a currently logged in session.
  • VMware ESXi, Workstation and Fusion contain an out-of-bounds read/write vulnerability and a Time-of-check Time-of-use (TOCTOU) vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface). Exploitation of these issues requires an attacker to have access to a virtual machine with a virtual USB controller present. These issues may allow a guest to execute code on the host.
  • VMware Workstation and Fusion contain an out-of-bounds write vulnerability in the e1000 virtual network adapter. This issue may allow a guest to execute code on the host.
  • VMware Workstation and Fusion updates address an out-of-bounds write vulnerability in the e1000 and e1000e virtual network adapters. Exploitation of this issue may lead to code execution on the host from the guest but it is more likely to result in a denial of service of the guest.
  • VMware Fusion contains a security vulnerability due to certain unauthenticated APIs accessible through a web socket. An attacker may exploit this issue by tricking the host user to execute a JavaScript to perform unauthorized functions on the guest machine where VMware Tools is installed. This may further be exploited to execute commands on the guest machines.
Read More
VMware Security Advisory

VMware Security Advisory – VMSA-2018-0008 – Workstation and Fusion Vulnerability

VMware has released a new security advisory: VMSA-2018-0008 – Workstation and Fusion updates address a denial-of-service vulnerability.

This advisory documents the remediation of one issue, rated with a severity of Important. VMware Workstation and Fusion contain a denial-of-service vulnerability which can be triggered by opening a large number of VNC sessions. A successfully exploitation of the vulnerability will result in a virtual machine shutdown.

The identifier CVE-2018-6957 was assigned to this vulnerability. The vulnerability was discovered by a Cisco Talos researcher.

Read More

VMware Security Advisory

VMware Security Advisory – VMSA-2018-0005 – Workstation and Fusion Updates

VMware has released a new security advisory: VMSA-2018-0005 – VMware Workstation, and Fusion updates resolve use-after-free and integer-overflow vulnerabilities.

This advisory documents the remediation of two issues: one critical (use-after-free vulnerability in VMware NAT service when IPv6 mode is enabled) and one important (an integer overflow vulnerability in VMware NAT service when IPv6 mode is enabled).

Read More

VMSA-2018-0003

VMware Security Advisory VMSA-2018-0003

VMware has released a new security advisory: VMSA-2018-0003 – vRealize Operations for Horizon, vRealize Operations for Published Applications, Workstation, Horizon View Client and Tools updates resolve multiple security vulnerabilities.

This advisory documents the remediation of three important issues: a privilege escalation vulnerability that affects vRealize Operations for Horizon (V4H) and vRealize Operations for Published Applications (V4PA) agents, an out-of-bounds read issue that occurs via Cortado ThinPrint and affects Workstation and Horizon View Client, and a guest access control vulnerability which affects Workstation and Fusion.

Read More

VMSA-2018-0002 Meltdown and Specter

VMware Security Advisory VMSA-2018-0002 – Meltdown and Spectre Vulnerabilities

Google Project Zero released yesterday information about two vulnerabilities with impact to major processors vendors: Meltdown (CVE-2017-5754 – rogue data cache load) and Spectre (CVE-2017-5753 – bounds check bypass & CVE-2017-5715 – branch target injection). Among other organizations, VMware released a security advisory: VMSA-2018-0002 – VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.

How to patch your vCenter / ESXi infrastructure against speculative execution vulnerabilities (Meltdown and Spectre). Products, versions, patches, order of upgrade, dependencies, warnings. VMware Patches for Spectre

Meltdown and Spectre Overview

Meltdown breaks the isolation between user applications and the operating system, and allows an application to access all system memory (this includes kernel allocated memory). Meltdown affects a range of  Intel processors.

Spectre breaks the memory isolation between different applications, and allows an application to force another application to access arbitrary portions of its memory. Spectre affects a wide range of processors: Intel, AMD, and ARM.

“Both of these vulnerabilities are hardware level vulnerabilities that exist because of a flaw in CPU architecture. They are very serious vulnerabilities because they are operating system and software independent. The long term fix for both of these issues will require that CPU makers change the way their chips work, which means redesigning and releasing new chips.” – Defiant

You can find more information on both vulnerabilities on spectreattack.com. For comprehensive technical details, you can refer to these academic papers: Meltdown and Spectre.

Read More

VMware Security Advisory

VMware Security Advisory VMSA-2017-0021

VMware has released a new security advisory: “VMSA-2017-0021 – VMware ESXi, vCenter Server Appliance, Workstation and Fusion updates address multiple security vulnerabilities”.

Among affected products, we find vCenter Server Appliance 6.5, ESXi (5.5, 6.0, and 6.5), Workstation 12.x, and Fusion 8.x.

VMSA-2017-0021 – ESXi, Workstation, and Fusion stack overflow via authenticated VNC session

CVE-2017-4941 – VMware ESXi, Workstation, and Fusion contain a vulnerability that could allow an authenticated VNC session to cause a stack overflow via a specific set of VNC packets. A successful exploitation will result in remote code execution in a virtual machine via the authenticated VNC session. As prerequisites for a successful exploit, VNC must be manually enabled in a virtual machine’s .vmx configuration file and ESXi must be configured to allow VNC traffic through the firewall.

Affected products and versions:

  • ESXi 5.5 and 6.0 (install patches ESXi550-201709101-SG or ESXi600-201711101-SG)
  • Workstation 12.x (upgrade to version 12.5.8)
  • Fusion 8.x (upgrade to version 8.5.9)

Read More