Users who run four different types of VMware products, ESXi, vCenter Server, Fusion and Workstation, are being encouraged to update to address a series of vulnerabilities, one critical.
The most serious issue, an out-of-bounds write vulnerability, exists in ESXi, and desktop hypervisors Workstation, and Fusion. An attacker could exploit the issue, which exists in a SVGA device, to execute code on the host, according to a VMware security advisory posted early Friday.
The issue, CVE-2017-4924, discovered by researchers Nico Golde and Ralf-Philipp Weinmann of Comsecuris UG, affects version 6.5 of ESXi but not versions 6.0 and 5.5. It also affects version 12.x of Workstation and version 8.x of Fusion. As the bug could allow code execution it’s marked as critical by VMware.
A NULL pointer dereference vulnerability can also be exploited when the software handles guest RPC requests, something that could allow an attacker with normal user privileges to crash virtual machines.
The moderate severity bug affects version 6.5, 6.0, and 5.5 of ESXi, version 12.x of Workstation, and 8.x of Fusion. Users are urged to apply patches released on Friday as no workaround exist for the vulnerability.
The bug only affects the Windows version 6.5 of vCenter Server; users are encouraged to update to version 6.5 U1 to mitigate it.