VMware Patches Bug That Allows Guest to Execute Code on Host

Users who run four different types of VMware products, ESXi, vCenter Server, Fusion and Workstation, are being encouraged to update to address a series of vulnerabilities, one critical.

The most serious issue, an out-of-bounds write vulnerability, exists in ESXi and in the desktop hypervisors Workstation and Fusion. An attacker could exploit the issue, which exists in the SVGA device, to execute code on the host, according to a VMware security advisory posted early Friday.

The issue, CVE-2017-4924, discovered by researchers Nico Golde and Ralf-Philipp Weinmann of Comsecuris UG, affects version 6.5 of ESXi but not versions 6.0 and 5.5. It also affects version 12.x of Workstation and version 8.x of Fusion. Because the bug could allow code execution, VMware has marked it as critical.

A NULL pointer dereference vulnerability can also be exploited when the software handles guest RPC requests, something that could allow an attacker with normal user privileges to crash virtual machines.

The moderate-severity bug affects versions 6.5, 6.0, and 5.5 of ESXi, version 12.x of Workstation, and version 8.x of Fusion. Users are urged to apply patches released on Friday, as no workarounds exist for the vulnerability.

The last vulnerability VMware warned about on Friday only affects vCenter Server, a platform designed to help users manage vSphere environments. An attacker with VC user privileges could inject malicious JavaScript and exploit a stored cross-site scripting bug in the platform’s HTML5 Client. The bug could be triggered when other VC users access the page, VMware warns.

The bug only affects version 6.5 of vCenter Server on Windows; users are encouraged to update to version 6.5 U1 to mitigate it.
