VMware announced today it has patched a privilege escalation vulnerability in VMware Workstation.
Workstation is the hypervisor software connecting multiple virtual machines on host hardware. Compromising a hypervisor would give an attacker remote control over a number guest machines; the risk is especially elevated in hosting or service provider environments.
This particular vulnerability is limited to Linux version of VMware Workstation, prior to version 9.0.3.
VMware also patched VMware Player for Linux prior to version 5.0.3.
The vulnerability, VMware said, is a shared library privilege escalation bug. Both Workstation and Player contain the same vulnerability, which could allow a local attacker to escalate privileges all the way to root on the host operating system.
VMplayer is packaged alongside Workstation running the OS image without the need for additional hardware.
“The vulnerability does not allow for privilege escalation from the guest operating system to the host or vice-versa,” the advisory said.
Just about a month ago, VMware patched most of its product line, fixing authentication bypass and denial-of-service bugs in vCenter Server, vCenter Server Appliance, vSphere Update Manager, ESX and ESXi.
The most serious vulnerability was in vCenter Server 5.0 and 5.1 that could enable an attacker to bypass the need for valid credentials under some circumstances. In order for the vulnerability to be exploitable, the affected product must be deployed in an Active Directory environment, VMware said.
