VMware Patches Pwn2Own VM Escape Vulnerabilities
VMware patched vulnerabilities uncovered earlier this month at Pwn2Own that could have let an attacker execute code on VMware Workstation and carry out a virtual machine escape.

VMware on Tuesday patched a series of vulnerabilities uncovered earlier this month at Pwn2Own. The flaws enabled an attacker to execute code on a workstation and carry out a virtual machine escape to attack a host server.

Monty Ijzerman, manager of the company’s Security Response Center, confirmed that VMware had pushed patches for the bugs, critical and moderate issues in its ESXi, VMware Workstation, and VMware Fusion products.

Two groups, Qihoo’s 360 Security and Tencent Security’s Team Sniper, used the bugs to exploit the company’s Workstation hypervisor on the last day of the hacking challenge, two weeks ago, in Vancouver.

mj011sec, a hacker with 360 Security, chained together a type confusion bug in Edge, a Windows kernel bug and an uninitialized buffer in VMware for his exploit, a complete virtual machine escape. Team Sniper, comprised of hackers from China’s Keen Lab and PC Manager, used a Windows kernel bug and two VMware bugs–an info leak and an uninitialized buffer–to go guest-to-host on their machine. The teams collectively earned $205,000 for their exploits.

It was the first time one team, let alone two, was able to successfully exploit the platform. The Zero Day Initiative and Trend Micro, Pwn2Own sponsors, upped the reward for an escape from $75,000 to $100,000 this year after no one targeted Workstation in 2016.

According to a security advisory posted by VMware, 360 Security specifically exploited a heap buffer overflow (CVE-2017-4902) and an uninitialized stack memory usage vulnerability (CVE-2017-4903) in SVGA, the virtual graphics driver in the hypervisor. The issue that Team Sniper managed to exploit was an uninitialized memory usage vulnerability (CVE-2017-4904) in the XHCI controller of ESXi, Workstation, and Fusion. A similar uninitialized memory usage vulnerability (CVE-2017-4905) could have led to an information leak on ESXi, Workstation, and Fusion. All of the vulnerabilities, as the teams demonstrated, could have allowed a guest to execute code on the host.

VMware was transparent about the vulnerabilities after they popped up at Pwn2Own.

The company knew going into the competition that Workstation was a target and acknowledged during the contest that its researchers were investigating the issues after receiving details about them from ZDI, 360 Security, and Team Sniper. The patches took about two weeks to deploy because the company knew the vulnerabilities affected Workstation but was unsure how they affected ESXi and Fusion.

Ijzerman says the company is encouraging its customers to expedite updating but stresses that “emergency measures like taking environments offline are not called for.”

It’s the fifth time this month that VMware has pushed out patches for its customers and the second time this month it has pushed out an update for Workstation and Fusion.

The company, just two weeks ago, released an update for several of its products to resolve a publicized remote code execution vulnerability in Apache Struts 2. The open source extensible framework figures into VMware’s Horizon Desktop as-a-Service Platform, vCenter Server, Operations Manager, and Hyperic Server.