VMware addressed Code Execution Flaw in its ESXi, Workstation, and Fusion products
17.10.2018 securityaffairs
Vulnerebility

VMware has addressed a critical arbitrary code execution flaw affecting the SVGA virtual graphics card used by its ESXi, Workstation, and Fusion products.
VMware has released security updated to fix a critical arbitrary code execution vulnerability (CVE-2018-6974) in the SVGA virtual graphics card used by its ESXi, Workstation, and Fusion solutions.

The issue in the VMware products is an out-of-bounds read vulnerability in the SVGA virtual graphics card that could be exploited by a local attacker with low privileges on the system to execute arbitrary code on the host.

“VMware ESXi, Fusion and Workstation contain an out-of-bounds read vulnerability in SVGA device. This issue may allow a guest to execute code on the host.” reads the security advisory published by the company.

VMware credited an anonymous researcher for reporting the flaw through Trend Micro’s Zero Day Initiative (ZDI).

According to the ZDI’s own advisory, the vulnerability was reported to VMware in mid-June.

“This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of VMware Workstation. An attacker must first obtain the ability to execute low-privileged code on the guest system in order to exploit this vulnerability.” read the ZDI’s advisory.

“The specific flaw exists within the handling of virtualized SVGA. The issue results from the lack of proper validation of user-supplied data, which can result in an overflow of a heap-based buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the host OS.”

VMware classified the issue as “medium” severity and assigned it a CVSS score of 6.9.

The same anonymous expert also reported an out-of-bounds write vulnerability in the e1000 virtual network adapter, tracked as CVE-2018-6973, used by Workstation and Fusion.

The CVE-2018-6973 flaw could be exploited by a local attacker to execute arbitrary code, VMware addressed this flaw in September.

This flaw is similar to the previous one, an attacker requires at low-privileged access to the exploit the issue on the target system.

“This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of VMware Workstation. An attacker must first obtain the ability to execute low-privileged code on the guest system in order to exploit this vulnerability.” states ZDI’s advisory,

“The specific flaw exists within the handling of the virtualized e1000 device. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the host OS.”

The cloud computing and platform virtualization company classified also assigned this flaw a CVSS score of 6.9.

In June, the company fixed a critical remote code execution vulnerability in the AirWatch Agent applications for Android and Windows Mobile.