VMware Host Code Execution Vulnerabilities
This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.
Summary
Threat details
The most severe of the three vulnerabilities is an out-of-bounds write in SVGA, affecting VMware ESXi, Workstation and Fusion. The flaw is due to improper validation of user data, which allows an allocated buffer in memory to be overflowed so that portions of memory allocated to other processes can be modified. To exploit this vulnerability an attacker would need to have gained low-level privileges on the guest Virtual Machine (VM), so operators of untrusted guests need to ensure that remediation activity relating to this vulnerability is prioritised. ESXi versions 5.5 and 6.0 were found not to be vulnerable, while ESXi 6.5 was; the flaw also affects Workstation 12.x and Fusion 8.x.
The second disclosed vulnerability is described as a guest remote procedure call (RPC) NULL pointer dereference vulnerability. The vulnerability is a denial of service (DoS) type where an attacker with an unprivileged account on a guest can cause the virtual environment to crash. The vulnerability affected ESXi versions 5.5, 6.0 and 6.5 as well as Workstation 12.x and Fusion 8.x.
The final vulnerability is described as a stored cross-site scripting (XSS) vulnerability in the HTML5 client that affects vCenter 5.5, 6.0 and 6.5. A vulnerability of this type is usually exploited through a text box in a graphical user interface: a malicious attacker stores a script in the text box, saved in such a way that when another user views the resulting output page the script is executed on that user's system. This is often used as a privilege escalation attack, where a low-privilege account leaves a malicious script to target an administrator-level user. This vulnerability relies on the attacker having already gained access to a vCenter-level account.
Remediation steps
Last edited: 17 February 2020 11:41 am