VMware admins and users turn busy: The virtualization virtuoso has fixed a programming error in ESXi, Player, Workstation Pro, Fusion and Fusion Pro products that can be made use by harmful code to leap from guest OS to anchor machine.
The flaw, revealed here, is denominated CVE-2018-6974. The out-of-bounds featured is existing in the products’ SVGA video device technique, and if employed, permits software within a visitor operating system to implement code on the anchor machine. Putting it differently, a hyper-visor visitor diversion. That’s adequate of a benefit increasing to acquire the flaw rated serious around most of the impacted products.
Trend Micro documented the flaw via its Zero Day Initiative, supplied more facts, here.
Zero Day Initiative’s consultative justified: “The specific flaw exists within the handling of virtualised SVGA. The issue results from the lack of proper validation of user-supplied data, which can result in an overflow of a heap-based buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the host OS.”
The flaw options are in the given below table.
Product | Version | Running on | Patched version |
ESXi | 6.7 | ESXi | ESXi670-201810101-SG |
ESXi | 6.5 | ESXi | ESXi650-201808401-BG |
ESXi | 6.0 | ESXi | ESXi600-201808401-BG |
Workstation | 14.x | Any | 14.1.3 |
Fusion | 10.x | macOS | 14.1.3 |
Advisory points of VMWare to the admissible fixes. We indicate that there is no Fusion 14.1.3 for macOS, therefore Mac Fusion 10.x customers probably require to update to Fusion 11, which is never listed as unsafe.
El Reg indicates that show code is unspecified of a flawbear for VMware. Simply previous week, a returning flaw had admins struggling for fixes. For those unconscious, aka Super Video Graphics Array – SVGA – is a computer displaying measures dating back to the year 1987.