VMware admins and users turn busy: The virtualization virtuoso has fixed a programming error in ESXi, Player, Workstation Pro, Fusion and Fusion Pro products that can be made use by harmful code to leap from guest OS to anchor machine.

The flaw, revealed here, is denominated CVE-2018-6974. The out-of-bounds featured is existing in the products’ SVGA video device technique, and if employed, permits software within a visitor operating system to implement code on the anchor machine. Putting it differently, a hyper-visor visitor diversion. That’s adequate of a benefit increasing to acquire the flaw rated serious around most of the impacted products.

Trend Micro documented the flaw via its Zero Day Initiative, supplied more facts, here.

Zero Day Initiative’s consultative justified: “The specific flaw exists within the handling of virtualised SVGA. The issue results from the lack of proper validation of user-supplied data, which can result in an overflow of a heap-based buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the host OS.”

The flaw options are in the given below table.

Product Version Running on Patched version
ESXi 6.7 ESXi ESXi670-201810101-SG
ESXi 6.5 ESXi ESXi650-201808401-BG
ESXi 6.0 ESXi ESXi600-201808401-BG
Workstation 14.x Any 14.1.3
Fusion 10.x macOS 14.1.3

Advisory points of VMWare to the admissible fixes. We indicate that there is no Fusion 14.1.3 for macOS, therefore Mac Fusion 10.x customers probably require to update to Fusion 11, which is never listed as unsafe.

El Reg indicates that show code is unspecified of a flawbear for VMware. Simply previous week, a returning flaw had admins struggling for fixes. For those unconscious, aka Super Video Graphics Array – SVGA – is a computer displaying measures dating back to the year 1987.

Leave a Reply

Your email address will not be published. Required fields are marked *