Are you responsible for your organization's VMware environment? Well, listen up! VMware has released critical security patches for vulnerabilities found during the recent 2017 Pwn2Own hacking competition, which took place at CanSecWest in Vancouver, Canada two weeks ago.
Pwn2Own is an annual hacking contest organized by Trend Micro's Zero Day Initiative (ZDI) program and held during the CanSecWest conference. During the event, researchers can earn cash prizes for demonstrating zero-day exploits against browsers, operating systems and other popular enterprise software.
Last year, VMware's desktop virtualization platform, Workstation, was added to that list of targets, but in 2016 nobody attempted the hypervisor. So this year, Pwn2Own sponsors raised the reward for an escape from Workstation from $75,000 to $100,000 to get someone's attention.
And they did. Two teams, Qihoo's 360 Security and Tencent Security's Team Sniper, each achieved arbitrary code execution on the host from a guest running on VMware Workstation on the last day of the contest. Between them, the two teams earned $205,000 for their exploits.
VMware responded quickly, issuing patches for four vulnerabilities affecting VMware ESXi, VMware Fusion and VMware Workstation. VMSA-2017-0006 lists the affected versions and the releases that contain the fixes.
The following vulnerabilities were identified and analyzed:
- SVGA I: CVE-2017-4902 (critical): heap overflow leading to arbitrary code execution
- SVGA II: CVE-2017-4903 (critical): uninitialized stack value leading to arbitrary code execution
- XHCI: CVE-2017-4904 (critical): uninitialized stack value leading to arbitrary code execution
- CVE-2017-4905 (moderate): uninitialized memory read leading to information disclosure
According to VMware's security advisory, 360 Security exploited a heap buffer overflow (CVE-2017-4902) and an uninitialized stack memory usage vulnerability (CVE-2017-4903) in SVGA, the hypervisor's virtual graphics device. Team Sniper exploited an uninitialized memory usage vulnerability (CVE-2017-4904) in the XHCI controller of ESXi, Workstation and Fusion. A similar uninitialized memory usage vulnerability (CVE-2017-4905) could lead to an information leak on ESXi, Workstation and Fusion. As both teams demonstrated, these vulnerabilities could allow a guest to execute code on the host.
A "guest escape" (arbitrary code execution on the virtual machine host) is the worst category of bug for virtualization software. VMware has a good track record over many years of defending against such attacks, though this is not the first guest escape demonstrated against VMware products (most notably CVE-2009-1244, "Cloudburst", which also affected the virtual SVGA device implementation).
VMware product users are advised to update VMware Workstation to version 12.5.5 on all platforms and VMware Fusion to version 8.5.6 on macOS (OS X). Individual patches have also been made available for ESXi 6.5, 6.0 U3, 6.0 U2, 6.0 U1 and 5.5, where applicable. In some cases, VMware users who have yet to upgrade from ESXi 5.5 may have avoided some of the exploits, but not others, so check each vulnerability to see whether your version is affected.
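To make that version check repeatable across a fleet, here is an added example script (not VMware's code and not part of the original post) that reads a simple hostname/product/version inventory and flags Workstation installs below 12.5.5 and Fusion installs below 8.5.6, the fixed versions quoted above. The inventory format, hostnames, version strings and build suffixes are constructed for the example. ESXi hosts are reported as "check advisory" rather than scored, because ESXi fixes are per-release patches identified by build numbers that this post does not list; take those from VMSA-2017-0006.

```python
"""Flag VMware desktop products below the fixed versions named for VMSA-2017-0006.

Added example, not VMware's code. Assumes a plain CSV-style inventory of
host, product, version (for instance exported from an asset system); the
sample at the bottom is constructed data.
"""
from __future__ import annotations

import re
from typing import Iterable, NamedTuple

# Fixed versions as quoted in the post: Workstation 12.5.5, Fusion 8.5.6.
# ESXi is deliberately absent: its fixes are identified by per-release patch
# build numbers that must be read from the advisory itself.
FIXED_VERSIONS: dict[str, tuple[int, ...]] = {
    "workstation": (12, 5, 5),
    "fusion": (8, 5, 6),
}


class Asset(NamedTuple):
    host: str
    product: str
    version: str


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.5.4 build-0000001' into (12, 5, 4).

    Comparing integer tuples avoids the classic string-comparison mistake
    where '12.5.10' sorts before '12.5.5'.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(v: tuple[int, ...], n: int) -> tuple[int, ...]:
    """Right-pad with zeros so '12.5' compares as '12.5.0'."""
    return v + (0,) * (n - len(v))


def status(asset: Asset) -> str:
    """Return 'patched', 'vulnerable' or 'check advisory' for one asset."""
    product = asset.product.lower()
    if product not in FIXED_VERSIONS:
        # e.g. ESXi: patch level is a build number listed in VMSA-2017-0006
        return "check advisory"
    have = parse_version(asset.version)
    need = FIXED_VERSIONS[product]
    width = max(len(have), len(need))
    return "patched" if _pad(have, width) >= _pad(need, width) else "vulnerable"


def parse_inventory(lines: Iterable[str]) -> list[Asset]:
    """Parse 'host, product, version' lines; blank lines and # comments are skipped."""
    assets: list[Asset] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (field.strip() for field in line.split(",", 2))
        assets.append(Asset(host, product, version))
    return assets


def report(lines: Iterable[str]) -> dict[str, str]:
    """Map each host in the inventory to its patch status."""
    return {asset.host: status(asset) for asset in parse_inventory(lines)}


# Constructed sample inventory; hostnames and build suffixes are made up.
SAMPLE_INVENTORY = """\
# host, product, version
dev-laptop-01, Workstation, 12.5.4 build-0000001
dev-laptop-02, Workstation, 12.5.5 build-0000002
mac-qa-07, Fusion, 8.5.5
mac-qa-08, Fusion, 8.5.10
esx-lab-01, ESXi, 6.0.0
""".splitlines()


if __name__ == "__main__":
    for host, state in report(SAMPLE_INVENTORY).items():
        print(f"{host:15} {state}")
```

Feed it your real inventory on stdin or from a file in place of `SAMPLE_INVENTORY`; anything reported as "check advisory" still needs its build number compared against the advisory by hand.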
VMware also recommends reviewing its vSphere Hardening Guide and vSphere Security Guide. Don't delay: read VMware Security Advisory VMSA-2017-0006 and identify which of your products need to be patched.