VMware Patches Critical VM Escape Vulnerabilities Identified at Pwn2Own


Are you responsible for your organization's VMware environment?  Well, listen up!  VMware has released critical security patches for vulnerabilities found during the 2017 Pwn2Own hacking competition, which took place at CanSecWest in Vancouver, Canada two weeks ago.

Pwn2Own is an annual hacking contest organized by Trend Micro's Zero Day Initiative (ZDI) program and run alongside the CanSecWest conference.  During the event, researchers earn cash prizes for demonstrating zero-day exploits against browsers, operating systems and other widely deployed enterprise software.

Last year, VMware's desktop virtualization platform, Workstation, was added to that list of targets.  But in 2016, nobody went after the hypervisor.  So this year, Pwn2Own sponsors raised the reward for an escape from Workstation from $75,000 to $100,000 to try to get someone's attention.

And they did.  Two teams, Qihoo's 360 Security and Tencent Security's Team Sniper, each achieved arbitrary code execution on the host from inside a VMware Workstation guest on the last day of the contest.  The two teams collectively earned $205,000 for their exploits.

Responding quickly, VMware issued patches for four vulnerabilities affecting VMware ESXi, VMware Fusion and VMware Workstation.  VMSA-2017-0006 lists the affected versions and the releases that contain the fixes.

The following vulnerabilities were identified and analyzed:

  • SVGA I: CVE-2017-4902 critical
    Heap overflow leading to arbitrary code execution
  • SVGA II: CVE-2017-4903 critical
    Uninitialized stack value leading to arbitrary code execution
  • XHCI: CVE-2017-4904 critical
    Uninitialized stack value leading to arbitrary code execution
  • CVE-2017-4905 moderate
    Uninitialized memory read leading to information disclosure

According to VMware's advisory, 360 Security exploited a heap buffer overflow (CVE-2017-4902) and an uninitialized stack memory usage vulnerability (CVE-2017-4903) in SVGA, the hypervisor's emulated graphics device.  Team Sniper exploited an uninitialized memory usage vulnerability (CVE-2017-4904) in the XHCI (USB 3.0) controller emulation of ESXi, Workstation and Fusion.  A similar uninitialized memory read (CVE-2017-4905) leaks host memory to the guest on ESXi, Workstation and Fusion; it does not yield code execution on its own, but an information leak of this kind is typically what an attacker uses to defeat address-space layout randomization on the host before triggering one of the memory-corruption bugs.  Each of the three critical vulnerabilities allowed a guest to execute code on the host, as both teams demonstrated.

A "guest escape" (arbitrary code execution on the host from inside a virtual machine) is the worst class of bug for virtualization software, because it breaks the isolation boundary that the hypervisor exists to enforce.  VMware's track record here has been good over many years, though this is not the first guest escape demonstrated against its products: the best-known earlier example is CVE-2009-1244 "Cloudburst", which also lay in the virtual SVGA device implementation.

VMware advises users to update VMware Workstation to version 12.5.5 on all platforms and VMware Fusion to version 8.5.6 on macOS.  Individual patches are also available for ESXi 6.5, 6.0 U3, 6.0 U2, 6.0 U1 and 5.5, where applicable.  Users still on ESXi 5.5 are affected by only some of the four CVEs, not all of them, so check each vulnerability in the advisory against the version you run rather than assuming an older release is in the clear.
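A small check script for the desktop products, added here as an example and not VMware's own tooling or anything from the advisory: it compares an installed Workstation or Fusion version against the minimum fixed releases named above (12.5.5 and 8.5.6) using natural version ordering, so that a later maintenance release such as 12.5.10 is correctly treated as patched rather than failing a plain string comparison. The `vmware -v` output format it parses ("VMware Workstation X.Y.Z build-N") is an assumption about the Linux Workstation build. For ESXi, the advisory lists specific patch bulletins per branch; compare those against `esxcli software vib list` rather than a version number.

```shell
#!/bin/sh
# Added example: check a VMware Workstation or Fusion version against the minimum
# fixed releases from VMSA-2017-0006 as stated in the article. Not VMware's code.

WORKSTATION_FIXED=12.5.5
FUSION_FIXED=8.5.6

# version_ge A B: succeed when version A >= version B under natural ordering,
# so 12.5.10 compares greater than 12.5.5 (a plain string compare gets this wrong).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# patched_status PRODUCT VERSION: print "patched" or "vulnerable".
patched_status() {
    case "$1" in
        workstation) min="$WORKSTATION_FIXED" ;;
        fusion)      min="$FUSION_FIXED" ;;
        *) echo "unknown product: $1" >&2; return 2 ;;
    esac
    if version_ge "$2" "$min"; then
        echo patched
    else
        echo vulnerable
    fi
}

# detect_workstation_version: assumes "vmware -v" prints a line of the form
# "VMware Workstation 12.5.5 build-NNNNNNN" (assumption); prints the dotted version.
detect_workstation_version() {
    command -v vmware >/dev/null 2>&1 || return 1
    vmware -v 2>/dev/null | sed -n 's/^VMware Workstation \([0-9][0-9.]*\).*/\1/p'
}

# Usage: ./vmsa-2017-0006-check.sh workstation 12.5.4   -> vulnerable
#        ./vmsa-2017-0006-check.sh fusion 8.5.6         -> patched
# With no arguments, inspect the local Workstation install if one is present.
if [ "$#" -eq 2 ]; then
    patched_status "$1" "$2"
elif v=$(detect_workstation_version) && [ -n "$v" ]; then
    echo "VMware Workstation $v: $(patched_status workstation "$v")"
fi
```

The version comparison relies on `sort -V`, which is available in GNU coreutils; the script deliberately reports nothing (rather than a false "patched") when it cannot extract a version string from the local install.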

VMware also recommends reviewing the vSphere Hardening Guide and vSphere Security Guide.  Bear in mind that hardening settings reduce exposure but do not close these bugs; only the patched builds do.

Don't delay.  Review VMware Security Advisory VMSA-2017-0006 and identify which of your products need to be patched.

Published Thursday, March 30, 2017 9:47 AM by David Marshall