VMware Issues Security Advisory for Guest-to-Host Escape Vulnerability (CVE-2018-6981)
VMware issued an advisory about two uninitialized stack memory usage bugs and has released patches and updates for some versions of the affected software.
Background
On November 9, VMware published a security advisory to address a Guest-to-Host Escape vulnerability affecting VMware ESXi, Workstation and Fusion. The vulnerability was discovered and released by a security researcher at GeekPwn 2018, an annual security conference in Shanghai, China which took place in late October 2018. The researcher reported the vulnerability to VMware through GeekPwn.
Source: @ChaitinTech on Twitter.
Vulnerability details
According to VMware’s Security Advisory, Zhangyanyu of Chaitin Tech reported two uninitialized stack memory usage bugs (CVE-2018-6981 and CVE-2018-6982) in the vmxnet3 virtual network adapter used in VMware. VMware notes that the vulnerability does not affect non-vmxnet3 virtual network adapters.
Exploitation of CVE-2018-6981 can lead to a guest-to-host escape, allowing the guest to execute code on the host, while exploitation of CVE-2018-6982 can lead to information disclosure from host to guest. In a tweet that includes a video demonstration of the exploit, Chaitin Tech asserts that this is the first time that anyone has escaped VMware EXSi and obtained a root shell on the host.
Urgently required actions
VMware’s Security Advisory includes patch availability details for consumers and businesses. Tenable’s Security Response team strongly encourages patching VMware ESXi versions and upgrading VMware Workstation and VMware Fusion using the table below:
Source: VMware Security Advisory
Identifying affected systems
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Get more information
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Related Articles
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
August 14, 2024Ivanti released a patch for a critical severity authentication bypass vulnerability and a warning that exploit code is publicly available
CVE-2024-20419: Cisco Smart Software Manager On-Prem Password Change Vulnerability
August 9, 2024Critical vulnerability in Cisco Smart Software Manager On-Prem exposes systems to unauthorized password changes, exploit code now available.BackgroundOn July 17, 2024, Cisco published an advisory for ...
Detecting Risky Third-party Drivers on Windows Assets
August 7, 2024Kernel-mode drivers are critical yet risky components of the Windows operating system. Learn about their functionality, the dangers they pose, and how Tenable's new plugins can help identify and mitigate vulnerabilities using community-driven resources like LOLDrivers.
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
August 14, 2024Ivanti released a patch for a critical severity authentication bypass vulnerability and a warning that exploit code is publicly available
Microsoft’s August 2024 Patch Tuesday Addresses 88 CVEs
August 13, 2024Microsoft addresses 88 CVEs with seven critical vulnerabilities and 10 zero-day vulnerabilities, six of which were exploited in the wild.
Compromising Microsoft's AI Healthcare Chatbot Service
August 13, 2024Tenable Research discovered multiple privilege-escalation issues in the Azure Health Bot Service via a server-side request forgery (SSRF), which allowed researchers access to cross-tenant resources.
- Vulnerability Management
- Vulnerability Scanning