VMware has announced two critical vulnerabilities affecting multiple VMware products. CVE-2018-6981 and CVE-2018-6982 describe a guest-to-host escape and a potential information leak between the host machine and the guest machine. Threat actors could exploit these vulnerabilities to execute code from a guest machine, gaining root access on the host machine. Exploitation of these vulnerabilities requires either local access or a previous separate exploit to gain remote access. At the time of publishing, no known attacks using these vulnerabilities have been identified in the wild.

What we’re doing about it

  • The eSentire Threat Intelligence Team will continue to monitor for more technical details of the exploit to determine detection strategies
  • Current esRECON checks identify VMware-related vulnerabilities, and will be updated to assist in identifying these specific vulnerabilities

What you should do about it

  • After performing a business impact review, apply the VMware security patches [1]

Additional information

Systems are only vulnerable to exploitation if they have vmxnet3 virtual adapters enabled. The security patches released address uninitialized stack memory usage.
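To prioritize patching, the following added example (not part of the original advisory or any eSentire or VMware tooling) scans `.vmx` configuration files and lists the virtual machines that have a vmxnet3 adapter. It assumes the standard `.vmx` keys `ethernetN.present` and `ethernetN.virtualDev`, which are not quoted in the advisory, and treats an adapter as enabled only when both are set explicitly; the sample configuration is constructed.

```python
import re
from pathlib import Path

# Matches lines such as: ethernet0.virtualDev = "vmxnet3"
_VMX_LINE = re.compile(r'^\s*(ethernet\d+)\.(\w+)\s*=\s*"(.*)"\s*$', re.IGNORECASE)

def vmxnet3_adapters(vmx_text):
    """Return the sorted names of present adapters whose virtualDev is vmxnet3."""
    adapters = {}
    for line in vmx_text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            name, key, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
            adapters.setdefault(name, {})[key] = value.strip().lower()
    return sorted(
        name for name, cfg in adapters.items()
        if cfg.get("virtualdev") == "vmxnet3" and cfg.get("present") == "true"
    )

def scan(root):
    """Map each .vmx file under root to its vmxnet3 adapters (files with none are omitted)."""
    findings = {}
    for path in Path(root).rglob("*.vmx"):
        hits = vmxnet3_adapters(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed sample .vmx content (not taken from a real system)
SAMPLE_VMX = '''\
.encoding = "UTF-8"
displayName = "build-agent-01"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet0.networkName = "VM Network"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000"
ethernet2.present = "FALSE"
ethernet2.virtualDev = "vmxnet3"
'''

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for vmx, nics in scan(sys.argv[1]).items():
            print(f"{vmx}: {', '.join(nics)}")
    else:
        print(vmxnet3_adapters(SAMPLE_VMX))
```

Run it with the directory that holds the virtual machine folders as its only argument; a configuration that omits `virtualDev` falls back to a product default and is not reported, so review those by hand.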

Affected VMware products:

  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro, Fusion (Fusion)

Please see the official VMware statement for additional technical details and required patches [1]. 


References:

[1] https://www.vmware.com/security/advisories/VMSA-2018-0027.html
