Security advisories | Feb 27, 2019
VMware CVE-2018-6981 & CVE-2018-6982
VMware has announced two critical vulnerabilities affecting multiple VMware products. CVE-2018-6981 and CVE-2018-6982 describe a guest-to-host escape and a potential information leak between the host machine and the guest machine. Threat actors could exploit these vulnerabilities to execute code from a guest machine and gain root access on the host machine. Exploitation requires either local access or a separate, earlier exploit that provides remote access. At the time of publishing, no attacks using these vulnerabilities have been identified in the wild.
What we’re doing about it
- The eSentire Threat Intelligence Team will continue to monitor for more technical details of the exploit to determine detection strategies
- Current esRECON checks identify VMware-related vulnerabilities and will be updated to assist in identifying these specific vulnerabilities
What you should do about it
After performing a business impact review, apply the VMware security patches [1].
Additional information
Systems are only vulnerable to exploitation if they have vmxnet3 virtual adapters enabled. The security patches released address uninitialized stack memory usage.
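To help prioritize patching, the added example below (not part of the original advisory or any VMware or eSentire tooling) scans virtual machine .vmx configuration text for attached vmxnet3 adapters. It assumes the usual .vmx keys ethernetN.present and ethernetN.virtualDev; the function names and the sample inventory are constructed for illustration.

```python
import re

# Matches .vmx lines such as: ethernet0.virtualDev = "vmxnet3"
_NIC = re.compile(r'^\s*ethernet(\d+)\.(present|virtualDev)\s*=\s*"([^"]*)"\s*$',
                  re.IGNORECASE)

def vmxnet3_adapters(vmx_text):
    """Return sorted indexes of adapters that are present and use vmxnet3."""
    present, device = {}, {}
    for line in vmx_text.splitlines():
        m = _NIC.match(line)
        if not m:
            continue
        idx, key, value = int(m.group(1)), m.group(2).lower(), m.group(3).strip().lower()
        if key == "present":
            present[idx] = value == "true"
        else:
            device[idx] = value
    # Assumption: an adapter without present = "TRUE" is not attached.
    # An adapter with no virtualDev line uses a guest-dependent default and
    # is not reported here; review those by hand.
    return sorted(i for i, dev in device.items()
                  if dev == "vmxnet3" and present.get(i, False))

def triage(inventory):
    """Map VM name -> vmxnet3 adapter indexes, keeping only exposed VMs."""
    hits = {name: vmxnet3_adapters(text) for name, text in inventory.items()}
    return {name: idxs for name, idxs in hits.items() if idxs}

# Constructed sample .vmx fragments (not taken from any real system).
SAMPLE = {
    "web01": 'ethernet0.present = "TRUE"\nethernet0.virtualDev = "vmxnet3"\n',
    "legacy": 'ethernet0.present = "TRUE"\nethernet0.virtualDev = "e1000"\n',
    "spare": 'ethernet0.present = "FALSE"\nethernet0.virtualDev = "vmxnet3"\n',
    "db01": ('Ethernet0.present = "TRUE"\nethernet0.virtualDev = "e1000"\n'
             'ethernet1.present = "true"\nethernet1.virtualDev = "VMXNET3"\n'),
}

if __name__ == "__main__":
    for vm, nics in sorted(triage(SAMPLE).items()):
        print(f"{vm}: vmxnet3 on ethernet{', ethernet'.join(map(str, nics))}")
```

VMs reported here run on hosts that should be patched first; hosts with no reported VMs still need the patches from [1] on the normal schedule.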
Affected VMware products:
- VMware vSphere ESXi (ESXi)
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro, Fusion (Fusion)
Please see the official VMware statement for additional technical details and required patches [1].
References:
[1] VMware Security Advisories: VMSA-2018-0027 VMware ESXi, Workstation, and Fusion updates address uninitialized stack memory usage.
https://www.vmware.com/security/advisories/VMSA-2018-0027.html