VMware CVE-2018-6981 & CVE-2018-6982

VMware has announced two critical vulnerabilities affecting multiple VMware products. CVE-2018-6981 and CVE-2018-6982 reference a guest-to-host escape, and a potential information leak between the host machine and the guest machine. Threat actors could exploit these vulnerabilities to execute code from a guest host machine, gaining root access on the host machine. Exploitation of these vulnerabilities requires either local access or a previous separate exploit to gain remote access. At the time of publishing, no known attacks using these vulnerabilities have been identified in the wild.

What we’re doing about it

• The eSentire Threat Intelligence Team will continue to monitor for more technical details of the exploit to determine detection strategies
• Current esRECON checks identify VMware related vulnerabilities and will be updated to assist in identifying these specific vulnerabilities

What you should do about it

After performing a business impact review, apply the VMware security patches [1]

Additional information

Systems are only vulnerable to exploitation if they have vmxnet3 virtual adapters enabled. The security patches released address uninitialized stack memory usage.

Affected VMware products:

• VMware vSphere ESXi (ESXi)
• VMware Workstation Pro / Player (Workstation)
• VMware Fusion Pro, Fusion (Fusion)

Please see the official VMware statement for additional technical details and required patches [1].

References:

[1] VMware Security Advisories: VMSA-2018-0027 VMware ESXi, Workstation, and Fusion updates address uninitialized stack memory usage.
https://www.vmware.com/security/advisories/VMSA-2018-0027.html