VMware has announced two critical vulnerabilities affecting multiple VMware products. CVE-2018-6981 and CVE-2018-6982 describe a guest-to-host escape and a potential information leak between the host machine and the guest machine. Threat actors could exploit these vulnerabilities to execute code from a guest machine, gaining root access on the host machine. Exploitation of these vulnerabilities requires either local access or a previous separate exploit to gain remote access. At the time of publishing, no known attacks using these vulnerabilities have been identified in the wild.

What we’re doing about it

  • The eSentire Threat Intelligence Team will continue to monitor for more technical details of the exploit to determine detection strategies
  • Current esRECON checks identify VMware-related vulnerabilities and will be updated to assist in identifying these specific vulnerabilities

What you should do about it

After performing a business impact review, apply the VMware security patches [1].

Additional information

Systems are only vulnerable to exploitation if they have vmxnet3 virtual adapters enabled. The security patches released address uninitialized stack memory usage.
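
One way to inventory which virtual machines have a vmxnet3 adapter, as an added example (not code from VMware or eSentire): it parses .vmx configuration files and lists adapters that are present and set to vmxnet3. It assumes the standard `ethernetN.present` and `ethernetN.virtualDev` keys and treats an adapter with no `virtualDev` line as not vmxnet3; the function names and the sample file are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Matches ethernetN.present / ethernetN.virtualDev lines; keys are case-insensitive.
_LINE = re.compile(
    r'^\s*(ethernet\d+)\.(present|virtualdev)\s*=\s*"?([^"]*)"?\s*$',
    re.IGNORECASE,
)

def vmxnet3_adapters(vmx_text):
    """Return sorted names of adapters that are present and use vmxnet3."""
    nics = {}
    for line in vmx_text.splitlines():
        if line.lstrip().startswith("#"):  # skip comment lines
            continue
        m = _LINE.match(line)
        if m:
            nic, field = m.group(1).lower(), m.group(2).lower()
            nics.setdefault(nic, {})[field] = m.group(3).strip().lower()
    # Assumption: a missing "present" key means the adapter is not present.
    return sorted(
        nic for nic, f in nics.items()
        if f.get("present") == "true" and f.get("virtualdev") == "vmxnet3"
    )

def scan(root):
    """Map each .vmx file under root to its vmxnet3 adapters (hits only)."""
    hits = {}
    for path in Path(root).rglob("*.vmx"):
        found = vmxnet3_adapters(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed sample .vmx content, not taken from a real system.
SAMPLE_VMX = '''\
displayName = "build-agent-01"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet1.present = "FALSE"
ethernet1.virtualDev = "vmxnet3"
ethernet2.present = "TRUE"
ethernet2.virtualDev = "e1000"
'''

if __name__ == "__main__":
    # With a directory argument, scan it; otherwise run on the sample.
    result = scan(sys.argv[1]) if len(sys.argv) > 1 else {"sample": vmxnet3_adapters(SAMPLE_VMX)}
    for vmx, nics in result.items():
        print(f"{vmx}: {', '.join(nics)}")
```

Virtual machines it reports are the ones to prioritize when scheduling the patches in [1].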

Affected VMware products:

  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro, Fusion (Fusion)

Please see the official VMware statement for additional technical details and required patches [1].

References:

[1] VMware Security Advisories: VMSA-2018-0027 VMware ESXi, Workstation, and Fusion updates address uninitialized stack memory usage.
https://www.vmware.com/security/advisories/VMSA-2018-0027.html
