Greetings from the VMware Security Response Center!

Yesterday Kubernetes disclosed CVE-2018-1002105 – a critical severity vulnerability in the Kubernetes API server. For more details on the vulnerability please see Kubernetes’ announcement here:

https://discuss.kubernetes.io/t/kubernetes-security-announcement-v1-10-11-v1-11-5-v1-12-3-released-to-address-cve-2018-1002105/3700

This vulnerability affects the following VMware products:

-VMware Pivotal Container Service (PKS)
-VMware vCloud Director Container Service Extension (CSE)
-Photon OS

There will be no VMware Security Advisory since remediation for these products has already been documented in a separate advisory or the offering’s github page.

Remediation Information:

PKS – Fixed in 1.2.3
Documentation: https://docs.pivotal.io/runtimes/pks/1-2/release-notes.html
Advisory: https://pivotal.io/security/cve-2018-1002105

CSE – Fixed in 1.2.5
Documentation: https://vmware.github.io/container-service-extension/RELEASE_NOTES.html

Photon OS – Fixed in 1.10.11-1 and 1.11.5-1
Advisory: https://github.com/vmware/photon/wiki/Security-Updates-2-112

For our service offerings that use Kubernetes, mitigations are already in place which have closed down the critical severity attack vector associated with CVE-2018-1002105 while full remediation is in progress.

On November 20th 2018 VMware released the following new security advisory:

VMSA-2018-0029 – vSphere Data Protection (VDP) updates address multiple security issues.

This documents several critical, important and moderate severity issues affecting VDP. VDP is based on Dell EMC Avamar Virtual Edition.

Issue (a) is a critical severity remote code execution vulnerability (CVE-2018-11066). A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary commands on the server.

Issue (b) is an important severity open redirection vulnerability (CVE-2018-11067). A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links. The vulnerability could be used to conduct phishing attacks that cause users to unknowingly visit malicious sites.

Issue (c) is an important severity information exposure vulnerability (CVE-2018-11076). VDP Java management console’s SSL/TLS private key may be leaked in the VDP Java management client package. The private key could potentially be used by an unauthenticated attacker on the same data-link layer to initiate a MITM attack on management console users.

Issue (d) is a moderate severity command injection vulnerability (CVE-2018-11077). The ‘getlogs’ troubleshooting utility in VDP contains an OS command injection vulnerability. A malicious admin user may potentially be able to execute arbitrary commands under root privilege.

These issues have been addressed in VDP 6.1.10, 6.1.9 and 6.0.9.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Update November 22, 2018 – Release of VMware Security Advisory VMSA-2018-0030
Today VMware has released the following new security advisory:

VMSA-2018-0030 – VMware Workstation and Fusion updates address an integer overflow issue.

The advisory documents the remediation of the critical severity vulnerability which was demonstrated at the Tianfu Cup PWN Contest.
This issue affects VMware Workstation and VMware Fusion, and may allow a guest to execute code on the host.

Customers should review the security advisory and direct any questions to VMware Support.

Update November 17, 2018
The Tianfu Cup PWN Contest has wrapped up after Day 2. No additional teams targeted VMware Workstation on Day 2.

We are actively working on remediation, of the issue reported on Day 1, for VMware Workstation and Fusion.
VMware vSphere ESXi is unaffected.
We plan on publishing a VMware Security Advisory to provide information on updates for affected products.
As always please sign up for our VMware Security Advisories here for new and updated information.

Update November 16, 2018
Day 1 of the Tianfu Cup PWN Contest has finished in Chengdu. VMware Workstation is a target at this competition.

One researcher has shown that he could execute code on the VMware Workstation host from the guest. We are currently investigating the issue after having received the details. We are actively working on its remediation and we plan on publishing a VMware Security Advisory to provide information on updates for affected products.

We would like to thank the Tianfu Cup organisers and VictorV for working with us to address the issue.

Original Post
We wanted to post a quick acknowledgement that VMware has representatives in attendance at the Tianfu Cup PWN Contest in Chengdu, China to review any vulnerabilities that may be demonstrated during the contest.

We would like to thank the organisers for inviting us to attend. Stay tuned for further updates.

As always please sign up for our VMware Security Advisories here for new and updated information.

Update November 9, 2018 – Release of VMware Security Advisory VMSA-2018-0027

Today, VMware has released the following new security advisory:

VMSA-2018-0027 VMware ESXi, Workstation, and Fusion updates address uninitialized stack memory usage

The advisory documents the remediation of the critical and important security vulnerabilities that were demonstrated in the GeekPwn2018 event. These issues affect ESXi, VMware Workstation, and VMware Fusion, and may allow a guest to execute code on the host.

Customers should review the security advisory and direct any questions to VMware Support.

Original post
VMware is aware of the security vulnerability that was demonstrated at the GeekPwn2018 event. We have been in contact with the organizers of GeekPwn2018 and they have provided us with the details of the issue. We are actively working on its remediation and we plan on publishing a VMware Security Advisory to provide information on updates for affected products.

Please sign up for VMware Security Advisories (here) to be notified when this advisory and future advisories are published.

We would like to thank the organizers of GeekPwn2018 and security researcher Zhangyanyu for working with us on responsible disclosure of this issue.

Today, VMware has released the following new security advisory:

VMSA-2018-0026 – VMware ESXi, Workstation, and Fusion updates address an out-of-bounds read vulnerability

The advisory documents the remediation of a Critical severity out-of-bounds read vulnerability (CVE-2018-6974) in VMware ESXi, Workstation, and Fusion. The issue exists in SVGA device and may allow a guest to execute code on the host.

We would like to thank Anonymous working with Trend Micro’s Zero Day Initiative for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

Today, VMware has released the following new security advisory:

VMSA-2018-0025 – VMware ESXi, Workstation, and Fusion workarounds address a denial-of-service vulnerability

This documents an important severity denial-of-service vulnerability that affects VMware ESXi, Workstation and Fusion. This issue arises due to an infinite loop in the 3D-rendering shader. Successfully exploiting this issue may allow an attacker with normal user privileges in the guest to make the VM unresponsive, and in some cases, possibly result other VMs on the host or the host itself becoming unresponsive. The issue can only be exploited if 3D-acceleration feature is enabled

3D-acceleration feature is enabled by default on Workstation and Fusion. On ESXi, this feature is not enabled by default and this is also true for Horizon 6 & 7, Horizon DaaS Platform for Service Providers, and VMC on AWS.

Because many graphics API’s and hardware lack pre-emption support, a specially crafted 3D shader may loop for an infinite amount of time and lock up a VM’s virtual graphics device. Such a shader cannot always be validated by VMware hypervisors, since it may be well-formed but still cause problems if designed to run for an extremely long time. In such cases, VMware hypervisors then rely on the host’s graphics driver to ensure that other users of 3D graphics on the host are not impacted by the malicious VM. However, many graphics drivers may themselves get into to a denial-of-service condition caused by such infinite shaders, and as a result other VMs or processes running on the host might also be affected.

There is no patch for this issue, customers must review their risk and apply the workarounds if applicable. We have released workarounds documented in VMSA-2018-0025.

We would like to thank Piotr Bania of Cisco Talos for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Also, we wanted to make you aware that Intel has released a security bulletin entitled “INTEL-SA-00166 – Multiple potential security vulnerabilities in Intel Graphics Drivers may allow escalation of privilege or denial of service . Intel is releasing Intel Graphics Driver updates to mitigate these potential vulnerabilities”.

It documents the remediation of CVE-2018-12152, CVE-2018-12153 and CVE-2018-12154. These issues have been shown to affect VMware Workstation running on Windows. Therefore, we wanted to make sure you are informed of these issues so that they can be appropriately mitigated by the updates that Intel has provided in INTEL-SA-00166.

Customers should review the available documentation and direct technical inquiries to VMware Support for further assistance.

Today, VMware has released the following new and updated security advisories:

VMSA-2018-0022 – VMware Workstation and Fusion updates address an out-of-bounds write issue
VMSA-2018-0019.1 – Horizon 6, 7, Horizon Agent, and Horizon Client for Windows updates address an out-of-bounds read vulnerability

VMSA-2018-0022 documents the remediation of a critical severity out-of-bounds read vulnerability (CVE-2018-6973) in VMware Workstation and Fusion. Successfully exploiting this issue may allow allow a guest to execute code on the host. This issue has been addressed in VMware Workstation 14.1.3 and Fusion 10.1.3.

VMSA-2018-0019.1 was updated to clarify about affected products.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.