VMware Security & Compliance Blog

New VMware Security Advisory VMSA-2018-0026

Today, VMware has released the following new security advisory:

VMSA-2018-0026 – VMware ESXi, Workstation, and Fusion updates address an out-of-bounds read vulnerability

The advisory documents the remediation of a Critical severity out-of-bounds read vulnerability (CVE-2018-6974) in VMware ESXi, Workstation, and Fusion. The issue exists in the SVGA device and may allow a guest to execute code on the host.

We would like to thank Anonymous working with Trend Micro’s Zero Day Initiative for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

New VMSA-2018-0025 and Intel Graphics Driver Unified Shader Compiler Security Updates

Today, VMware has released the following new security advisory:

VMSA-2018-0025 – VMware ESXi, Workstation, and Fusion workarounds address a denial-of-service vulnerability

This documents an important severity denial-of-service vulnerability that affects VMware ESXi, Workstation and Fusion. This issue arises due to an infinite loop in the 3D-rendering shader. Successfully exploiting this issue may allow an attacker with normal user privileges in the guest to make the VM unresponsive, and in some cases, possibly result in other VMs on the host or the host itself becoming unresponsive. The issue can only be exploited if the 3D-acceleration feature is enabled.

The 3D-acceleration feature is enabled by default on Workstation and Fusion. On ESXi, this feature is not enabled by default and this is also true for Horizon 6 & 7, Horizon DaaS Platform for Service Providers, and VMC on AWS.

Because many graphics APIs and hardware lack pre-emption support, a specially crafted 3D shader may loop for an infinite amount of time and lock up a VM’s virtual graphics device. Such a shader cannot always be validated by VMware hypervisors, since it may be well-formed but still cause problems if designed to run for an extremely long time. In such cases, VMware hypervisors then rely on the host’s graphics driver to ensure that other users of 3D graphics on the host are not impacted by the malicious VM. However, many graphics drivers may themselves get into a denial-of-service condition caused by such infinite shaders, and as a result other VMs or processes running on the host might also be affected.

There is no patch for this issue; customers must review their risk and apply the workarounds if applicable. We have released workarounds documented in VMSA-2018-0025.
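A way to find VMs that meet the exposure condition described above (3D acceleration enabled), as an added example that is not VMware's code or part of the advisory. It assumes `mks.enable3d` is the `.vmx` key controlling the feature and that a missing key falls back to the per-product default stated in this post; the sample configurations are constructed.

```python
import re

# Assumption: mks.enable3d is the .vmx key that toggles 3D acceleration.
KEY = "mks.enable3d"
# Assumption: a missing key means the product default described in the post
# (on for Workstation/Fusion, off for ESXi).
PRODUCT_DEFAULT = {"workstation": True, "fusion": True, "esxi": False}

# key = "value" lines; lines starting with '#' are comments and never match.
_LINE = re.compile(r'^\s*([^#\s=][^=]*?)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {lowercased key: value}; a later duplicate overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def accel3d_enabled(text, product):
    """True if 3D acceleration is effectively on for this VM configuration."""
    value = parse_vmx(text).get(KEY)
    if value is None:
        return PRODUCT_DEFAULT[product]
    return value.strip().lower() == "true"


def audit(inventory):
    """inventory: iterable of (name, product, vmx_text) -> names needing review."""
    return [name for name, product, text in inventory
            if accel3d_enabled(text, product)]


# Constructed sample configurations (not taken from real hosts).
SAMPLES = [
    ("dev-win10", "workstation", 'displayName = "dev-win10"\nmks.enable3D = "TRUE"\n'),
    ("build-01", "esxi", 'displayName = "build-01"\n# mks.enable3d = "TRUE"\n'),
    ("kiosk", "fusion", 'displayName = "kiosk"\nmks.enable3d = "FALSE"\n'),
    ("legacy", "workstation", 'displayName = "legacy"\n'),
]

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print(f"{name}: 3D acceleration enabled, review VMSA-2018-0025 workarounds")
```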

We would like to thank Piotr Bania of Cisco Talos for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Also, we wanted to make you aware that Intel has released a security bulletin entitled “INTEL-SA-00166 – Multiple potential security vulnerabilities in Intel Graphics Drivers may allow escalation of privilege or denial of service. Intel is releasing Intel Graphics Driver updates to mitigate these potential vulnerabilities”.

It documents the remediation of CVE-2018-12152, CVE-2018-12153 and CVE-2018-12154. These issues have been shown to affect VMware Workstation running on Windows. Therefore, we wanted to make sure you are informed of these issues so that they can be appropriately mitigated by the updates that Intel has provided in INTEL-SA-00166.

Customers should review the available documentation and direct technical inquiries to VMware Support for further assistance.

VMware Security Advisory: VMSA-2018-0024

Today VMware has released the following new and updated security advisories:

VMSA-2018-0024 – https://www.vmware.com/security/advisories/VMSA-2018-0024.html

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0023

Today VMware has released the following new security advisory:

VMSA-2018-0023 – AirWatch Agent and VMware Content Locker updates resolve data protection vulnerabilities.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0022 and Updated Security Advisory VMSA-2018-0019.1

Today, VMware has released the following new and updated security advisories:

VMSA-2018-0022 – VMware Workstation and Fusion updates address an out-of-bounds write issue
VMSA-2018-0019.1 – Horizon 6, 7, Horizon Agent, and Horizon Client for Windows updates address an out-of-bounds read vulnerability

VMSA-2018-0022 documents the remediation of a critical severity out-of-bounds read vulnerability (CVE-2018-6973) in VMware Workstation and Fusion. Successfully exploiting this issue may allow a guest to execute code on the host. This issue has been addressed in VMware Workstation 14.1.3 and Fusion 10.1.3.

VMSA-2018-0019.1 was updated to clarify the affected products.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware Security Advisory VMSA-2018-0020 and VMSA-2018-0021 – L1 Terminal Fault (L1TF): CVE-2018-3646, CVE-2018-3620, and CVE-2018-3615

Greetings from the VMware Security Response Center!

Today we have published security advisories, knowledge base articles, updates, patches, and tools in response to new Speculative-Execution vulnerabilities in Intel processors known collectively as ‘L1 Terminal Fault’ or ‘L1TF.’

These vulnerabilities are identified by CVE-2018-3646, CVE-2018-3620, and CVE-2018-3615.

There is a lot of documentation on this event, so I wanted to summarize the core points in a short message.

The important stuff:

KB article 55636 should be considered the centralized source of truth for this event. Make sure you click ‘Subscribe to Article’ in the Actions box of this article to be alerted when any publication on L1TF is updated. That article links off to detailed responses for the individual issues.

CVE-2018-3646 is the most severe of the L1TF issues and affects hypervisors using Intel processors. It has 2 known attack vectors which both need to be mitigated. The first attack vector is mitigated through a vSphere update process including vCenter and ESXi. The second attack vector is mitigated by enabling a new advanced configuration option hyperthreadingMitigation included in the updates. This advanced configuration option may have a performance impact so we have not enabled it by default. This will limit your operational risk by giving you time to analyze your environment’s capacity prior to enabling the mitigation.

CVE-2018-3620 is a local privilege escalation which requires base operating system (SLES/Photon) updates for mitigation. Patches are pending for affected appliances, but most have workarounds documented. Make sure you contact your 3rd party operating system vendor(s) for mitigation instructions as well.

CVE-2018-3615 does not affect VMware products.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0019 and Updated Security Advisory VMSA-2015-0007.7

Today, VMware has released the following new and updated security advisories:

VMSA-2018-0019 – Horizon 6, 7, and Horizon Client for Windows updates address an out-of-bounds read vulnerability
VMSA-2015-0007.7 – VMware vCenter and ESXi updates address critical security issues

VMSA-2018-0019 documents the remediation of an important severity out-of-bounds read vulnerability (CVE-2018-6970) in Horizon 6, 7, and Horizon Client for Windows. Successfully exploiting this issue may allow a less-privileged user to leak information from a privileged process running on a system where Horizon Connection Server, Horizon Agent or Horizon Client are installed. This issue doesn’t apply to Horizon 6, 7 Agents installed on Linux systems or Horizon Clients installed on non-Windows systems.

VMSA-2015-0007.7 was issued to add the patches for ESXi 6.0, 6.5 and 6.7 that address CVE-2015-5177. Recently, we found that this issue affects ESXi 6.0, 6.5 and 6.7.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware Security Advisory: VMSA-2018-0018

Today VMware has released the following new and updated security advisories:

VMSA-2018-0018

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0017

Today, VMware has released the following new security advisory:

VMSA-2018-0017 – VMware Tools update addresses an out-of-bounds read vulnerability

This documents the remediation of an important severity out-of-bounds read vulnerability (CVE-2018-6969) in VMware Tools. Successful exploitation of this issue may lead to information disclosure or may allow attackers to escalate their privileges on the guest VMs. File sharing must be enabled to be able to exploit this issue.

VMware Tools 10.x and prior versions are affected. This issue has been addressed in VMware Tools 10.3.0.

We would like to thank Anurudh for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0016 and updated advisories VMSA-2018-0011.1, VMSA-2018-0012.1

Today VMware has released the following new and updated security advisories:

VMSA-2018-0016 – VMware ESXi, and Workstation updates address multiple out-of-bounds read vulnerabilities.
VMSA-2018-0012.1 – VMware vSphere, Workstation and Fusion updates enable Hypervisor-Assisted Guest Mitigations for Speculative Store
VMSA-2018-0011.1 – Unauthenticated Command Injection vulnerability in VMware NSX SD-WAN by VeloCloud

VMSA-2018-0016 documents out-of-bounds read issues in the shader translator of ESXi, Workstation and Fusion. These issues are rated important severity since they may lead to denial of service of the VM or to information disclosure.
VMware would like to thank RanchoIce of Tencent ZhanluLab (CVE-2018-6965, CVE-2018-6966, CVE-2018-6967) and a member of Cisco Talos (CVE-2018-6965) for independently reporting these issues to us.

VMSA-2018-0012.1 notes:

  • Hypervisor-Assisted Guest Mitigations for the Speculative-Store-Bypass issue (CVE-2018-3639) are now available since Intel has provided the required microcodes. The ESXi Knowledge Base articles found in the advisory list which microcodes are available from the ESXi patches.
  • The vCenter Server updates and ESXi patches in combination with the Intel microcode will make the Speculative-Store-Bypass-Disable (SSBD) control bit available to guest operating systems.
  • OS vendor patches that take advantage of SSBD will need to be deployed as well. OS Vendors typically do not enable SSBD by default. Consult your OS Vendor patch documentation for this.
  • The full steps needed to apply the Hypervisor-Assisted Guest Mitigations for CVE-2018-3639 are explained in VMware Knowledge Base article 55111 while VMware Knowledge Base article 54951 provides more background.
  • The initial release of VMSA-2018-0012 was discussed in an earlier blog post.

VMSA-2018-0011.1 was issued to correct the affected version.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.