Update March 28 – Release of VMware Security Advisory VMSA-2017-0006
Today VMware released VMSA-2017-0006, which documents the remediation of the critical and moderate issues reported out of the Pwn2Own competition. These issues affect ESXi, VMware Workstation, and VMware Fusion, and may allow a guest to execute code on the host.
VMware recommends that customers expedite updating, but emergency measures such as taking environments offline are not called for.
We’ve also published a new blog post, "The Security Landscape: Pwn2Own 2017".
The Pwn2Own competition organized by Trend Micro’s ZDI has just wrapped up in Vancouver. VMware Workstation was a target at this competition.
In total, two teams managed to show that they could execute code on the VMware Workstation host from the guest. We are currently investigating these issues after having received the details from the teams directly. The issues were demonstrated on Workstation, and we are investigating their impact on ESXi and Fusion.
We would like to thank ZDI, Team 360 Security from Qihoo, and Team Sniper from Tencent Security for working with us to address the issues.