Author Archives: Kieran Boyde

VMware and Pwn2Own Vancouver 2019

Update March 28th 2019 – Release of VMware Security Advisory VMSA-2019-0005
Today VMware has released the following new security advisory:

VMSA-2019-0005 – VMware ESXi, Workstation and Fusion updates address multiple security issues

The advisory documents the remediation of the critical severity vulnerabilities which were demonstrated at Pwn2Own Vancouver 2019. These issues affect VMware ESXi, VMware Workstation and VMware Fusion, and may allow a guest to execute code on the host.

Customers should review the security advisory and direct any questions to VMware Support.

Update March 21st 2019
The Pwn2Own competition has finished for VMware. On Day 2 of Pwn2Own the Fluoroacetate team of Amat Cama and Richard Zhu again showed they could execute code on the VMware Workstation host from the guest. This issue differs from the issue which was demonstrated on Day 1. Having received the details we are currently investigating and are actively working on its remediation. We plan on publishing a VMware Security Advisory to provide information on updates for affected products.

Update March 20th 2019
On Day 1 of Pwn2Own the Fluoroacetate team of Amat Cama and Richard Zhu showed they could execute code on the VMware Workstation host from the guest. We are currently investigating the issue after having received the details. We are actively working on its remediation and we plan on publishing a VMware Security Advisory to provide information on updates for affected products.

We would like to thank the Pwn2Own organisers and the Fluoroacetate team for working with us to address the issue.

Original Post
We wanted to post a quick acknowledgement that VMware will have representatives in attendance at Pwn2Own Vancouver 2019 to review any vulnerabilities that may be demonstrated during the security contest. Stay tuned for further updates.

As always please sign up for our VMware Security Advisories here for new and updated information.

New VMware Security Advisories VMSA-2019-0002 & VMSA-2019-0003

VMware has released the following new security advisories:

VMSA-2019-0002 – VMware Workstation update addresses elevation of privilege issues.

This documents important severity elevation of privilege issues.

Issue (a) (CVE-2019-5511). Workstation does not handle paths appropriately. Successful exploitation of this issue may allow the path to the VMX executable, on a Windows host, to be hijacked by a non-administrator leading to elevation of privilege.

Issue (b) (CVE-2019-5512). COM classes are not handled appropriately. Successful exploitation of this issue may allow hijacking of COM classes used by the VMX process, on a Windows host, leading to elevation of privilege.

These issues have been addressed in Workstation 15.0.3 and 14.1.6

VMware would like to thank James Forshaw of Google Project Zero for reporting these issues to us.

VMSA-2019-0003 – VMware Horizon update addresses Connection Server information  disclosure vulnerability.

(CVE-2019-5513). The VMware Horizon Connection Server contains a moderate severity information  disclosure vulnerability. Successful exploitation of this issue  may allow disclosure of internal domain names, the Connection Server’s internal name, or the gateway’s internal IP address.

VMware would like to thank Cory Mathews of Critical Start and HD Moore of Atredis Partners for independently reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0029

On November 20th 2018 VMware released the following new security advisory:

VMSA-2018-0029 – vSphere Data Protection (VDP) updates address multiple security issues.

This documents several critical, important and moderate severity issues affecting VDP. VDP is based on Dell EMC Avamar Virtual Edition.

Issue (a) is a critical severity remote code execution vulnerability (CVE-2018-11066). A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary commands on the server.

Issue (b) is an important severity open redirection vulnerability (CVE-2018-11067). A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links. The vulnerability could be used to conduct phishing attacks that cause users to unknowingly visit malicious sites.

Issue (c) is an important severity information exposure vulnerability (CVE-2018-11076). VDP Java management console’s SSL/TLS private key may be leaked in the VDP Java management client package. The private key could potentially be used by an unauthenticated attacker on the same data-link layer to initiate a MITM attack on management console users.

Issue (d) is a moderate severity command injection vulnerability (CVE-2018-11077). The ‘getlogs’ troubleshooting utility in VDP contains an OS command injection vulnerability. A malicious admin user may potentially be able to execute arbitrary commands under root privilege.

These issues have been addressed in VDP 6.1.10, 6.1.9 and 6.0.9.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

VMware and the Tianfu Cup PWN Contest

Update November 22, 2018 – Release of VMware Security Advisory VMSA-2018-0030
Today VMware has released the following new security advisory:

VMSA-2018-0030 – VMware Workstation and Fusion updates address an integer overflow issue.

The advisory documents the remediation of the critical severity vulnerability which was demonstrated at the Tianfu Cup PWN Contest.
This issue affects VMware Workstation and VMware Fusion, and may allow a guest to execute code on the host.

Customers should review the security advisory and direct any questions to VMware Support.

Update November 17, 2018
The Tianfu Cup PWN Contest has wrapped up after Day 2. No additional teams targeted VMware Workstation on Day 2.

We are actively working on remediation, of the issue reported on Day 1, for VMware Workstation and Fusion.
VMware vSphere ESXi is unaffected.
We plan on publishing a VMware Security Advisory to provide information on updates for affected products.
As always please sign up for our VMware Security Advisories here for new and updated information.

Update November 16, 2018
Day 1 of the Tianfu Cup PWN Contest has finished in Chengdu. VMware Workstation is a target at this competition.

One researcher has shown that he could execute code on the VMware Workstation host from the guest. We are currently investigating the issue after having received the details. We are actively working on its remediation and we plan on publishing a VMware Security Advisory to provide information on updates for affected products.

We would like to thank the Tianfu Cup organisers and VictorV for working with us to address the issue.

Original Post
We wanted to post a quick acknowledgement that VMware has representatives in attendance at the Tianfu Cup PWN Contest in Chengdu, China to review any vulnerabilities that may be demonstrated during the contest.

We would like to thank the organisers for inviting us to attend. Stay tuned for further updates.

As always please sign up for our VMware Security Advisories here for new and updated information.

New VMware Security Advisory VMSA-2018-0009

Today VMware has released the following new security advisory:

VMSA-2018-0009  – vRealize Automation (vRA) updates address multiple security issues

This documents the remediation of Important and Moderate severity issues (CVE-2018-6958  and CVE-2018-6959).

Issue (a)  CVE-2018-6958 is a DOM-based cross-site scripting (XSS) vulnerability. Exploitation of this issue may lead to the compromise of the vRA user’s workstation.

Issue (b) CVE-2018-6959 is a vulnerability in the handling of session IDs. Exploitation of this issue may lead to the hijacking of a valid vRA user’s session.

vRealize Automation 7.3.1 and 7.4.0 provide remediations for these vulnerabilities.

VMware would like to thank Oliver Matula and Benjamin Schwendemann of ERNW Enno Rey Netzwerke GmbH for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.