Author Archives: Monty Ijzerman

VMware and the GeekPwn2018 event – new VMware Security Advisory VMSA-2018-0027


Update November 9, 2018 – Release of VMware Security Advisory VMSA-2018-0027

Today, VMware has released the following new security advisory:

VMSA-2018-0027 VMware ESXi, Workstation, and Fusion updates address uninitialized stack memory usage

The advisory documents the remediation of the critical and important security vulnerabilities that were demonstrated in the GeekPwn2018 event. These issues affect ESXi, VMware Workstation, and VMware Fusion, and may allow a guest to execute code on the host.

Customers should review the security advisory and direct any questions to VMware Support.

Original post
VMware is aware of the security vulnerability that was demonstrated at the GeekPwn2018 event. We have been in contact with the organizers of GeekPwn2018 and they have provided us with the details of the issue. We are actively working on its remediation and we plan on publishing a VMware Security Advisory to provide information on updates for affected products.

Please sign up for VMware Security Advisories (here) to be notified when this advisory and future advisories are published.

We would like to thank the organizers of GeekPwn2018 and security researcher Zhangyanyu for working with us on responsible disclosure of this issue.

New VMware Security Advisory VMSA-2018-0026

Today, VMware has released the following new security advisory:

VMSA-2018-0026 – VMware ESXi, Workstation, and Fusion updates address an out-of-bounds read vulnerability

The advisory documents the remediation of a Critical severity out-of-bounds read vulnerability (CVE-2018-6974) in VMware ESXi, Workstation, and Fusion. The issue exists in the SVGA device and may allow a guest to execute code on the host.

We would like to thank Anonymous working with Trend Micro’s Zero Day Initiative for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2018-0016 and updated advisories VMSA-2018-0011.1, VMSA-2018-0012.1

Today VMware has released the following new and updated security advisories:

VMSA-2018-0016 – VMware ESXi, Workstation, and Fusion updates address multiple out-of-bounds read vulnerabilities.
VMSA-2018-0012.1 – VMware vSphere, Workstation and Fusion updates enable Hypervisor-Assisted Guest Mitigations for the Speculative Store Bypass issue
VMSA-2018-0011.1 – Unauthenticated Command Injection vulnerability in VMware NSX SD-WAN by VeloCloud

VMSA-2018-0016 documents out-of-bounds read issues in the shader translator of ESXi, Workstation and Fusion. These issues are rated Important severity since they may lead to denial of service of the VM or to information disclosure.
VMware would like to thank RanchoIce of Tencent ZhanluLab (CVE-2018-6965, CVE-2018-6966, CVE-2018-6967) and a member of Cisco Talos (CVE-2018-6965) for independently reporting these issues to us.

VMSA-2018-0012.1 notes:

  • Hypervisor-Assisted Guest Mitigations for the Speculative-Store-Bypass issue (CVE-2018-3639) are now available since Intel has provided the required microcode updates. The ESXi Knowledge Base articles referenced in the advisory list which microcode updates are delivered by the ESXi patches.
  • The vCenter Server updates and ESXi patches, in combination with the Intel microcode, make the Speculative-Store-Bypass-Disable (SSBD) control bit available to guest operating systems.
  • OS vendor patches that take advantage of SSBD need to be deployed as well; exposing the control bit alone does not mitigate anything inside the guest. OS vendors typically do not enable SSBD by default, so consult your OS vendor's patch documentation for how to turn it on.
  • The full steps needed to apply the Hypervisor-Assisted Guest Mitigations for CVE-2018-3639 are explained in VMware Knowledge Base article 55111, while VMware Knowledge Base article 54951 provides more background.
  • The initial release of VMSA-2018-0012 was discussed in an earlier blog post.
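The three links of the chain above (ESXi patch plus Intel microcode, vCenter/ESXi exposing the SSBD bit to the VM, and a guest kernel that supports and enables SSBD) can each fail silently, so it helps to verify from inside the guest which link is missing. The following is an added example, not VMware's tooling or anything from KB 55111: on a Linux guest the hypervisor side shows up as an `ssbd` (or AMD `amd_ssbd`/`virt_ssbd`) flag in `/proc/cpuinfo`, and the guest-kernel side in `/sys/devices/system/cpu/vulnerabilities/spec_store_bypass`. The classification labels and the sample file contents are this example's own constructions.

```python
"""Guest-side check for the Hypervisor-Assisted SSBD mitigation chain.

Added example, not VMware's code. Reads the two Linux guest interfaces that
reveal the state of the chain and says which link is missing.
"""
from pathlib import Path

# Flag names Linux prints in /proc/cpuinfo when an SSBD control is available:
# 'ssbd' (Intel, and AMD with hardware SSBD), 'amd_ssbd' / 'virt_ssbd' (AMD).
SSBD_FLAGS = {"ssbd", "amd_ssbd", "virt_ssbd"}

VULN_FILE = Path("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass")
CPUINFO_FILE = Path("/proc/cpuinfo")


def parse_cpu_flags(cpuinfo_text):
    """Collect the union of all 'flags' lines from /proc/cpuinfo text."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            flags.update(value.split())
    return flags


def classify_ssb(cpu_flags, vuln_status):
    """Map guest observations to a label (labels are this example's own).

    vuln_status is the text of the spec_store_bypass sysfs file, or None when
    the file is absent (kernel predates the vulnerabilities sysfs directory).
    """
    exposed = bool(cpu_flags & SSBD_FLAGS)          # host side of the chain done?
    if vuln_status is None:
        # Kernel cannot report; the CPU flag still tells us about the host side.
        return "ssbd-exposed-kernel-unpatched" if exposed else "ssbd-not-exposed"
    status = vuln_status.strip()
    if status.startswith("Not affected"):
        return "not-affected"
    if status.startswith("Mitigation:"):
        # Linux distinguishes a global disable from the per-process opt-in
        # (prctl/seccomp) mode; the latter is the common distro default and
        # only protects processes that ask for it.
        if "prctl" in status or "seccomp" in status:
            return "mitigated-opt-in"
        return "mitigated-global"
    # 'Vulnerable': either the hypervisor/microcode never exposed SSBD, or the
    # guest kernel sees it but is not using it (e.g. spec_store_bypass_disable=off).
    return "ssbd-exposed-but-unused" if exposed else "ssbd-not-exposed"


def check_guest(cpuinfo=CPUINFO_FILE, vuln=VULN_FILE):
    """Read the live guest files and classify them (Linux only)."""
    flags = parse_cpu_flags(cpuinfo.read_text())
    status = vuln.read_text() if vuln.exists() else None
    return classify_ssb(flags, status)


# Constructed sample inputs (not captured from a real host) for offline use.
SAMPLE_CPUINFO_WITH_SSBD = (
    "processor\t: 0\n"
    "flags\t\t: fpu vme de pse ssbd ibrs ibpb stibp\n"
)
SAMPLE_CPUINFO_WITHOUT_SSBD = (
    "processor\t: 0\n"
    "flags\t\t: fpu vme de pse ibrs ibpb stibp\n"
)
SAMPLE_STATUS_PRCTL = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n"
SAMPLE_STATUS_GLOBAL = "Mitigation: Speculative Store Bypass disabled\n"
SAMPLE_STATUS_VULNERABLE = "Vulnerable\n"

if __name__ == "__main__":
    print("live guest:", check_guest())
    print("sample (host exposes SSBD, kernel unpatched/off):",
          classify_ssb(parse_cpu_flags(SAMPLE_CPUINFO_WITH_SSBD), SAMPLE_STATUS_VULNERABLE))
```

Reading the result: `ssbd-not-exposed` means the ESXi patch, microcode, or VM hardware-version step is incomplete and no amount of guest patching will help; `ssbd-exposed-but-unused` or `ssbd-exposed-kernel-unpatched` means the host side is done and the remaining work is the OS vendor patch and its enablement setting.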

VMSA-2018-0011.1 was issued to correct the affected version.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

New VMware Security Advisory VMSA-2017-0017

Today VMware has released the following new security advisory:

VMSA-2017-0017 – VMware vCenter Server update resolves LDAP DoS, SSRF and CRLF injection issues

This documents the remediation of two moderate severity issues, CVE-2017-4927 and CVE-2017-4928. These issues affect VMware vCenter Server.

Issue (a) CVE-2017-4927: VMware vCenter Server does not correctly handle specially crafted LDAP network packets, which may allow an unauthenticated remote attacker to cause a denial of service. This issue affects vCenter Server 6.5 and 6.0. vCenter Server 6.5 U1 and 6.0 U3c fix this issue.

Issue (b) CVE-2017-4928: SSRF and CRLF injection issues in the vSphere Web Client. This issue affects vCenter Server 6.0 and 5.5. vCenter Server 6.0 U3c and 5.5 U3f fix this issue.

We would like to thank Honggang Ren of Fortinet’s FortiGuard Labs and ricterzheng @ Tencent Yunding Lab for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Security Patches for VMware vCenter Server Appliance Photon OS

Our customers have indicated that they would like to see VMware more frequently update the Photon OS operating system that powers the vCenter Server Appliance (VCSA). To follow up on this request, we have now started a program that will provide monthly patches for the VCSA operating system.

The program will address important security issues that are present in the VCSA Photon OS operating system on a monthly basis. In some months (e.g. this month) the update will be through stand-alone patches while in other months they may be rolled into regular VCSA maintenance releases.

The release notes for the first monthly patch are found here, and today’s post on the VMware vSphere blog gives more details about the program.

Please send your feedback and questions to security (at) vmware (dot) com.

October 27 Update
Last night we released the second monthly patch for the VCSA Photon OS operating system (6.5 U1b). This time the patch also contains a couple of fixes for functional issues; see the reference in the bottom table of the rolling release notes for this program.

VMware Security Response Center @ VMworld 2017

For those visiting VMworld, come and meet VMware Trust and Assurance (which includes VMware Security Response Center) in Las Vegas next week or in Barcelona three weeks from now. Bring your questions and concerns on security issues in our products and services, and how we address these. We would also like to have feedback on the VMware Security Advisories and our patch policies.

How to find us? We are accepting 1:1 meetings at VMworld. If you would like to schedule a meeting, please contact your Technical Account Manager with a general idea of what you would like to speak with us about and we will schedule time with you. Alternatively, just come and meet us; we are stationed in the Listening Post located in the VM Village. This is the lounge area with seats and games on the top floor.

We share the Listening Post with other teams and they would be delighted with your visit as well! They are Support, Customer advocacy, and the Information Experience, Quality Assurance, and Product Globalization teams of the VMware R&D Central Organization.

Update August 28
We are ready to roll tomorrow when VMworld opens! Come by the Listening Post in the VM Village and talk to us about your challenges and suggestions regarding the security of our products. Our co-workers will be there to discuss quality, support, documentation, and globalization.

New VMware Security Advisory VMSA-2017-0014

Today, VMware has released the following new security advisory:

VMSA-2017-0014 – VMware NSX-V Edge updates address OSPF Protocol LSA DoS

The advisory documents a hard-to-exploit denial of service vulnerability in the implementation of the OSPF protocol in NSX-V Edge (CVE-2017-4920). The issue is caused by incorrect handling of link-state advertisements (LSAs). NSX-V Edge 6.2.8 and NSX-V Edge 6.3.3 address the issue.

We would like to thank Adi Sosnovich, Orna Grumberg and Gabi Nakibly for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

VMware Workstation target at Pwn2Own 2017

Update March 28 – Release of VMware Security Advisory VMSA-2017-0006
Today VMware released VMSA-2017-0006, which documents the remediation of the critical and moderate issues reported out of the Pwn2Own competition. These issues affect ESXi, VMware Workstation, and VMware Fusion, and may allow a guest to execute code on the host.
VMware recommends that customers expedite updating but that emergency measures like taking environments offline are not called for.
We’ve also published a new blogpost The Security Landscape: Pwn2Own 2017.

Original post
The Pwn2Own competition organized by Trend Micro's ZDI has just wrapped up in Vancouver. VMware Workstation was a target at this competition.

In total, two teams managed to show that they could execute code on the VMware Workstation host from the guest. We are currently investigating these issues after having received the details from the teams directly. The issues were demonstrated on Workstation and we are investigating their impact on ESXi and Fusion.

We would like to thank ZDI, Team 360 Security from Qihoo, and Team Sniper from Tencent Security for working with us to address the issues.

New VMware Security Advisory VMSA-2017-0003

Today VMware has released the following new security advisory:

VMSA-2017-0003 – VMware Workstation update addresses multiple security issues

The advisory documents an important severity DLL loading issue (CVE-2017-4898) and two moderate severity security issues (CVE-2017-4899 and CVE-2017-4900) in the SVGA driver of VMware Workstation Pro/Player. All versions of Workstation Pro/Player 12.x are affected.

Issue (a) is a DLL hijacking issue: the "vmware-vmx" process loads DLLs from a path defined in a local environment variable. A normal user on the host machine where VMware Workstation is installed can plant a DLL on that path and exploit this to escalate privileges to SYSTEM.
Issue (b) exists in the SVGA driver and can be triggered only when the host has no graphics card or no graphics drivers are installed. An attacker may exploit this issue to crash the VM or trigger an out-of-bounds read.
Issue (c) is a NULL pointer dereference vulnerability in the SVGA driver and may allow attackers with normal user privileges to crash their own VMs.
Workstation Pro/Player 12.5.3 fixes all of these issues.
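The precondition for issue (a) is a directory on the process's DLL search path that a low-privileged host user can write to, or that does not exist yet and can be created. The script below is an added example, not VMware's code and not a test for CVE-2017-4898 itself; the advisory does not name the environment variable involved, so the script takes the variable's value as input and defaults to PATH when run live. The directory names in the sample are constructed.

```python
"""Audit a search-path environment variable for DLL-planting opportunities.

Added example, not VMware's code. Classifies every directory on a
path-style variable as user-writable, missing, or OK, because a writable
or creatable entry is what a local user needs to hijack a DLL load.
"""
import os


def split_search_path(value, sep=os.pathsep):
    """Split a PATH-style value into non-empty entries, keeping search order."""
    return [e.strip().strip('"') for e in value.split(sep) if e.strip()]


def audit_search_path(value, sep=os.pathsep, exists=os.path.isdir,
                      writable=lambda d: os.access(d, os.W_OK)):
    """Classify each directory on the search path.

    'writable': exists and the current user can write -> a DLL can be planted.
    'missing':  does not exist -> whoever can create it owns that entry.
    'ok':       exists and is not writable by the current user.
    The exists/writable callables are injectable so the logic can be checked
    without touching a real filesystem.
    """
    report = {"writable": [], "missing": [], "ok": []}
    for d in split_search_path(value, sep):
        if not exists(d):
            report["missing"].append(d)
        elif writable(d):
            report["writable"].append(d)
        else:
            report["ok"].append(d)
    return report


# Constructed sample (not from a real host): a Windows-style PATH with one
# user-writable entry and one entry that no longer exists on disk.
SAMPLE_PATH = r"C:\Windows\system32;C:\Windows;C:\Users\alice\tools;C:\oldtools"
SAMPLE_EXISTING = {r"C:\Windows\system32", r"C:\Windows", r"C:\Users\alice\tools"}
SAMPLE_WRITABLE = {r"C:\Users\alice\tools"}


def sample_report():
    """Run the audit against the constructed sample instead of the live host."""
    return audit_search_path(SAMPLE_PATH, sep=";",
                             exists=lambda d: d in SAMPLE_EXISTING,
                             writable=lambda d: d in SAMPLE_WRITABLE)


if __name__ == "__main__":
    # Live run: audit this user's PATH on the current machine.
    live = audit_search_path(os.environ.get("PATH", ""))
    for category in ("writable", "missing"):
        for d in live[category]:
            print(f"{category}: {d}")
    print("sample:", sample_report())
```

A `writable` or `missing` hit is not proof that any particular process is exploitable, but it is the condition the hardening advice targets: on a Workstation host, run the audit as the least-privileged local account and tighten the ACLs (or remove the entry) for anything it reports.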

VMware would like to thank Ivil, Marco Grassi (@marcograss) of KeenLab (@keen_lab) Tencent and Saar Amar (@AmarSaar) for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

New VMware Security Advisory VMSA-2016-0020 and Updated Advisories

Today VMware has released the following new and updated security advisories:

New:
  • VMSA-2016-0020
Updated:
  • VMSA-2016-0016.1
  • VMSA-2016-0018.1

The new advisory documents a deserialization vulnerability in the vRealize Operations REST API, CVE-2016-7462.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.