Greetings from the VMware Security Response Center!

It has come to our attention that a previously resolved vulnerability identified by CVE-2018-6961 which affected VMware SD-WAN Edge (Velocloud) prior to R312-20180716-GA has been reported to be included as one of multiple injection methods for a newly discovered variant of the Mirai malware. Unit 42 has a good write up on what they have discovered here: https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices.

VMware is actively conducting our own investigation into the matter.

The good news is that CVE-2018-6961 was responsibly disclosed by VMware with both a fix and workaround last year in 2018. You can find our published advisory including remediation information for CVE-2018-6961 here: https://www.vmware.com/security/advisories/VMSA-2018-0011.html as well as workaround documentation here: https://kb.vmware.com/s/article/55009.

Customers are strongly advised to remediate or mitigate this vulnerability on their VMware SD-WAN Edge devices immediately. Please watch this space for future updates.

Edit: Added build-specific version in which CVE-2018-6961 was remediated.

Today, VMware has released the following new security advisory:

“VMSA-2019-0009 – VMware Tools and Workstation updates address out of bounds read and use-after-free vulnerabilities (CVE-2019-5522, CVE-2019-5525)”

This documents the remediation of two important severity issues in VMware Tools and VMware Workstation respectively.

Issue (a) CVE-2019-5522 an out of bounds read vulnerability in vm3dmp driver which is installed with vmtools in Windows guest machines. A local attacker with non-administrative access to a Windows guest with VMware Tools installed may be able to leak kernel information or create a denial of service attack on the same Windows guest machine. This issue has been addressed in VMware Tools 10.3.10.

Issue (b) CVE-2019-5525 is a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) backend and affects VMware Workstation. A malicious user with normal user privileges on the guest machine may exploit this issue to execute code on the host. This issue has been addressed in VMware Workstation 15.1.0.

We would like to thank ChenNan and RanchoIce of Tencent ZhanluLab and Brice L’helgouarc’h of Amossys for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Today, VMware has released the following new security advisory:

VMSA-2019-0006 – VMware ESXi, Workstation and Fusion updates address multiple out-of-bounds read vulnerabilities

This advisory documents Important Severity issues.

Issue (a) VMware ESXi, Workstation and Fusion updates address an out-of-bounds vulnerability (CVE-2019-5516) with the vertex shader functionality. Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of this issue may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM.  The workaround for this issue involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.

VMware would like to thank Piotr Bania of Cisco Talos for reporting this issue to us.

Issue (b) VMware ESXi, Workstation and Fusion contain multiple out-of-bounds read vulnerabilities  (CVE-2019-5517) in the shader translator. Exploitation of these issues requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of these issues may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM. The workaround for these issues involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi and is enabled by default on Workstation and Fusion.

VMware would like to thank RanchoIce of Tencent Security ZhanluLab for reporting these issues to us.

Issue (c) VMware ESXi, Workstation and Fusion contain an out-of-bounds read vulnerability (CVE-2019-5520). Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of this issue may lead to information disclosure.

VMware would like to thank instructor working with Trend Micro’s Zero Day Initiative for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Today, VMware has released the following new security advisories:

VMSA-2019-0004: VMware vCloud Director for Service Providers update resolves a Remote Session Hijack vulnerability

This advisory documents a Critical severity Remote Session Hijack vulnerability (CVE-2019-5523) in the Tenant and Provider Portals. Successful exploitation of this issue may allow a malicious actor to access the Tenant or Provider Portals by impersonating a currently logged in session.

We would like to thank Tyler Flaagan, Eric Holm, Andrew Kramer, and Logan Stratton of Dakota State University for reporting this issue to us.

VMSA-2019-0005 – VMware ESXi, Workstation and Fusion updates address multiple security issues

This advisory documents Critical and Important Severity issues.

Critical issue (a) VMware ESXi, Workstation and Fusion contain an out-of-bounds read/write vulnerability (CVE-2019-5518) and a Time-of-check Time-of-use (TOCTOU) vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface) (CVE-2019-5519). Exploitation of these issues requires an attacker to have access to a virtual machine with a virtual USB controller present. These issues may allow a guest to execute code on the host.

Critical issue (b) VMware Workstation and Fusion contain an out-of-bounds write vulnerability in the e1000 virtual network adapter (CVE-2019-5524). This issue may allow a guest to execute code on the host.

Important issue (c) VMware Workstation and Fusion updates address an out-of-bounds write vulnerability in the e1000 and e1000e virtual network adapters (CVE-2019-5515). Exploitation of this issue may lead to code execution on the host from the guest but it is more likely to result in a denial of service of the guest.

Critical Issue (d) VMware Fusion contains a security vulnerability due to certain unauthenticated APIs accessible through a web socket (CVE-2019-5514). An attacker may exploit this issue by tricking the host user to execute a JavaScript to perform unauthorized functions on the guest machine where VMware Tools is installed. This may further be exploited to execute commands on the guest machines.

We would like to thank Fluoroacetate team of Amat Cama and Richard Zhu, working with the Pwn2Own 2019 Security Contest, researcher Zhangyanyu of Chaitin Tech, ZhanluLab working with Trend Micro’s Zero Day Initiative, CodeColorist (@CodeColorist) and Csaba Fitzl (@theevilbit) for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Update March 28th 2019 – Release of VMware Security Advisory VMSA-2019-0005
Today VMware has released the following new security advisory:

VMSA-2019-0005 – VMware ESXi, Workstation and Fusion updates address multiple security issues

The advisory documents the remediation of the critical severity vulnerabilities which were demonstrated at Pwn2Own Vancouver 2019. These issues affect VMware ESXi, VMware Workstation and VMware Fusion, and may allow a guest to execute code on the host.

Customers should review the security advisory and direct any questions to VMware Support.

Update March 21st 2019
The Pwn2Own competition has finished for VMware. On Day 2 of Pwn2Own the Fluoroacetate team of Amat Cama and Richard Zhu again showed they could execute code on the VMware Workstation host from the guest. This issue differs from the issue which was demonstrated on Day 1. Having received the details we are currently investigating and are actively working on its remediation. We plan on publishing a VMware Security Advisory to provide information on updates for affected products.

Update March 20th 2019
On Day 1 of Pwn2Own the Fluoroacetate team of Amat Cama and Richard Zhu showed they could execute code on the VMware Workstation host from the guest. We are currently investigating the issue after having received the details. We are actively working on its remediation and we plan on publishing a VMware Security Advisory to provide information on updates for affected products.

We would like to thank the Pwn2Own organisers and the Fluoroacetate team for working with us to address the issue.

Original Post
We wanted to post a quick acknowledgement that VMware will have representatives in attendance at Pwn2Own Vancouver 2019 to review any vulnerabilities that may be demonstrated during the security contest. Stay tuned for further updates.

As always please sign up for our VMware Security Advisories here for new and updated information.

VMware has released the following new security advisories:

VMSA-2019-0002 – VMware Workstation update addresses elevation of privilege issues.

This documents important severity elevation of privilege issues.

Issue (a) (CVE-2019-5511). Workstation does not handle paths appropriately. Successful exploitation of this issue may allow the path to the VMX executable, on a Windows host, to be hijacked by a non-administrator leading to elevation of privilege.

Issue (b) (CVE-2019-5512). COM classes are not handled appropriately. Successful exploitation of this issue may allow hijacking of COM classes used by the VMX process, on a Windows host, leading to elevation of privilege.

These issues have been addressed in Workstation 15.0.3 and 14.1.6

VMware would like to thank James Forshaw of Google Project Zero for reporting these issues to us.

VMSA-2019-0003 – VMware Horizon update addresses Connection Server information  disclosure vulnerability.

(CVE-2019-5513). The VMware Horizon Connection Server contains a moderate severity information  disclosure vulnerability. Successful exploitation of this issue  may allow disclosure of internal domain names, the Connection Server’s internal name, or the gateway’s internal IP address.

VMware would like to thank Cory Mathews of Critical Start and HD Moore of Atredis Partners for independently reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Today VMware has released the following new and updated security advisories:

VMSA-2019-0001 – https://www.vmware.com/security/advisories/VMSA-2019-0001.html

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Today, VMware has released the following new security advisory:

“VMSA-2018-0031 – vRealize Operations updates address a local privilege escalation vulnerability”

This documents the remediation of an important severity local privilege escalation vulnerability (CVE-2018-6978) in vRealize Operations (vROps). The issue exists due to improper permissions of support scripts. Admin** user of the vROps application with shell access may exploit this issue to elevate the privileges to root on a vROps machine.

**The admin user (non-sudoer) should not be confused with root of the vROps machine.

We would like to thank Alessandro Zanni, pentester at OVH for reporting this issue to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Greetings from the VMware Security Response Center!

Yesterday Kubernetes disclosed CVE-2018-1002105 – a critical severity vulnerability in the Kubernetes API server. For more details on the vulnerability please see Kubernetes’ announcement here:

https://discuss.kubernetes.io/t/kubernetes-security-announcement-v1-10-11-v1-11-5-v1-12-3-released-to-address-cve-2018-1002105/3700

This vulnerability affects the following VMware products:

-VMware Pivotal Container Service (PKS)
-VMware vCloud Director Container Service Extension (CSE)
-Photon OS

There will be no VMware Security Advisory since remediation for these products has already been documented in a separate advisory or the offering’s github page.

Remediation Information:

PKS – Fixed in 1.2.3
Documentation: https://docs.pivotal.io/runtimes/pks/1-2/release-notes.html
Advisory: https://pivotal.io/security/cve-2018-1002105

CSE – Fixed in 1.2.5
Documentation: https://vmware.github.io/container-service-extension/RELEASE_NOTES.html

Photon OS – Fixed in 1.10.11-1 and 1.11.5-1
Advisory: https://github.com/vmware/photon/wiki/Security-Updates-2-112

For our service offerings that use Kubernetes, mitigations are already in place which have closed down the critical severity attack vector associated with CVE-2018-1002105 while full remediation is in progress.

On November 20th 2018 VMware released the following new security advisory:

VMSA-2018-0029 – vSphere Data Protection (VDP) updates address multiple security issues.

This documents several critical, important and moderate severity issues affecting VDP. VDP is based on Dell EMC Avamar Virtual Edition.

Issue (a) is a critical severity remote code execution vulnerability (CVE-2018-11066). A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary commands on the server.

Issue (b) is an important severity open redirection vulnerability (CVE-2018-11067). A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links. The vulnerability could be used to conduct phishing attacks that cause users to unknowingly visit malicious sites.

Issue (c) is an important severity information exposure vulnerability (CVE-2018-11076). VDP Java management console’s SSL/TLS private key may be leaked in the VDP Java management client package. The private key could potentially be used by an unauthenticated attacker on the same data-link layer to initiate a MITM attack on management console users.

Issue (d) is a moderate severity command injection vulnerability (CVE-2018-11077). The ‘getlogs’ troubleshooting utility in VDP contains an OS command injection vulnerability. A malicious admin user may potentially be able to execute arbitrary commands under root privilege.

These issues have been addressed in VDP 6.1.10, 6.1.9 and 6.0.9.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.