VMware Patches Critical Vulnerabilities

Five vulnerabilities affect various VMware products.

VMware has patched five critical vulnerabilities in its products. The affected products and product families are vSphere ESXi, VMware Workstation Pro/Player, and VMware Fusion Pro/Fusion.

A team of hackers called Fluoroacetate demonstrated exploitation of two flaws at the CanSecWest cybersecurity conference, which took place in Canada.

The two flaws demonstrated there are an out-of-bounds read/write vulnerability and a time-of-check/time-of-use (TOCTOU) vulnerability in the virtual universal host controller interface (UHCI) used by ESXi, Workstation, and Fusion.

“An attacker must have access to a virtual machine with a virtual USB controller present,” VMware said in a security advisory, adding that the flaws could allow a guest VM to execute code on the host system. The good news is that an attacker needs access to a virtual machine with a virtual USB controller present to execute code on the host system.
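Because the precondition for the UHCI flaws is a VM with a virtual USB controller attached, an administrator's first step is usually to find out which VMs actually have one. The script below is an added example (not code from the article or from VMware): it parses the key/value lines of .vmx configuration files and flags VMs whose USB controller keys are set. It assumes the standard .vmx keys `usb.present`, `ehci.present` and `usb_xhci.present`; the sample configurations are constructed for the example.

```python
"""Flag VM configurations that have a virtual USB controller attached.

Added example, not the article's or VMware's code. Assumes the .vmx
key = "value" format and the controller keys listed below.
"""
import re
from typing import Dict, List

# .vmx keys that attach a virtual USB controller (assumption: standard keys).
# usb.present covers the UHCI controller the article refers to; the other two
# are the USB 2.0/3.0 controllers, included so the inventory is complete.
USB_CONTROLLER_KEYS = ("usb.present", "ehci.present", "usb_xhci.present")

# key = "value"  (quotes are optional in practice, so treat them as such)
_LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse .vmx text into a dict. Keys are case-insensitive, so lower-case them."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        match = _LINE_RE.match(line)
        if match:
            config[match.group(1).lower()] = match.group(2)
    return config


def has_usb_controller(config: Dict[str, str]) -> bool:
    """True if any USB controller key is set to TRUE."""
    return any(config.get(key, "").upper() == "TRUE" for key in USB_CONTROLLER_KEYS)


def flag_vms(vmx_files: Dict[str, str]) -> List[str]:
    """Return the (sorted) names of VMs whose config attaches a USB controller."""
    return sorted(
        name for name, text in vmx_files.items()
        if has_usb_controller(parse_vmx(text))
    )


# Constructed sample .vmx contents, keyed by VM name (not real inventory data).
SAMPLE_VMX = {
    "web01": (
        '.encoding = "UTF-8"\n'
        'displayName = "web01"\n'
        'usb.present = "TRUE"\n'
        'usb:1.present = "TRUE"\n'
    ),
    "db01": (
        'displayName = "db01"\n'
        '# USB controller removed\n'
        'usb.present = "FALSE"\n'
        'ehci.present = "FALSE"\n'
    ),
    "jump01": (
        'displayName = "jump01"\n'
        'usb_xhci.present = "TRUE"\n'
    ),
}


if __name__ == "__main__":
    for vm in flag_vms(SAMPLE_VMX):
        print(f"{vm}: virtual USB controller present, patch host before exposing guest")
```

On a real estate the `SAMPLE_VMX` dictionary would be filled by reading each VM's .vmx file from the datastore; the parser deliberately accepts unquoted values and comment lines so that hand-edited configurations do not slip through the inventory.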

Two other issues allow code execution on the host from a guest. The fifth vulnerability, which affects the Fusion product, allows unauthenticated application programming interface (API) access to an application menu through a web socket.

If you use any of these VMware products, please update them now.

04/08/2019
