Does your company make use of VMware products? If so, be advised that a pair of researchers from Synacktiv recently reported a series of critical security flaws in VMware’s ESXi, Workstation and Fusion products.
The recent discovery prompted the company to issue an emergency security patch to address those issues.
The most serious of the bunch, which earned a 9.3 CVSSv3 severity score, is being tracked as CVE-2020-3962. It is a flaw in the SVGA device that could allow an attacker with local access to the machine to execute arbitrary code on the hypervisor from a virtual machine.
In addition to that, the latest patch also addresses the following security vulnerabilities:
- CVE-2020-3963
- CVE-2020-3964
- CVE-2020-3965
- CVE-2020-3966
- CVE-2020-3967
- CVE-2020-3968
- CVE-2020-3969
- CVE-2020-3970
- CVE-2020-3971
These issues range in severity from 4.0 to 8.1 and all are related to different ways that a local attacker with access to a virtual machine could execute arbitrary code, trigger a DoS condition, or read privileged information on the compromised devices.
To block attacks exploiting all of the vulnerabilities listed above, VMware recommends immediately upgrading to version 15.5.5 (VMware Fusion (Pro), while VMware ESXI customers should upgrade to ESXi_7.0.0-1.20.16321839, ESXi670-202004101-SG, or ESXi650-202005401-SG.
Kudos to Synacktiv researchers Bruno Pujos and Corentin Bayet for their diligent research, and to the management team at VMware for making the patches addressing these issues available with all speed.
This, of course, will not be the last time researchers uncover serious security flaws in software. However, this example is a textbook case of deft handling by the companies involved.
If you use VMware products, be sure to check to see what version you’re running, and if need be, upgrade to the latest right away. Since all of the potential attacks here require local access to exploit, the risk is low, but there’s no advantage to having any unnecessary exposure.