VMware has fixed several vulnerabilities in its ESXi, Workstation, Fusion and NSX-T products, including a critical flaw that allows arbitrary code execution.
The critical vulnerability, tracked as CVE-2020-3992, is a use-after-free issue that affects the OpenSLP service in ESXi. The vulnerability can allow remote attackers to execute arbitrary code on affected installations of the ESXi product.
To exploit the flaw, an attacker needs to be on the management network and have access to port 427 on an ESXi machine.
“OpenSLP as used in ESXi has a use-after-free issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the advisory published by VMware.
“A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.”
The vulnerability was reported to VMware on July 22 by Lucas Leong (@_wmliang_) from Trend Micro’s Zero Day Initiative.
The virtualization giant addressed the vulnerability in ESXi and VMware Cloud Foundation.
The company also patched a high-severity flaw in NSX-T, tracked as CVE-2020-3993, which is caused by the way a KVM host is allowed to download and install packages from the NSX manager. The flaw could be exploited by a MitM attacker to compromise transport nodes.
“VMware NSX-T contains a security vulnerability that exists in the way it allows a KVM host to download and install packages from NSX manager. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.” reads the advisory.
“A malicious actor with MITM positioning may be able to exploit this issue to compromise the transport node.”
The researcher Reno Robert discovered an out-of-bounds read vulnerability in VMware ESXi, Workstation and Fusion. The issue is due to a time-of-check time-of-use (TOCTOU) issue in the ACPI device.
An attacker with administrative access to a virtual machine may be able to exploit this flaw to leak memory from the vmx process.
VMware also addressed CVE-2020-3994, a session hijack vulnerability in the vCenter Server update function.
“A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.” reads the advisory.
The vulnerability was reported by Thorsten Tüllmann of the Karlsruhe Institute of Technology.
(SecurityAffairs – hacking, VMware)