The flaws were addressed with the release of six patches for ESXi, version 12.5.8 of Workstation, version 8.5.9 of Fusion, and version 6.5 U1d of vCSA.
Some of the flaws could be exploited by an attacker for arbitrary code execution.
Security experts from Cisco Talos group discovered two of the code execution vulnerabilities that ranked as critical and assigned them a CVSS score of 9.0, while VMware classified them as having “important” severity. The flaws analyzed by the Talos group affects the VNC implementation in VMWare products used to allow remote access to the solutions.
“Today, Talos is disclosing a pair of vulnerabilities in the VNC implementation used in VMWare’s products that could result in code execution. VMWare implements VNC for its remote management, remote access, and automation purposes in VMWare products including Workstation, Player, and ESXi which share a common VMW VNC code base. The vulnerabilities manifest themselves in a way that would allow an attacker to initiate of VNC session causing the vulnerabilities to be triggered.” reads the security advisory published by CISCO.
The vulnerability CVE-2017-4941 resides in the remote management functionality of VMWare, it could be exploited by a remote attacker to execute code in a virtual machine via an authenticated virtual network computing (VNC) session.
“A specially crafted set of VNC packets can cause a type confusion resulting in stack overwrite, which could lead to code execution.” reads the advisory published by Cisco Talos.
The second issue discovered by Cisco Talos is a heap overflow bug tracked as CVE-2017-4933 that could be triggered by an attacker to execute arbitrary code in a virtual machine using specially crafted VNC packets.
“An exploitable code execution vulnerability exists in the remote management functionality of VMware . A specially crafted set of VNC packets can cause a heap overflow resulting in heap corruption. An attacker can create a VNC session to trigger this vulnerability.” states Cisco Talos in the security advisory.
VMware hasn’t classified the flaws as critical because it argued that their exploitation is possible in ESXi only if VNC is manually enabled in the VM’s configuration file and the application is set to allow VNC traffic through the built-in firewall.
VMware also patched a stored cross-site scripting (XSS) flaw tracked as CVE-2017-4940 and affecting the ESXi Host Client, the issued could be exploited to inject code that gets executed when users access the Host Client. The company credited the expert Alain Homewood from Insomnia Security for its discovery.
The fourth flaw addressed by VMWare is a privilege escalation affecting vCSA that is tracked as CVE-2017-4943. The vulnerability was discovered by Lukasz Plonka and resides in the showlog plugin, it could be exploited by an attacker with low privileges to obtain root level access to the appliance’s base operating system.
(Security Affairs – Code Execution flaws, VMWare)