VMware released security patches for a critical virtual machine (VM) escape vulnerability that was recently discovered at a Chinese hacking contest.
VMware has released security patches for a critical virtual machine (VM) escape vulnerability (CVE-2018-6981 and CVE-2018-6982) that was recently discovered by the researcher Zhangyanyu at the Chinese GeekPwn2018 hacking contest.
The root cause of both bugs is the use of uninitialized stack memory in the vmxnet3 virtual network adapter; the flaws can be exploited only when a virtual machine has a vmxnet3 adapter enabled.
“VMware ESXi, Fusion and Workstation contain uninitialized stack memory usage in the vmxnet3 virtual network adapter. This issue may allow a guest to execute code on the host. The issue is present if vmxnet3 is enabled. Non vmxnet3 virtual adapters are not affected by this issue.” reads the advisory published by VMware.
CVE-2018-6981 can be exploited by a guest to execute arbitrary code on the host and affects the ESXi, Fusion and Workstation products. CVE-2018-6982 can result in an information leak from the host to the guest and affects only ESXi.
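Because the advisory ties exposure to the presence of a vmxnet3 adapter, the first thing a defender wants is an inventory of which VMs actually use one. The script below is an added example, not code from VMware or from this article: it parses `.vmx` configuration files for `ethernetN.virtualDev = "vmxnet3"` entries (a real vmx key), skips adapters explicitly marked not present, and reports the rest. The directory layout and the sample `.vmx` contents are constructed for the example; on a real host you would point `scan_vmx_dir` at the datastore path holding your VM directories.

```shell
#!/bin/sh
# Added example (not VMware's or the article's code): list vmxnet3 NICs in .vmx
# files, the adapter type that must be enabled for CVE-2018-6981 / CVE-2018-6982
# to be reachable. Useful for deciding which VMs to prioritize for patching.

# Print "<vmx-file>:<ethernetN>" for every vmxnet3 NIC in one .vmx file,
# skipping NICs explicitly marked ethernetN.present = "FALSE".
find_vmxnet3_adapters() {
  vmx="$1"
  grep -Ei '^ethernet[0-9]+\.virtualDev *= *"vmxnet3"' "$vmx" 2>/dev/null |
  while IFS= read -r line; do
    nic="${line%%.*}"   # ethernet0, ethernet1, ...
    if grep -Eiq "^${nic}\.present *= *\"FALSE\"" "$vmx"; then
      continue          # adapter defined but disabled in the VM config
    fi
    printf '%s:%s\n' "$vmx" "$nic"
  done
}

# Number of enabled vmxnet3 NICs in one .vmx file (0 when none).
count_vmxnet3_adapters() {
  find_vmxnet3_adapters "$1" | wc -l | tr -d ' '
}

# Scan every .vmx below a directory. The path is an assumption; on ESXi the VM
# configs normally live under /vmfs/volumes/<datastore>/<vm>/.
scan_vmx_dir() {
  find "$1" -name '*.vmx' 2>/dev/null | sort | while IFS= read -r f; do
    find_vmxnet3_adapters "$f"
  done
}

# --- constructed sample data, made up for this example ---
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/web01.vmx" <<'EOF'
displayName = "web01"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000"
ethernet2.present = "FALSE"
ethernet2.virtualDev = "vmxnet3"
EOF
cat > "$SAMPLE_DIR/db01.vmx" <<'EOF'
displayName = "db01"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "e1000e"
EOF

# Only web01's ethernet0 is an enabled vmxnet3 adapter in the sample data.
scan_vmx_dir "$SAMPLE_DIR"
```

A VM with no vmxnet3 adapter is not exposed to these two bugs per the advisory, so the output gives a concrete list of hosts and guests to patch first; note that the check reads only the configuration, so a vmxnet3 NIC hot-added after the scan would be missed.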
GeekPwn is a popular hacking competition held in China since 2014 that is organized by the security team of the Chinese firm Keen Cloud Tech. Starting from 2017 the competition is also held in the United States.
The latest contest, GeekPwn2018, was held in Shanghai on October 24-25 with an overall prize pool of $800,000. This year a researcher at the China-based security firm Chaitin Tech discovered a guest-to-host escape vulnerability affecting several VMware products, along with other minor issues.
The flaw is notable because it is the first time an expert has managed to escape VMware ESXi and obtain a root shell on the host system.
#GeekPwn2018 Chaitin Tech security researcher f1yyy has escaped VMware ESXi and got root shell on the host for the first time in the world. After demonstrating it at GeekPwn 2018, f1yyy received the Best of Tech Award and was selected to the GeekPwn Hall of Fame. @GeekPwn pic.twitter.com/2Y2kYKaw4d
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker at EC Council in London. His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".