VMware has released security patches for two critical virtual machine (VM) escape vulnerabilities (CVE-2018-6981 and CVE-2018-6982) that were recently discovered by the researcher Zhangyanyu at the Chinese GeekPwn2018 hacking contest.
Both bugs stem from the use of uninitialized stack memory in the vmxnet3 virtual network adapter, and they can be exploited only if a vmxnet3 adapter is enabled on the guest.
“VMware ESXi, Fusion and Workstation contain uninitialized stack memory usage in the vmxnet3 virtual network adapter. This issue may allow a guest to execute code on the host. The issue is present if vmxnet3 is enabled. Non vmxnet3 virtual adapters are not affected by this issue.” reads the advisory published by VMware.
CVE-2018-6981 can be exploited by a guest to execute arbitrary code on the host and affects ESXi, Fusion and Workstation. CVE-2018-6982 can result in an information leak from the host to the guest and affects only ESXi.
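Because both issues only matter where a vmxnet3 adapter is present and enabled, the first thing an administrator wants is an inventory of which VMs actually expose that device, to prioritise patching. The following script is an added example, not code from VMware or from the article: it parses the `ethernetN.present` and `ethernetN.virtualDev` keys that VMware writes into a VM's `.vmx` configuration file and reports the adapters set to `vmxnet3`. The two `.vmx` contents embedded below are constructed samples; the file names and display names are invented. A VM whose `.vmx` omits `virtualDev` gets a guest-OS-dependent default adapter type, so those entries are reported separately as "unknown" rather than being assumed safe.

```python
import re
from typing import Dict, List

# Constructed sample .vmx contents (hypothetical VMs, not real configuration files).
# VMware .vmx files are flat key = "value" lists; adapter N is described by ethernetN.* keys.
SAMPLE_VMX_FILES: Dict[str, str] = {
    "web01.vmx": '''.encoding = "UTF-8"
displayName = "web01"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000"
''',
    "db01.vmx": '''displayName = "db01"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "e1000e"
ethernet1.present = "FALSE"
ethernet1.virtualDev = "vmxnet3"
''',
    "legacy01.vmx": '''displayName = "legacy01"
ethernet0.present = "TRUE"
''',
}

# key = "value"; keys may contain dots, digits and colons (e.g. ethernet0.virtualDev, scsi0:0.fileName)
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')
_VIRTUAL_DEV = re.compile(r'(ethernet\d+)\.virtualdev')
_PRESENT = re.compile(r'(ethernet\d+)\.present')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse .vmx text into a dict. Keys are lower-cased so casing differences do not matter."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def classify_adapters(cfg: Dict[str, str]) -> Dict[str, List[str]]:
    """Split the VM's enabled adapters into vmxnet3 / other / unknown (no virtualDev key)."""
    result: Dict[str, List[str]] = {"vmxnet3": [], "other": [], "unknown": []}
    # Adapters that are declared at all (either key counts as a declaration).
    adapters = set()
    for key in cfg:
        for pat in (_VIRTUAL_DEV, _PRESENT):
            m = pat.fullmatch(key)
            if m:
                adapters.add(m.group(1))
    for adapter in sorted(adapters):
        # A missing present key means the adapter is not enabled; only "TRUE" enables it.
        if cfg.get(f"{adapter}.present", "FALSE").upper() != "TRUE":
            continue
        dev = cfg.get(f"{adapter}.virtualdev")
        if dev is None:
            result["unknown"].append(adapter)      # default device type, depends on guest OS
        elif dev.lower() == "vmxnet3":
            result["vmxnet3"].append(adapter)
        else:
            result["other"].append(adapter)
    return result


def audit(vmx_files: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Map each VM (displayName, falling back to the file name) to its adapter classification."""
    report = {}
    for filename, text in vmx_files.items():
        cfg = parse_vmx(text)
        report[cfg.get("displayname", filename)] = classify_adapters(cfg)
    return report


def vms_with_vmxnet3(vmx_files: Dict[str, str]) -> List[str]:
    """Names of VMs that have at least one enabled vmxnet3 adapter, i.e. the ones to patch first."""
    return sorted(name for name, r in audit(vmx_files).items() if r["vmxnet3"])


if __name__ == "__main__":
    for name, r in audit(SAMPLE_VMX_FILES).items():
        print(f"{name}: vmxnet3={r['vmxnet3']} other={r['other']} unknown={r['unknown']}")
    print("patch first:", vms_with_vmxnet3(SAMPLE_VMX_FILES))
```

On a real datastore the same functions can be fed the contents of each `.vmx` file read from disk; note that a disabled adapter (`present = "FALSE"`) is ignored even if its `virtualDev` is `vmxnet3`, which is why `db01` is not flagged.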
GeekPwn is a popular hacking competition that has been held in China since 2014 and is organized by the security team of the Chinese firm Keen Cloud Tech. Since 2017 the competition has also been held in the United States.
The latest contest, GeekPwn2018, was held in Shanghai on October 24-25 with an overall prize pool of $800,000. This year a researcher at the China-based security firm Chaitin Tech demonstrated a guest-to-host escape vulnerability affecting several VMware products, along with other minor issues.
The flaw is significant because it is the first time a researcher has escaped VMware ESXi and obtained a root shell on the host system.
#GeekPwn2018 Chaitin Tech security researcher f1yyy has escaped VMware ESXi and got root shell on the host for the first time in the world. After demonstrating it at GeekPwn 2018, f1yyy received the Best of Tech Award and was selected for the GeekPwn Hall of Fame. @GeekPwn pic.twitter.com/2Y2kYKaw4d
— Chaitin Tech (@ChaitinTech) October 31, 2018
The virtualization giant released patches and updates for both vulnerabilities.
(Security Affairs – virtual machine, VM escape vulnerability)