VMware Patches Code Execution Flaw in Virtual Graphics Card
18.10.2018 securityweek

VMware has patched a critical arbitrary code execution vulnerability in the SVGA virtual graphics card used by its Workstation, ESXi and Fusion products.

According to an advisory published by the company on Tuesday, ESXi, Fusion and Workstation are affected by an out-of-bounds read vulnerability in the SVGA device. The flaw, tracked as CVE-2018-6974, can be exploited by a malicious guest to execute arbitrary code on the host.

The vulnerability was reported to VMware by an anonymous researcher through Trend Micro’s Zero Day Initiative (ZDI).

ZDI’s own advisory describes the security hole as a heap-based buffer overflow that allows a local attacker with low privileges on the system to escalate permissions and execute arbitrary code. ZDI revealed that the flaw was reported to VMware in mid-June.

“The specific flaw exists within the handling of virtualized SVGA,” ZDI said. “The issue results from the lack of proper validation of user-supplied data, which can result in an overflow of a heap-based buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the host OS.”

The same anonymous researcher likely also reported CVE-2018-6973, an out-of-bounds write vulnerability in the e1000 virtual network adapter used by Workstation and Fusion. This flaw also allows arbitrary code execution on the host and it was reported to VMware through ZDI on the same day as CVE-2018-6974. However, VMware resolved this vulnerability with patches released in mid-August.

Exploiting this security hole also requires at least low-privileged access to the targeted system.

While VMware has classified both vulnerabilities as “critical,” ZDI has assigned them a CVSS score of 6.9, which makes them “medium” severity.

Earlier this month, VMware also patched an “important” denial-of-service (DoS) bug discovered by Cisco Talos researchers in Workstation, ESXi and Fusion, and a serious SAML authentication bypass vulnerability in the Workspace ONE Unified Endpoint Management Console.