14 DAY TRIAL // VMware released updates for its ESXi, Workstation, and Fusion software to address a critical SVGA heap-based buffer overflow privilege escalation vulnerability which would allow a guest to execute code on the host machine.
"The specific flaw exists within the handling of virtualized SVGA. The issue results from the lack of proper validation of user-supplied data, which can result in an overflow of a heap-based buffer," says the anonymous ZDI-18-1242 advisory. "An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the host OS."
The security issue can be exploited by attackers to compromise machines running the following vulnerable versions of VMWare's vSphere ESXi (6.7 before ESXi670-201810101-SG, 6.5 before ESXi650-201808401-BG, and 6.0 before ESXi600-201808401-BG), Workstation (Pro / Player) (14.x before 14.1.3) and VMware Fusion (Fusion Pro) (10.x before 10.1.3) products.
Detailed patch information and release notes for all updated products are listed on VMware's VMSA-2018-0026 security advisory page, together with severity ratings for all affected products.
The out-of-bounds read vulnerability has been fixed by VMware in the latest releases of ESXi, Workstation, and Fusion
"The specific flaw exists within the handling of virtualized SVGA. The issue results from the lack of proper validation of user-supplied data, which can result in an overflow of a heap-based buffer," also says the ZDI advisory. "An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the host OS."
Moreover, the Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the CVE-2018-6974 identifier to this security issue.
Furthermore, this critical heap-based buffer overflow privilege escalation vulnerability in the SVGA device was reported to VMware on June 12, and it was publicly disclosed on October 16 after the vendor fixed it in all affected products.
On October 9, Cisco Talos' Piotr Bania also disclosed a denial-of-service vulnerability of important severity in the 3D-acceleration feature of VMware's vSphere ESXi, Workstation (Pro / Player), and VMware Fusion (Fusion Pro) software.
The CVE-2018-6977 vulnerability reported by Cisco Talos will trigger a denial-of-service in all versions of vulnerable products because of an infinite loop caused by a maliciously crafted 3D-rendering shader.