14 DAY TRIAL // VMware released multiple security updates that patch a critical integer overflow issue in the VMware Workstation and VMware Fusion software products.
The products impacted by this integer overflow security issue are the VMWare Workstation, VMware Workstation Player, VMware Workstation Pro, VMware Fusion, and VMware Fusion Pro.
With the help of VMware Fusion, macOS users can "run Windows and other x86 based operating systems on a Mac without rebooting."
VMware Workstation makes it possible to "develop, test, demonstrate, and deploy software by running multiple x86-based Windows, Linux, and other operating systems simultaneously on the same PC."
As detailed in VMware's VMSA-2018-0030 advisory, "VMware Workstation and Fusion contain an integer overflow vulnerability in the virtual network devices. This issue may allow a guest to execute code on the host."
The integer overflow issue could enable attackers to take control of the host computer
This integer overflow security bug was assigned the CVE-2018-6983 identifier by the Common Vulnerabilities and Exposures project and, given that it would allow potential attackers to run code on the host, it would also allow them to control the host’s operating system.
According to VMware, the issue was discovered and reported Tianwen Tang of Qihoo 360Vulcan Team on November 16, during the Tianfu Cup 2018 International Pwn Contest.
The vulnerability reported by Tang brought him a $100,000 award for successfully penetrating through and escaping from the VM guest system.
There is no known mitigation for the CVE-2018-6983 issue at the moment, but VMware provides updates for all affected products.
VMware Workstation users are required to update their installation to the 14.1.2/15.0.2 releases, and VMware Fusion owners should install the 10.1.5/11.0.2 versions.