Guest-to-host escape issue present when vmxnet3 is enabled

Nov 9, 2018 15:44 GMT  ·  By

VMware released updates for its ESXi, Workstation, and Fusion software products to fix a critical security issue that would allow a potential attacker to execute code on the host by escaping the guest OS through an uninitialized stack memory usage bug in the vmxnet3 virtual network adapter.

Virtual machine guest-to-host escape vulnerabilities allow an attacker who can run code inside the guest operating system to break out of it and interact with the hypervisor.

Successfully exploiting a guest-to-host security issue can give threat actors complete control of the hypervisor and, through it, of all other guests (virtual machines) running on the same host.

According to VMware's security announcement, the products affected are VMware vSphere ESXi (ESXi), VMware Workstation Pro / Player (Workstation), and VMware Fusion Pro, Fusion (Fusion).

"VMware ESXi, Fusion and Workstation contain uninitialized stack memory usage in the vmxnet3 virtual network adapter. This issue may allow a guest to execute code on the host," says VMware's VMSA-2018-0027 advisory.

The guest-to-host escape issue affects all VMs running on ESXi, Workstation, and Fusion with vmxnet3 enabled

It's also important to mention that according to VMware "The issue is present if vmxnet3 is enabled. Non vmxnet3 virtual adapters are not affected by this issue."
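The vmxnet3 condition VMware states above can be checked on disk: each VM's .vmx configuration declares its adapters with the ethernetN.present and ethernetN.virtualDev keys. The following Python is an added example, not code from the article or from VMware; the sample .vmx contents are constructed, and treating a missing .present key as present is this example's own conservative choice.

```python
import re

# Constructed sample .vmx contents (not from the article). The key names
# ethernetN.present and ethernetN.virtualDev are the real VMware .vmx keys.
SAMPLE_VMX = {
    "web01.vmx": 'displayName = "web01"\nethernet0.present = "TRUE"\n'
                 'ethernet0.virtualDev = "vmxnet3"\nethernet1.present = "TRUE"\n'
                 'ethernet1.virtualDev = "e1000"\n',
    # stale vmxnet3 keys from a removed adapter: present = FALSE, so out of scope
    "db01.vmx": 'displayName = "db01"\nethernet0.present = "TRUE"\n'
                'ethernet0.virtualDev = "e1000e"\nethernet1.present = "FALSE"\n'
                'ethernet1.virtualDev = "vmxnet3"\n',
    # no virtualDev key: the adapter is not declared as vmxnet3, so it is not flagged
    "legacy.vmx": 'displayName = "legacy"\nethernet0.present = "TRUE"\n',
}

_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"?(.*?)"?\s*$')

def parse_vmx(text: str) -> dict[str, str]:
    """Parse 'key = "value"' lines into a dict; keys are lower-cased (they are case-insensitive)."""
    cfg: dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def vmxnet3_adapters(cfg: dict[str, str]) -> list[str]:
    """Adapters that are present and declared as vmxnet3, the condition VMware gives
    for CVE-2018-6981. A missing .present key is conservatively treated as present."""
    hits = []
    for key, val in cfg.items():
        m = re.fullmatch(r"(ethernet\d+)\.virtualdev", key)
        if m and val.lower() == "vmxnet3":
            if cfg.get(f"{m.group(1)}.present", "TRUE").upper() == "TRUE":
                hits.append(m.group(1))
    return sorted(hits)

def exposed_vms(vmx_files: dict[str, str]) -> dict[str, list[str]]:
    """Map displayName (or file name) -> vmxnet3 adapters, for VMs that have any."""
    report: dict[str, list[str]] = {}
    for path, text in vmx_files.items():
        cfg = parse_vmx(text)
        nics = vmxnet3_adapters(cfg)
        if nics:
            report[cfg.get("displayname", path)] = nics
    return report

if __name__ == "__main__":
    for vm, nics in exposed_vms(SAMPLE_VMX).items():
        print(f"{vm}: vmxnet3 on {', '.join(nics)} -> apply the VMSA-2018-0027 update")
```

On a real host, feed `exposed_vms` the contents of every .vmx file found under the VM folders or datastores; the VMs it reports are the ones that need the update rather than a swap to a different adapter type.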

The CVE-2018-6981 security issue was initially reported by GeekPwn2018's organizers and Chaitin Tech's security researcher Zhangyanyu.

There are no mitigations for this uninitialized stack memory usage bug, which affects all virtual machines with the vmxnet3 virtual network adapter enabled that run on VMware's ESXi, Workstation, or Fusion host software.

To prevent attackers from compromising the host OS on which the virtual machines run, users should update ESXi 6.0, 6.5, or 6.7 installations, VMware Workstation to 14.1.4 or 15.0.1, and VMware Fusion to either 10.1.4 or 11.0.1.

Two days ago, exploit developer and vulnerability researcher Sergey Zelenyuk released a VirtualBox zero-day guest-to-host escape vulnerability and exploit pair on GitHub, while also expressing his disagreement with the current state of security research and bug bounty programs.