14 DAY TRIAL // VMware published an advisory with workarounds for a denial-of-service vulnerability in its vSphere ESXi, Workstation (Pro / Player), and VMware Fusion (Fusion Pro) products discovered by Cisco Talos's Piotr Bania and exploitable when the 3D-acceleration feature is enabled.
According to VMWare 3D-acceleration is not enabled by default on VMware vSphere ESXi, but it comes toggled on all versions of VMware Workstation and VMware Fusion.
According to VMware advisory, the vulnerability will trigger a denial-of-service because of an infinite loop caused by a maliciously crafted 3D-rendering shader.
Furthermore, according to Cisco Talos, the malformed pixel shader can be provided by a potential attacker in either binary or text form to the target within a VMware guest operating system.
The memory denial-of-service attack can be triggered from VMware guests affecting the VMware host (with an immediate crash of the vmware-vmx.exe process), as well as through WEBGL via a web browser if it doesn't use Google's ANGLE (Almost Native Graphics Layer Engine) graphics engine abstraction layer.
As described by VMware in the VMSA-2018-0025 advisory, "Successfully exploiting this issue may allow an attacker with normal user privileges in the guest to make the VM unresponsive, and in some cases, possibly resulting in other VMs on the host or the host itself becoming unresponsive.
VMware provided a workaround designed to mitigate the DoS vulnerability in all affected software products
At the moment there is no patch for any of the products affected by this DoS vulnerability. However, VMware provides a workaround which mitigates the issue.
Moreover, the workaround for this DoS issue requires disabling the 3D-acceleration feature in the VMware Workstation and Fusion products, while VMware ESXi does not need any intervention seeing that for this software the 3D-acceleration feature is disabled by default.
VMware Workstation users can disable 3D-acceleration by shutting down the virtual machine, selecting the VM, going to VM > Settings > Hardware > Display and unchecking the "Accelerate 3D graphics" option.
Fusion users need to turn off their VM, select that virtual machine, going to the VMware Fusion menu bar, selecting Window > Virtual Machine Library, selecting the VM and clicking Settings, and then going into System Settings > Display and disabling the "Accelerate 3D graphics" option.