Patch now: VMware Tools for Windows root holes fixed in update
ESXi, Fusion, Player and Workstation have in-guest privilege escalation bug
VMware sysadmins, get patching: the virtualisation outfit has released updates to its ESXi, Fusion, Player and Workstation software to block out a privilege-escalation vulnerability.
The patch applies to VMware Windows Workstation versions before 11.1.2, Player and Fusion versions prior to 7.1.2, and various ESXi versions depending on their patch level:
- VMware ESXi 6.0 without patch ESXi600-201512102-SG
- VMware ESXi 5.5 without patch ESXi550-201512102-SG
- VMware ESXi 5.1 without patch ESXi510-201510102-SG
- VMware ESXi 5.0 without patch ESXi500-201510102-SG
CVE-2015-6933 is a kernel memory corruption vulnerability in the tools' Shared Folders feature that can be exploited by software to escalate its privileges within a guest. VMware notes that the programming blunder cannot be exploited to escape from a guest to a host.
It was picked up by Secunia's Dmitry Janushkevich, and the CVE (common vulnerabilities and exposures) database entry was reserved in September 2015.
If you can't run the patches right away, disabling the Shared Folders feature (HGFS) removes the exploitation possibility.
The full announcement with individual product update links is here. ®