It's ESXi time for critical VMware patches
Three to do, pronto, unless you like guest-host escape mirth
VMware's reported three bugs that probably deserve your urgent attention.
The three are lumped under bulletin VMSA-2017-0006, but there's four CVE's to consider.
The first bug is a heap buffer overflow and uninitialized stack memory usage in SVGA that impacts VMware's ESXi, Workstation and Fusion products. “These issues may allow a guest to execute code on the host”, VMware warns. CVE-2017-4902 describes the heap issue and CVE-2017-4903 addresses the stack issue.
Patches are available for ESXi and there are new versions of the Workstation and Fusion desktop hypervisors that sort things out.
Bug two hits the three products' XHCI controller, which suffers from uninitialized memory usage. “This issue may allow a guest to execute code on the host,” VMware warns. “The issue is reduced to a Denial of Service of the guest on ESXi 5.5.” This one's CVE-2017-4904 and again has patches.
The problems discussed above are rated critical. The third, CVE-2017-4905, scores just “moderate” status as it can lead to an information leak rather than wholesale host p0wnage. Uninitialized memory usage is again the culprit, with patches available for ESXi 5.5 through 6.5. Fusion and Worksation users just need to update their wares.
Interestingly, VMware tips its hat to security research teams at Chinese companies Tencent and Qihoo for finding some of the bugs, perhaps a sign Virtzilla's attracting lots of attention behind the Great Firewall. Tipping Point's Zero Day Initiative also gets a nod of thanks. ®