Party like it's 1989... SVGA code bug haunts VMware's house, lets guests flee to host OS

Malicious code in VMs can leap over ESXi, Workstation, Fusion hypervisor security

Get busy, VMware admins and users: the virtualisation virtuoso has patched a programming blunder in ESXi, Workstation Pro and Player, and Fusion and Fusion Pro products that can be exploited by malicious code to jump from guest OS to host machine.

The bug, disclosed here, is designated CVE-2018-6974. The out-of-bounds read is present in the products' SVGA video device emulation, and if exploited, allows software within a guest operating system to execute code on the host machine. In other words, a hypervisor guest escape. That's enough of a privilege escalation to get the bug rated “critical” across most of the affected products.

Trend Micro, which reported the bug through its Zero Day Initiative, provided more information, here.

ZDI's advisory explained: “The specific flaw exists within the handling of virtualised SVGA. The issue results from the lack of proper validation of user-supplied data, which can result in an overflow of a heap-based buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the host OS.”

The vulnerable versions are in the table below.

| Product | Version | Severity | Running on | Patched version |
|---|---|---|---|---|
| ESXi | 6.7 | Critical | ESXi | ESXi670-201810101-SG |
| ESXi | 6.5 | Critical | ESXi | ESXi650-201808401-BG |
| ESXi | 6.0 | Critical | ESXi | ESXi600-201808401-BG |
| Workstation | 14.x | Critical | Any | 14.1.3 |
| Fusion | 10.x | Critical | macOS | 10.1.3 |

VMware's advisory points to the relevant patches.

El Reg notes that display code is something of a bugbear for VMware. Just last week, a rendering bug had admins scrambling for patches. For those unaware, SVGA – aka Super Video Graphics Array – is a computer display standard dating back to 1987, its programming interface defined by VESA in 1989. ®




Biting the hand that feeds IT © 1998–2018