Security Experts:

Connect with us

Hi, what are you looking for?



Privilege Escalation, DoS Vulnerabilities Fixed in VMware Products

VMware has released security updates that address several vulnerabilities in vCenter Server, ESXi, Workstation, Player, and Fusion.

VMware has released security updates that address several vulnerabilities in vCenter Server, ESXi, Workstation, Player, and Fusion.

VMware ESXi, Workstation, Player and Fusion are plagued by an arbitrary file write flaw that can be exploited for privilege escalation on the host, VMware said in an advisory published on Tuesday. The security hole (CVE-2014-8370) was reported by Shanon Olsson through Japan’s national Computer Security Incident Response Team (CSIRT).

VMware fixes vulnerabilities

“The vulnerability does not allow for privilege escalation from the guest Operating System to the host or vice-versa. This means that host memory can not be manipulated from the Guest Operating System,” VMware noted.

The second issue fixed by the company is a denial-of-service (DoS) vulnerability affecting Workstation, Player, and Fusion. The flaw (CVE-2015-1043), reported by Peter Kamensky from Digital Security, is caused by an input validation issue in the Host Guest File System (HGFS).

A different input validation vulnerability (CVE-2015-1044) that could lead to a DoS on the host affects ESXi, Workstation, and Player. ESXi and Workstation running on Linux are only partially impacted. The bug was reported by Dmitry Yudin through HP’s Zero Day Initiative (ZDI).

VMware has also updated the OpenSSL library in vCenter Server and ESXi

to versions 1.0.1j and 0.9.8zc. The update addresses several vulnerabilities fixed by OpenSSL in mid-October 2014, including the SSL 3.0 flaw known as POODLE.

Finally, the company has updated the libxml2 library in ESXi to version 2.7.6-17 in order to address a DoS flaw (CVE-2014-3660) disclosed last year in October.

“A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior,” reads a description of the vulnerability from RedHat.

The vulnerabilities fixed by VMware affect Workstation 10.x prior to version 10.0.5, Player 6.x prior to version 6.0.5, Fusion 7.x prior to version 7.0.1 and Fusion 6.x prior to version 6.0.5, and vCenter Server 5.5 prior to Update 2d. For ESXi 5.0, 5.1 and 5.5, the company released patches.

On Tuesday, VMware also updated an advisory released in early December. The advisory covers several vulnerabilities affecting the vSphere virtualization platform.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.