Security Experts:

VMware Patches Critical SVGA Code Execution Flaw

Patches released this week by VMware address several vulnerabilities, including one rated critical, in the company’s ESXi, vCenter Server, Workstation and Fusion products.

The flaw considered critical, tracked as CVE-2017-4924, is an out-of-bounds write issue in the SVGA device, an old virtual graphics card implemented by VMware virtualization products. The vulnerability can allow a guest to execute code on the host, VMware said.

Nico Golde and Ralf-Philipp Weinmann of Comsecuris UG reported the security hole to VMware via the Zero Day Initiative (ZDI) on June 22. In its own advisory, ZDI pointed out that an attacker must somehow gain the ability to execute low-privileged code on the guest in order to exploit the flaw.

“The specific flaw exists within the Shader implementation,” ZDI said. “The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the host OS.”

While VMware has classified the vulnerability as critical, ZDI has only assigned it a CVSS score of 6.2, which puts it in the medium severity category. ESXi 6.5, Workstation 12.x and Fusion 8.x on OS X are affected.

The second vulnerability patched this week, classified as medium severity and tracked as CVE-2017-4925, was discovered by Zhang Haitao. He noticed that ESXi, Workstation and Fusion have a NULL pointer dereference vulnerability caused due to the handling of guest RPC requests. An attacker with normal user privileges can exploit this flaw to crash the VM.

This weakness affects ESXi 5.5, 6.0 and 6.5, Workstation 12.x and Fusion 8.x on OS X.

The third vulnerability, also rated medium severity, was found by Thomas Ornetzeder and it’s tracked as CVE-2017-4926. Ornetzeder discovered that the vCenter Server H5 Client on version 6.5 contains a stored cross-site scripting (XSS) flaw. An attacker that has VC user privileges can inject malicious JavaScript code that will be executed when other users access that page.

Related: VMware Patches 'Hard-to-Exploit' DoS Vulnerability

Related: VMware API Allows Limited vSphere Users to Access Guest OS

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.