VMware has released updates and patches for its ESXi, Workstation and Fusion products to address critical and moderate severity vulnerabilities disclosed at the Pwn2Own 2017 competition.
Pwn2Own participants earned more than $200,000 this year for exploits involving VMware virtual machine escapes. Researchers at Qihoo 360 earned $105,000 for an Edge exploit that achieved a VM escape, and Tencent Security’s Team Sniper received $100,000 for a Workstation exploit that leveraged two vulnerabilities.
According to VMware, the Qihoo 360 team leveraged a heap buffer overflow (CVE-2017-4902) and an uninitialized stack memory usage in SVGA (CVE-2017-4903) that allow an attacker in the guest operating system to execute code on the host.
One of the security holes exploited by Team Sniper is an uninitialized memory usage issue (CVE-2017-4904) in the XHCI controller that can be exploited to execute code on the host from the guest OS.
The second flaw disclosed by Team Sniper at Pwn2Own, rated “moderate severity,” is an information leak weakness also caused by uninitialized memory usage (CVE-2017-4905).
The flaws affect ESXi 6.0 and 6.5, Workstation 12.x on all operating systems, and Fusion 8.x on OS X. CVE-2017-4904 and CVE-2017-4905 also affect ESXi 5.5, but the former can only be exploited for denial-of-service (DoS) attacks and not code execution.
Mozilla has also patched a Firefox vulnerability disclosed at Pwn2Own. However, the organization addressed the security bug within a day after it was presented at the hacking competition.
This was not the first time VMware patched flaws disclosed at such an event. Last year, it resolved a Workstation and Fusion vulnerability demonstrated at PwnFest, a hacking competition that took place in South Korea at the Power Of Community (POC) conference.
VMware has also released patches for the recently disclosed Apache Struts2 vulnerability, which the company has classified as “catastrophic.”