Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

VMware Patches Vulnerabilities Exploited at Chinese Hacking Contest

VMware on Thursday announced releasing patches for a couple of serious ESXi vulnerabilities that were demonstrated at a recent hacking contest in China.

VMware on Thursday announced releasing patches for a couple of serious ESXi vulnerabilities that were demonstrated at a recent hacking contest in China.

At the 2020 Tianfu Cup International PWN Contest, which took place earlier this month in China, participants earned a total of more than $1.2 million for exploits targeting Chrome, Safari, Firefox, Adobe Reader, Docker, VMware ESXi, CentOS, the iPhone, the Samsung Galaxy S20 phone, Windows, and routers from TP-Link and Asus.

The 360 ESG Vulnerability Research Institute from Chinese cybersecurity company Qihoo 360 earned more than $740,000 of the total, including $180,000 for a VMware ESXi guest to host escape exploit.

VMware was monitoring the event and it immediately started working on patches. The virtualization giant announced the first patches on Thursday, less than two weeks after Tianfu Cup ended.

An advisory published by VMware describes two vulnerabilities that were chained at the hacking competition — it’s unclear if there are other flaws involved as well.

One of the security holes, CVE-2020-4005, is a privilege escalation issue caused by the way certain system calls are managed. This high-severity flaw allows an attacker who has privileges within the VMX process only to elevate permissions on the targeted system.

This vulnerability can be chained with CVE-2020-4004, an issue rated critical that the Qihoo 360 researchers exploited to execute code as the virtual machine’s VMX process running on the host. The flaw is a use-after-free affecting the XHCI USB controller and exploitation requires local admin privileges on the VM.

CVE-2020-4004 affects ESXi, Fusion, Workstation and VMware Cloud Foundation. Patches and updates have been released, except for Cloud Foundation, for which fixes are pending.

In the case of CVE-2020-4005, it impacts ESXi and Cloud Foundation. Fixes are available for ESXi and they are pending for Cloud Foundation.

Google and Mozilla have also patched the Chrome and Firefox vulnerabilities disclosed at the competition.

At last year’s Tianfu Cup, researchers from Qihoo 360 earned $200,000 for a VMware ESXi exploit. The vulnerabilities leveraged for that exploit were also patched by the virtualization giant after roughly two weeks.

VMware this week also patched a series of vulnerabilities in its SD-WAN Orchestrator product that could have allowed an unauthenticated attacker to remotely execute arbitrary code, which researchers say could lead to the shutdown of an enterprise network or traffic steering.

Related: Patch for Critical VMware ESXi Vulnerability Incomplete

Related: VMware Patches Critical Code Execution Vulnerability in ESXi

Related: Google Researcher Finds Vulnerability in VMware Virtualization Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.