VMware informed customers on Thursday that it has patched a denial-of-service (DoS) vulnerability in its Workstation and Fusion products. Details of the flaw and proof-of-concept code have been made public.
In its advisory, VMware said the vulnerability affects Workstation 12.x and 14.x on all platforms, and Fusion 8.x and 10.x on OS X. Patches are included in Workstation 14.1.1 and Fusion 10.1.1. A workaround that involves setting a password for the VNC connection can be applied to Workstation 12.x and Fusion 8.x releases.
The flaw, tracked as CVE-2018-6957, was discovered by Lilith Wyatt of Cisco Talos. VMware says it can be exploited to cause a DoS condition by opening a large number of VNC sessions. VNC, which is used in VMware products for remote management and automation purposes, must be manually enabled for the exploit to work.
While VMware has classified the vulnerability as “important,” Cisco Talos has assigned it a CVSS score of 7.5, which puts it in the “high severity” category.
In its own advisory, Cisco said an attacker can trigger an exception on a targeted server and cause the virtual machine to shut down by initiating numerous VNC sessions.
“Since the VMware VNC server is naturally multi-threaded, there are locks and semaphores and mutexes to deal with shared variables. The VNC server also maintains a global variable that indicates the amount of locks that are currently used, that is incremented by certain events,” Talos explained.
The code uses a variable to count the locks and ensure that their number is not too high. Wyatt discovered that each TCP connection to the VNC increments this variable twice, and initiating a large number of connections will eventually lead to a DoS condition and a shutdown of the VM. Cisco’s advisory includes a one-line PoC exploit.
VMware sponsored the recent Pwn2Own 2018 hacking competition and offered up to $70,000 for VMware Workstation exploits. However, none of the contestants targeted the company’s products. At last year’s event, white hat hackers did disclose exploits that included VMware virtual machine escapes.