Video nasty lets VMware guests run code on hosts

It's 2017 and an emulated SVGA device can p0wn enterprise software. Sigh

VMware's given vAdmins a busy Friday by disclosing three nasties to patch.

One's a video nasty dubbed CVE-2017-4924, and it affects VMware ESXi and the desktop hypervisors Workstation and Fusion. VMware describes it as “an out-of-bounds write vulnerability in SVGA device*”, the virtual graphics card VMware has emulated in its hypervisors for many years. The bug “may allow a guest to execute code on the host”, which makes it a guest-to-host escape and the most serious of the three.

There's a critical patch for ESXi 6.5, and Workstation 12.x users should upgrade to version 12.5.7. Fusion 8.x users should get to version 8.5.8 as a matter of urgency. ESXi 6.0 and 5.5 don't have this particular problem.

The three products also have a NULL pointer dereference vulnerability that “occurs when handling guest RPC requests” and “may allow attackers with normal user privileges to crash their VMs.” Note the wording: this is a denial of service against the attacker's own VM, not an escape. It's graded “moderate” and affects ESXi 5.5 through 6.5, plus Workstation 12.x and Fusion 8.x. Check out CVE-2017-4925 for details, once they land.

vCenter Server users also have something to worry about, as version 6.5 has a moderate bug that “may allow for stored cross-site scripting”: “An attacker with VC user privileges can inject malicious JavaScript which will get executed when other VC users access the page.” Stored XSS in a management console is worth taking seriously, since the victims are other administrators.

Version 6.5 U1 squashes the bug.
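To turn the advisory into something you can run over an inventory, here is a small triage script. It is an added example written for this article, not VMware's code: the affected and fixed versions are the ones listed above, while the `Host` record, the `exposures` function and the `advisory_patch_applied` flag are my own assumptions. That flag exists because the ESXi 6.5 fix is a patch and the vCenter fix is 6.5 U1, neither of which changes the dotted version string, so patch status has to come from somewhere else (a CMDB, or the build number, which the advisory text here doesn't give). The inventory at the bottom is constructed for the demo.

```python
"""Patch triage for the three VMSA-2017-0015 issues described above.

Constructed example for this article, not VMware tooling. Affected and
fixed versions are taken from the advisory as reported; build numbers are
not available here, so an out-of-band "advisory patch applied" flag stands
in for them (an assumption, see Host below).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SVGA_OOB = "CVE-2017-4924"   # SVGA device out-of-bounds write: guest -> host code exec
RPC_NULL = "CVE-2017-4925"   # NULL deref handling guest RPC: guest user crashes own VM
VC_XSS = "CVE-2017-4926"     # stored XSS in vCenter Server 6.5, fixed in 6.5 U1


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.5.6', '6.5' or '6.5.0 U1' into a comparable tuple.

    Missing components are padded with zeros so that '6.5' == '6.5.0' and
    '12.5' sorts before '12.5.7'. A suffix such as 'U1' is ignored because
    the update level is not encoded in the dotted version string.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


@dataclass
class Host:
    name: str
    product: str                 # "ESXi", "Workstation", "Fusion" or "vCenter"
    version: str                 # dotted version as reported by the product
    advisory_patch_applied: bool = False  # assumption: tracked elsewhere (CMDB), not derived here


def exposures(host: Host) -> List[str]:
    """CVEs from VMSA-2017-0015 this host is still exposed to."""
    v = parse_version(host.version)
    product = host.product.lower()
    found: List[str] = []

    if product == "workstation":
        # Workstation 12.x carries both bugs until 12.5.7.
        if v[0] == 12 and v < (12, 5, 7):
            found += [SVGA_OOB, RPC_NULL]
    elif product == "fusion":
        # Fusion 8.x carries both bugs until 8.5.8.
        if v[0] == 8 and v < (8, 5, 8):
            found += [SVGA_OOB, RPC_NULL]
    elif product == "esxi":
        # ESXi fixes ship as patches, not version bumps: a patched 6.5 host
        # still reports 6.5, so the version string alone cannot clear it.
        if not host.advisory_patch_applied:
            if v[:2] == (6, 5):
                found += [SVGA_OOB, RPC_NULL]   # only 6.5 has the SVGA bug
            elif v[:2] in ((6, 0), (5, 5)):
                found.append(RPC_NULL)         # 6.0 and 5.5: RPC crash only
    elif product == "vcenter":
        # 6.5 U1 fixes the XSS but keeps the 6.5.0 version string, so the
        # update is again modelled by the patched flag.
        if v[:2] == (6, 5) and not host.advisory_patch_applied:
            found.append(VC_XSS)
    else:
        raise ValueError(f"unknown product: {host.product!r}")
    return found


def triage(inventory: List[Host]) -> Dict[str, List[str]]:
    """Map host name -> outstanding CVEs, omitting hosts with nothing to do."""
    report: Dict[str, List[str]] = {}
    for host in inventory:
        cves = exposures(host)
        if cves:
            report[host.name] = cves
    return report


# Constructed inventory; names, versions and patch states are made up.
SAMPLE_INVENTORY = [
    Host("esx-a", "ESXi", "6.5.0"),
    Host("esx-b", "ESXi", "6.5.0", advisory_patch_applied=True),
    Host("esx-c", "ESXi", "6.0.0"),
    Host("esx-d", "ESXi", "5.5"),
    Host("ws-1", "Workstation", "12.5.6"),
    Host("ws-2", "Workstation", "12.5.7"),
    Host("mac-1", "Fusion", "8.5.7"),
    Host("mac-2", "Fusion", "8.5.8"),
    Host("vc-1", "vCenter", "6.5.0"),
    Host("vc-2", "vCenter", "6.5.0 U1", advisory_patch_applied=True),
    Host("vc-3", "vCenter", "6.0.0"),
]

if __name__ == "__main__":
    for name, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{name:8} {', '.join(cves)}")
```

The point of the `advisory_patch_applied` flag is the one that trips people up in practice: for the desktop products a version comparison is enough, but for ESXi and vCenter a host can be fully patched and still report the same dotted version, so any scanner that keys only on `6.5.0` will produce false positives (or, worse, false negatives if it keys on something it mistakes for a fixed version).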

* VMware's original advisory said “SVGA driver”; that's VMware's mistake and we've struck it out. Security Advisory VMSA-2017-0015 received a .1 update to correct the error.


Biting the hand that feeds IT © 1998–2017
