Two VM Escape flaws found in VMware VMXNet3 Adapters
There was a fascinating VM escape bug demonstrated at GeekPwn2018. A VM escape is where it's possible to break out of the confines of the VM and execute actions on the host. A video on Twitter shows this in action here.
Summary
VMware ESXi, Fusion and Workstation contain uninitialized stack memory usage in the vmxnet3 virtual network adapter. This issue may allow a guest to execute code on the host. The issue is present if vmxnet3 is enabled. Non vmxnet3 virtual adapters are not affected by this issue.
Background
The VMXNET3 adapter is the one VMware recommends because it offers the best throughput of all the adapter options. As such, it's likely in use on most virtual machines.
Mitigation
This vulnerability can only be used by someone who has access to the virtual machine. This becomes a bigger risk if your VMs are exposed to the internet.
Patches
A patch has been released for this vulnerability, but it's only for ESXi 6.0 and above. If you run anything older, there is no patch for this bug.
Links
VMware article on this issue https://www.vmware.com/security/advisories/VMSA-2018-0027.html
For some reason, CVE haven't posted the articles, so I'll link to the awesome updates from Tenable.