VMware told customers this week that it has fixed several bugs in its ESXi, Workstation, Fusion and NSX-T products, including a critical bug that allows arbitrary code execution.
Tracked as CVE-2020-3992, the critical vulnerability has been identified as a use-after-free issue affecting the ESXi OpenSLP service.
The vulnerability was reported to VMware on July 22 by Lucas Leong of Trend Micro's Zero Day Initiative (ZDI). ZDI said in its own advisory that the vulnerability can be exploited by a remote, unauthenticated attacker to execute arbitrary code.
“The specific flaw exists within the handling of SLP messages. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the SLP daemon,” ZDI said.
VMware, however, points out that in order to exploit the flaw, the attacker has to reside on the management network and have access to port 427 on an ESXi machine.
The vulnerability was patched in ESXi and in VMware Cloud Foundation, the hybrid cloud platform VMware developed to manage virtual machines and orchestrate containers.
VMware also patched a high-severity vulnerability in NSX-T, CVE-2020-3993, which relates to how a KVM host downloads and installs packages from the NSX manager. A MitM attacker could exploit it to compromise transport nodes.
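Because the stated precondition for CVE-2020-3992 is reachability of port 427 on the ESXi management network, a defender's first question is which hosts still expose the SLP service. The script below is an added example, not VMware's or ZDI's code: it parses the text output of two ESXi commands that an administrator is assumed to have collected beforehand, `esxcli network firewall ruleset list` (a Name/Enabled table) and `chkconfig --list` (service on/off lines), flags hosts where `slpd` is enabled or the `CIMSLP` firewall ruleset is open, and lists the commands from VMware's published SLP workaround (stop and disable `slpd`, disable the `CIMSLP` ruleset) that would close that surface. The two command outputs embedded here are constructed samples.

```python
"""Audit whether an ESXi host still exposes the OpenSLP service (port 427).

Added example, not VMware tooling. Input is the captured text output of
`esxcli network firewall ruleset list` and `chkconfig --list`, assumed to
have been collected from the host (e.g. over SSH) before running this.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample output, shaped like `esxcli network firewall ruleset list`.
RULESET_OUTPUT_CONSTRUCTED = """\
Name                 Enabled
-------------------  -------
sshServer            true
sshClient            false
CIMSLP               true
vSphereClient        true
"""

# Constructed sample output, shaped like `chkconfig --list` on ESXi.
CHKCONFIG_OUTPUT_CONSTRUCTED = """\
SSH                     on
slpd                    on
ntpd                    off
"""


@dataclass
class SlpExposure:
    slpd_enabled: bool
    cimslp_ruleset_enabled: bool

    @property
    def exposed(self) -> bool:
        # The attack precondition is reachability of port 427; either a
        # running slpd or an open CIMSLP ruleset keeps that surface alive.
        return self.slpd_enabled or self.cimslp_ruleset_enabled


def parse_firewall_rulesets(text: str) -> dict[str, bool]:
    """Map ruleset name -> enabled, skipping the header and separator rows."""
    rules: dict[str, bool] = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(true|false)\s*$", line.strip())
        if m:
            rules[m.group(1)] = m.group(2) == "true"
    return rules


def parse_chkconfig(text: str) -> dict[str, bool]:
    """Map service name -> enabled (on/off) from chkconfig output."""
    services: dict[str, bool] = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(on|off)\s*$", line.strip())
        if m:
            services[m.group(1)] = m.group(2) == "on"
    return services


def assess_slp(ruleset_text: str, chkconfig_text: str) -> SlpExposure:
    """Combine both outputs into a single exposure verdict for one host."""
    rules = parse_firewall_rulesets(ruleset_text)
    services = parse_chkconfig(chkconfig_text)
    return SlpExposure(
        slpd_enabled=services.get("slpd", False),
        cimslp_ruleset_enabled=rules.get("CIMSLP", False),
    )


def remediation_steps(exposure: SlpExposure) -> list[str]:
    """Commands from VMware's documented SLP workaround, only those still needed."""
    steps: list[str] = []
    if exposure.slpd_enabled:
        steps.append("/etc/init.d/slpd stop")   # stop the running daemon
        steps.append("chkconfig slpd off")      # keep it off across reboots
    if exposure.cimslp_ruleset_enabled:
        steps.append("esxcli network firewall ruleset set -r CIMSLP -e 0")
    return steps


if __name__ == "__main__":
    verdict = assess_slp(RULESET_OUTPUT_CONSTRUCTED, CHKCONFIG_OUTPUT_CONSTRUCTED)
    print("SLP exposed:", verdict.exposed)
    for cmd in remediation_steps(verdict):
        print("  ", cmd)
```

Run it against each host's captured output after patching as well as before: a host that is patched but still has `slpd` enabled has no known bug, but it keeps an unauthenticated listener on the management network that the advisory treats as the entry point.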
Researcher Reno Robert reported to VMware through ZDI that out-of-bounds read and out-of-bounds write bugs affect ESXi, Fusion and Workstation; these can allow an attacker with admin access to a VM to leak information, escalate privileges and execute arbitrary code.
“The specific flaw exists within the implementation of the BDOOR_CMD_PATCH_ACPI_TABLES command. The issue results from the lack of proper locking when performing operations on an object,” ZDI wrote in its advisories for both issues.
A memory leak issue in the VMCI host drivers also affects the same VMware products and can allow an attacker with access to a VM to trigger a DoS condition.
Thorsten Tüllmann of the Karlsruhe Institute of Technology informed VMware of a high-severity vCenter Server vulnerability that can be abused to hijack sessions. The flaw is tracked as CVE-2020-3994.
“If the vCenter Server Appliance Management Interface is used to retrieve vCenter updates, a malicious attacker with network positioning between the vCenter Server and an upgrade repository may be able to perform a session hijack,” VMware explained.