Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion

Published: 2018-11-09 20:38:39 | Updated: 2018-11-09 20:39:18
Severity High
Patch available YES
Number of vulnerabilities 2
CVE ID CVE-2018-6981
CVE-2018-6982
CVSSv3 5.7 [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
3.8 [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CWE ID CWE-121
Exploitation vector Local network
Public exploit Not available
Vulnerable software VMware ESXi
VMware Workstation
VMware Fusion
Vulnerable software versions VMware ESXi 6.7
VMware ESXi 6.5
VMware ESXi 6.0
VMware Workstation 15.0.0
VMware Workstation 14.1.3
VMware Workstation 14.1.2
Show more
VMware Fusion 11.0.0
VMware Fusion 10.1.3
VMware Fusion 10.1.2
Show more
Vendor URL VMware, Inc

Security Advisory

1) Stack-based buffer overflow

Description

The vulnerability allows an adjacent attacker to execute arbitrary code on the target system.

The weakness exists due to uninitialized stack memory usage in the vmxnet3 virtual network adapter. A remote attacker can trigger memory corruption if vmxnet3 is enabled and execute arbitrary code with elevated privileges.

Remediation

Install update from vendor's website.

External links

https://www.vmware.com/security/advisories/VMSA-2018-0027.html

2) Stack-based buffer overflow

Description

The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.

The weakness exists due to uninitialized stack memory usage in the vmxnet3 virtual network adapter. A remote attacker can trigger memory corruption if vmxnet3 is enabled and access arbitrary data.

Remediation

Install update from vendor's website.

External links

https://www.vmware.com/security/advisories/VMSA-2018-0027.html

Back to List