#VU14413 Out-of-bounds write in VMware Workstation and VMware Fusion
Vulnerability identifier: #VU14413
Vulnerability risk: Medium
CVSSv3.1: 8.3 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-787
Exploitation vector: Local network
Exploit availability: No
Vulnerable software:
VMware Workstation
Client/Desktop applications /
Virtualization software
VMware Fusion
Client/Desktop applications /
Virtualization software
Vendor: VMware, Inc
Description
The vulnerability allows an adjacent attacker to execute arbitrary code on the target system.
The vulnerability exists due to out-of-bounds write in the e1000 device. An adjacent attacker can trigger memory corruption and execute arbitrary code withe elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Mitigation
Update Workstation to version 14.1.3.
Update Fusion to version 10.1.3.
Vulnerable software versions
VMware Workstation: 14.0 - 14.1.2
VMware Fusion: 10.0 - 10.1.2
External links
http://www.vmware.com/security/advisories/VMSA-2018-0022.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
