===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3535
          VMware ESXi, Workstation, and Fusion updates address
                      uninitialized stack memory usage
                              12 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware Workstation
                   VMware Fusion
Publisher:         VMware
Operating System:  Virtualisation
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-6982 CVE-2018-6981

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2018-0027.html

--------------------------BEGIN INCLUDED TEXT--------------------

-----------------------------------------------------------------------
                        VMware Security Advisory

Advisory ID: VMSA-2018-0027
Severity:    Critical
Synopsis:    VMware ESXi, Workstation, and Fusion updates address
             uninitialized stack memory usage
Issue date:  2018-11-09
Updated on:  2018-11-09 (Initial Advisory)
CVE number:  CVE-2018-6981, CVE-2018-6982

1. Summary

   VMware ESXi, Workstation, and Fusion updates address uninitialized
   stack memory usage.

2. Relevant Products

   VMware vSphere ESXi (ESXi)
   VMware Workstation Pro / Player (Workstation)
   VMware Fusion Pro / Fusion (Fusion)

3. Problem Description

   a. vmxnet3 uninitialized stack memory usage

   VMware ESXi, Fusion and Workstation contain uninitialized stack
   memory usage in the vmxnet3 virtual network adapter. This issue may
   allow a guest to execute code on the host. The issue is present if
   vmxnet3 is enabled. Non vmxnet3 virtual adapters are not affected by
   this issue.

   VMware would like to thank the organizers of GeekPwn2018 and security
   researcher Zhangyanyu of Chaitin Tech for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2018-6981 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware       Product  Running            Replace with/          Mitigation/
   Product      Version  on       Severity  Apply patch            Workaround
   ===========  =======  =======  ========  =====================  ===========
   ESXi         6.7      ESXi     Critical  ESXi670-201811401-BG   None
   ESXi         6.5      ESXi     Critical  ESXi650-201811301-BG   None
   ESXi         6.0      ESXi     Critical  ESXi600-201811401-BG   None
   Workstation  15.x     Any      Critical  15.0.1                 None
   Workstation  14.x     Any      Critical  14.1.4                 None
   Fusion       11.x     OS X     Critical  11.0.1                 None
   Fusion       10.x     OS X     Critical  10.1.4                 None

   b. vmxnet3 uninitialized stack memory usage

   VMware ESXi, Fusion and Workstation contain uninitialized stack
   memory usage in the vmxnet3 virtual network adapter. This issue may
   lead to an information leak from host to guest. The issue is present
   if vmxnet3 is enabled. Non vmxnet3 virtual adapters are not affected
   by this issue.

   VMware would like to thank the organizers of GeekPwn2018 and security
   researcher Zhangyanyu of Chaitin Tech for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2018-6982 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware       Product  Running             Replace with/          Mitigation/
   Product      Version  on       Severity   Apply patch            Workaround
   ===========  =======  =======  =========  =====================  ===========
   ESXi         6.7      ESXi     Important  ESXi670-201811401-BG   None
   ESXi         6.5      ESXi     Important  ESXi650-201811301-BG   None
   ESXi         6.0      ESXi     N/A        not affected           N/A
   Workstation  Any      Any      N/A        not affected           N/A
   Fusion       Any      OS X     N/A        not affected           N/A

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   ESXi 6.7
   Downloads:
   https://my.vmware.com/group/vmware/patch
   Documentation:
   https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-201811001.html

   ESXi 6.5
   Downloads:
   https://my.vmware.com/group/vmware/patch
   Documentation:
   https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-201811001.html

   ESXi 6.0
   Downloads:
   https://my.vmware.com/group/vmware/patch
   Documentation:
   https://docs.vmware.com/en/VMware-vSphere/6.0/rn/esxi600-201811001.html

   VMware Workstation Pro 14.1.4, 15.0.1
   Downloads and Documentation:
   https://www.vmware.com/go/downloadworkstation
   https://docs.vmware.com/en/VMware-Workstation-Pro/index.html

   VMware Workstation Player 14.1.4, 15.0.1
   Downloads and Documentation:
   https://www.vmware.com/go/downloadplayer
   https://docs.vmware.com/en/VMware-Workstation-Player/index.html

   VMware Fusion Pro / Fusion 10.1.4, 11.0.1
   Downloads and Documentation:
   https://www.vmware.com/go/downloadfusion
   https://docs.vmware.com/en/VMware-Fusion/index.html

5. References

   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6981
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6982

------------------------------------------------------------------------

6. Change log

   VMSA-2018-0027 2018-11-09
   Initial security advisory in conjunction with the release of ESXi
   6.0, 6.5, 6.7 patches and VMware Workstation 14.1.4, 15.0.1 and
   Fusion 10.1.4, 11.0.1 on 2018-11-09.

------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     security-announce at lists.vmware.com
     bugtraq at securityfocus.com
     fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   https://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2018 VMware Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need
further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
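
An exposure check for the condition stated in section 3 of the advisory (the issue is present only if a vmxnet3 adapter is enabled), added here as an example and not part of the VMware or AusCERT text. It assumes the VM's .vmx file uses the `ethernetN.present` and `ethernetN.virtualDev` keys, runs on a constructed sample .vmx, and takes fixed releases from the CVE-2018-6981 table; all function names are hypothetical.

```python
import re

# Fixed releases for CVE-2018-6981, copied from the first table in the advisory.
FIXED = {("workstation", 15): "15.0.1", ("workstation", 14): "14.1.4",
         ("fusion", 11): "11.0.1", ("fusion", 10): "10.1.4"}
# ESXi is fixed by a patch bulletin, so a version number alone cannot prove it is patched.
ESXI_BULLETIN = {"6.7": "ESXi670-201811401-BG", "6.5": "ESXi650-201811301-BG",
                 "6.0": "ESXi600-201811401-BG"}
# Assumed .vmx key layout: ethernetN.present / ethernetN.virtualDev = "value"
VMX_KEY = re.compile(r'^\s*(ethernet\d+)\.(present|virtualDev)\s*=\s*"([^"]*)"', re.I)

# Constructed sample .vmx content (not taken from the advisory).
SAMPLE_VMX = '''\
.encoding = "UTF-8"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000"
ethernet2.present = "FALSE"
ethernet2.virtualDev = "vmxnet3"
'''

def vmxnet3_adapters(vmx_text):
    """Return the adapters that are both present and of type vmxnet3."""
    nics = {}
    for line in vmx_text.splitlines():
        m = VMX_KEY.match(line)
        if m:
            nics.setdefault(m.group(1).lower(), {})[m.group(2).lower()] = m.group(3).lower()
    return sorted(name for name, kv in nics.items()
                  if kv.get("present") == "true" and kv.get("virtualdev") == "vmxnet3")

def remediation(product, version):
    """Return the action from column 5 of the table, or None if already fixed."""
    product = product.lower()
    if product == "esxi":
        bulletin = ESXI_BULLETIN.get(".".join(version.split(".")[:2]))
        return f"verify {bulletin} is installed" if bulletin else "release not listed in advisory"
    ver = tuple(int(part) for part in version.split("."))
    fixed = FIXED.get((product, ver[0]))
    if fixed is None:
        return "release not listed in advisory"
    return None if ver >= tuple(int(p) for p in fixed.split(".")) else f"upgrade to {fixed}"

def triage(product, version, vmx_text):
    """Combine both checks: no vmxnet3 adapter means no action for this VM."""
    nics = vmxnet3_adapters(vmx_text)
    return {"exposed_adapters": nics, "action": remediation(product, version) if nics else None}
```
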