VMware Patches Security Vulnerabilities First Disclosed at Pwn2Own

VMware released an update fixing four different security vulnerabilities that could have potentially enabled an attacker to escape the isolation of a virtual machine and attack a host operating system.

Pwn2own 2017

VMware customers now have patches for four different security vulnerabilities that were first demonstrated at the Pwn2Own hacking competition on March 17. Two separate groups of security research teams were able to successfully exploit VMware products at the Pwn2own event that awards security researchers for demonstrating zero-day vulnerabilities in software.

Team 360 Security researchers from Qihoo 360 Software, were able to successfully exploit VMware Workstation at the Pwn2Own event with a chain of several exploits. For their efforts, Trend Micro's Zero Day Initiative (ZDI), which runs the Pwn2Own event, awarded the researchers $105,000. At the event, ZDI reported that 360 Security was able to chain together a memory heap overflow vulnerability in Microsoft's Edge web browser, accompanied by a type confusion vulnerability in the Microsoft Windows kernel.  The final link in the exploit chain was initially reported as a zero-day uninitialized buffer vulnerability in VMware Workstation. The entire exploit enabled the researchers to successfully execute a virtual machine escape.

VMware's security advisory on the issue identifies the flaw as an SVGA memory corruption vulnerability combined with a heap buffer overflow. The two vulnerabilities are officially designated as CVE-2017-4902 (heap issue) and CVE-2017-4903 (stack issue).

"ESXi, Workstation and Fusion have a heap buffer overflow and uninitialized stack memory usage in SVGA," VMware's advisory states. "These issues may allow a guest to execute code on the host."

The second group that successfully exploited VMware at Pwn2Own was Tencent Security Team Sniper, which also made use of an exploit chain. ZDI awarded Team Sniper $100,000 for demonstrating a VMware Workstation attack that enabled the Team Sniper researchers to escape from the guest virtual machine to attack the host system.

"The ESXi, Workstation, and Fusion XHCI controller has uninitialized memory usage," VMware's advisory warns.  "This issue may allow a guest to execute code on the host."

The second issue (CVE-2017-4905) reported by Team Sniper and now fixed by VMware, is also identified as an uninitialized memory usage vulnerability. Though as opposed to the first issue, the CVE-2017-4905 flaw can lead to information disclosure.

VMware is not the only vendor that has already publicly patched flaws that were first demonstrated at the Pwn2Own 2017 event. Linux kernel developers have also patched for an exploit identified as CVE-2017-7184 that was first publicly demonstrated on the first day of the Pwn2own event.

Mozilla was actually the first software vendor to publicly patch for flaws revealed at the 2017 Pwn2Own event. The Mozilla Firefox web browser was exploited on March 16, during the second day of the event. Researchers from Chaitin Security Research Lab earned $30,000 for demonstrating an integer overflow exploit identified as CVE-2017-5248. Mozilla patched the flaw within a day of the researchers demonstrating the flaw, releasing a patched version of Firefox on March 17.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.