VMware released updates and patches for its ESXi, Fusion and Workstation products to address some critical and moderate severity vulnerabilities which are disclosed at the Pwn2Own competition 2017.
The Pwn2Own participants made more than $200,000 this year for various exploits involving VMware virtual machine escapes. The researchers at Qihoo 360 made $105,000 for a Microsoft Edge exploit which achieved a VM escape, and the Tencent Security’s Team Sniper received $100,000 for a Workstation exploit which leveraged two vulnerabilities.
According to the VMware, Qihoo 360 team leveraged a heap buffer overflow (CVE-2017-4902) and also an uninitialized stack memory usage in SVGA (CVE-2017-4903) which allows an attacker in the guest operating system to execute code some on the host.
One of these security holes exploited by the Team Sniper is an uninitialized memory usage issue (CVE-2017-4904) in XHCI controller that can be exploited to execute the code on host from the guest OS.
The second flaw is disclosed by the Team Sniper at the Pwn2Own, it is rated “moderate severity,” and is an information leak weakness which is also caused by uninitialized memory usage.
These flaws affect ESXi 6.0 and 6.5, the Fusion 8.x on OS X and the Workstation 12.x on all operating systems. CVE-2017-4905 and CVE-2017-4904 also affect the ESXi 5.5, but former can only be exploited for the denial-of-service (DoS) attacks and not a code execution.
The Mozilla also patched a Firefox vulnerability disclosed at this year’s Pwn2Own. But, they managed to pull it off in just a day after the bug is presented in the hacking competition.
This was not the first time VMware patched flaws disclosed at such an event. Last year, it resolved a Workstation and Fusion vulnerability demonstrated at PwnFest, a hacking competition that took place in South Korea at the Power Of Community (POC) conference.
VMware has also released patches for the recently disclosed Apache Struts2 vulnerability, which the company has classified as “catastrophic.”