{"uuid": "7e22ebbd-a6da-484e-a32b-1849eecfaa12", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2018-6957", "type": "published-proof-of-concept", "source": "https://t.me/information_security_channel/14522", "content": "VMware Patches DoS Vulnerability in Workstation, Fusion\nhttp://feedproxy.google.com/~r/Securityweek/~3/iOIWPibQVnw/vmware-patches-dos-vulnerability-workstation-fusion\n\nVMware informed customers on Thursday that it has patched a denial-of-service (DoS) vulnerability in its Workstation and Fusion products. Details of the flaw and proof-of-concept code have been made public.\nIn its advisory (https://www.vmware.com/security/advisories/VMSA-2018-0008.html), VMware said the vulnerability affects Workstation 12.x and 14.x on all platforms, and Fusion 8.x and 10.x on OS X. Patches are included in Workstation 14.1.1 and Fusion 10.1.1. A workaround (https://kb.vmware.com/s/article/52934) that involves setting a password for the VNC connection can be applied to Workstation 12.x and Fusion 8.x releases.\nThe flaw, tracked as CVE-2018-6957, was discovered by Lilith Wyatt of Cisco Talos. VMware says it can be exploited to cause a DoS condition by opening a large number of VNC sessions. VNC, which is used in VMware products for remote management and automation purposes, must be manually enabled for the exploit to work.\nWhile VMware has classified the vulnerability as \u201cimportant,\u201d Cisco Talos has assigned it a CVSS score of 7.5, which puts it in the \u201chigh severity\u201d category.\nIn its own advisory, Cisco said an attacker can trigger an exception on a targeted server and cause the virtual machine to shut down by initiating numerous VNC sessions.\n\u201cSince the VMware VNC server is naturally multi-threaded, there are locks and semaphores and mutexes to deal with shared variables. 
The VNC server also maintains a global variable that indicates the amount of locks that are currently used, that is incremented by certain events,\u201d Talos explained (https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0376).\nThe code uses a variable to count the locks and ensure that their number is not too high. Wyatt discovered that each TCP connection to the VNC increments this variable twice, and initiating a large number of connections will eventually lead to a DoS condition and a shutdown of the VM. Cisco\u2019s advisory includes a one-line PoC exploit.\nVMware sponsored the recent Pwn2Own 2018 (https://www.securityweek.com/hackers-awarded-267000-pwn2own-2018) hacking competition and offered up to $70,000 for VMware Workstation exploits. However, none of the contestants targeted the company\u2019s products. At last year\u2019s event, white hat hackers did disclose exploits (https://www.securityweek.com/hackers-earn-200000-vm-escapes-pwn2own-2017) that included VMware virtual machine escapes.\nRelated: VMware Addresses Meltdown, Spectre Flaws in Virtual Appliances (https://www.securityweek.com/vmware-addresses-meltdown-spectre-flaws-virtual-appliances)\nRelated: Serious Flaws Affect Dell EMC, VMware Data Protection Products (https://www.securityweek.com/serious-flaws-affect-dell-emc-vmware-data-protection-products)\nRelated: VMware Patches Vulnerabilities in vCenter Server (https://www.securityweek.com/vmware-patches-vulnerabilities-vcenter-server)", "creation_timestamp": "2018-03-16T19:45:48.000000Z"}