VMware has just released Workstation 12.5.5, which includes bug fixes as well as fixes for several vulnerabilities found in this year's Pwn2Own contest, in which two hacking teams, 360 Security (@mj011sec) and Team Sniper, were able to successfully complete a virtual machine escape.
While these are serious exploits, VMware has said they are not aware of any active exploitation of the vulnerabilities that have now been fixed in 12.5.5.
Issues Resolved in VMware Workstation 12.5.5
- VMware Workstation Pro has a heap buffer overflow and uninitialized stack memory usage in SVGA. These issues might allow a guest virtual machine to execute code on the host.
- Heap overflow leading to arbitrary code execution. Critical issue. CVE-2017-4902
- Uninitialized stack value leading to arbitrary code execution. Critical issue. CVE-2017-4903
- Uninitialized stack value leading to arbitrary code execution. Critical issue. CVE-2017-4904
- Uninitialized memory read leading to information disclosure. Moderate issue. CVE-2017-4905
- Installing VMware Tools on a 64-bit Windows virtual machine might result in an error. After you install VMware Tools on a 64-bit Windows virtual machine, when the virtual machine boots up, the system might display the following error: VMware Tools unrecoverable error: (vthread-4) Exception 0xc0000005 (access violation) has occurred. VMware Workstation 12.5.5 fixes this issue.
The good news is that VMware not only fixed these exploits quickly, but the episode also shows that these types of exploits are not something most script kiddies are typically going to find. Instead, they require a person or team that is highly skilled and motivated. In the case of Pwn2Own, the two teams mentioned above won a combined amount of over $200,000.00 USD to expose these exploits!
View the full Workstation 12.5.5 release notes here.