Your one-stop web resource providing safety and security information to manufacturers

VMware patched a denial-of-service (DoS) vulnerability in its Workstation and Fusion products.

In its advisory, VMware said the vulnerability affects Workstation 12.x and 14.x on all platforms, and Fusion 8.x and 10.x on OS X. Patches are included in Workstation 14.1.1 and Fusion 10.1.1.


Details of the flaw and proof-of-concept code have been made public.

For Workstation 12.x and Fusion 8.x, for which no patched release is listed, VMware's workaround is to set a password on the VNC connection so that unauthenticated clients cannot open sessions.
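Added example, not code from VMware, Cisco Talos or the advisory: a small Python audit that reads Workstation/Fusion .vmx files and reports VMs that have VNC enabled but no VNC password, i.e. the configuration that leaves an unpatched host open to the session flood and that the workaround above is meant to close. It assumes the RemoteDisplay.vnc.enabled, .port, .password and .key keys that .vmx files use, and the sample .vmx contents are constructed.

```python
"""Audit VMware .vmx files for VNC enabled without a password (CVE-2018-6957 workaround check).

Added example; not VMware's or Cisco Talos's code. Assumes the RemoteDisplay.vnc.*
keys used by Workstation/Fusion .vmx files. The sample .vmx contents are constructed.
"""
import re
from typing import Dict, List

# .vmx files are flat key = "value" lines; lines starting with '#' are comments.
_VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse .vmx text into a dict. Keys are lower-cased because VMware treats them
    case-insensitively (remoteDisplay.vnc.enabled and RemoteDisplay.vnc.enabled are the same key)."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def vnc_status(cfg: Dict[str, str]) -> Dict[str, object]:
    """Summarise one VM's VNC exposure.

    enabled      - RemoteDisplay.vnc.enabled is TRUE (the flaw needs VNC on at all)
    password_set - a VNC password is configured (the advisory's workaround);
                   assumption: either the plaintext .password key or the
                   obfuscated .key key counts as "set"
    port         - listening port; VMware's default of 5900 is assumed if absent
    """
    enabled = cfg.get("remotedisplay.vnc.enabled", "FALSE").strip().upper() == "TRUE"
    password_set = bool(cfg.get("remotedisplay.vnc.password", "").strip()
                        or cfg.get("remotedisplay.vnc.key", "").strip())
    port = cfg.get("remotedisplay.vnc.port", "5900")
    return {"enabled": enabled, "password_set": password_set, "port": port}


def audit(vmx_files: Dict[str, str]) -> List[str]:
    """Return the names of VMs that expose VNC with no password, i.e. the ones an
    unauthenticated client on the network could flood with VNC sessions."""
    exposed = []
    for name, text in vmx_files.items():
        status = vnc_status(parse_vmx(text))
        if status["enabled"] and not status["password_set"]:
            exposed.append(name)
    return sorted(exposed)


# Constructed sample .vmx contents (not real files).
SAMPLE_VMX = {
    "build-agent.vmx": '''.encoding = "UTF-8"
config.version = "8"
displayName = "build-agent"
RemoteDisplay.vnc.enabled = "FALSE"
''',
    "jump-host.vmx": '''.encoding = "UTF-8"
displayName = "jump-host"
remoteDisplay.vnc.enabled = "TRUE"
remoteDisplay.vnc.port = "5901"
remoteDisplay.vnc.password = "correct horse battery staple"
''',
    "lab-target.vmx": '''.encoding = "UTF-8"
displayName = "lab-target"
# VNC turned on for automation, password never set
RemoteDisplay.vnc.enabled = "TRUE"
RemoteDisplay.vnc.port = "5900"
''',
}

if __name__ == "__main__":
    for name in audit(SAMPLE_VMX):
        st = vnc_status(parse_vmx(SAMPLE_VMX[name]))
        print(f"{name}: VNC enabled on port {st['port']} with no password; set one or patch")
```

Running this against the constructed samples flags only lab-target.vmx. A password only blocks unauthenticated session floods; on Workstation 14.x and Fusion 10.x the real fix is the patched release.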


The flaw, tracked as CVE-2018-6957, was discovered by Lilith Wyatt of Cisco Talos. VMware said it can be exploited to cause a DoS condition by opening a large number of VNC sessions.

VNC, which VMware products use for remote management and automation, is not on by default; it must be enabled manually on a virtual machine before the flaw can be exploited against it.

While VMware has classified the vulnerability as “important,” Cisco Talos has assigned it a CVSS score of 7.5, which puts it in the “high severity” category.

In its own advisory, Cisco said an attacker can trigger an exception on the targeted server by initiating numerous VNC sessions, which causes the virtual machine to shut down.

The affected code uses a variable to count the locks and to ensure their number does not grow too high.
