Vulnerabilities Patched in VMware ESXi, Workstation, Fusion

VMware informed customers last week that it patched several vulnerabilities that can lead to a denial-of-service (DoS) condition or information disclosure in its ESXi, Workstation, and Fusion products. VMware described the flaws as out-of-bounds read issues in the shader translator component. An attacker with regular user privileges can exploit the security holes to obtain information or crash virtual machines. The vulnerabilities, classified as “important,” are tracked as CVE-2018-6965, CVE-2018-6966 and CVE-2018-6967. A Tencent ZhanluLab researcher who uses the online moniker “RanchoIce” has been credited for reporting the flaws to VMware. A researcher from Cisco Talos independently discovered CVE-2018-6965. According to VMware, the flaws impact ESXi 6.7 and Workstation 14.x running on any platform, and Fusion 10.x running on OS X. Patches and updates have been released for each of the affected products. Cisco Talos has published an advisory containing technical details for CVE-2018-6965. The company has assigned a CVSS score of 6.5 to this vulnerability, which puts it near the “high severity” range.