Rewterz Threat Advisory – CVE-2018-6973 and CVE-2018-3646 VMWare Workstation Player Multiple Vulnerabilities

Multiple vulnerabilities are found in VMware Workstation Player which may result in disclosure of sensitive information and bypassing of certain security restrictions.

IMPACT:  CRITICAL

PUBLISH DATE:  15-08-2018

OVERVIEW

Some vulnerabilities in VMware Workstation player and Fusion may lead to unauthorized disclosure of potentially sensitive information stored in the L1 data cache to an attacker, using a local user access. Moreover, the vulnerabilities may cause a bypassing of some of the security restrictions and lead to code execution on the host by a guest.

BACKGROUND INFORMATION

The CVE-2018-6973 is attributed to an out-of-bounds write vulnerability in the e1000 device, in VMware Workstation (14.x before 14.1.3) and Fusion (10.x before 10.1.3). This vulnerability may authorize a guest to execute code on the host.

CVE-2018-3646 is for systems with microprocessors utilizing speculative execution. This vulnerability may cause unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access, authorizing him with guest OS privilege via a terminal page fault and a side-channel analysis.

ANALYSIS

An error within the e1000 network adapter can be exploited by an attacker to cause an out-of-bounds write memory access and subsequently execute arbitrary code with host privileges. The CVE-2018-6973 vulnerability is reported in VMware Workstation and Fusion.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

The CVE-2018-3646 vulnerability may allow a malicious VM running on a given CPU core to effectively read the hypervisor’s or another VM’s privileged information that resides sequentially or concurrently in the same core’s L1 Data cache.

CVE-2018-3646 has two currently known attack vectors; “Sequential-Context” and “Concurrent-Context.

Sequential-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core.

Concurrent-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the Hyper-Threading enabled processor core.

MITIGATION

The Sequential-context attack vector is mitigated by a vSphere update to the affected product versions. This mitigation is dependent on Intel microcode updates (provided in separate ESXi patches for most Intel hardware platforms), and is enabled by default and does not impose a significant performance impact.

The Concurrent-context attack vector is mitigated through enablement of a new feature known as the “ESXi Side-Channel-Aware Scheduler”. This feature may impose a significant performance impact and is therefore not enabled by default.

The following updates include Hypervisor-Specific Mitigations for L1 Terminal Fault – VMM.

UPDATES

For CVE-2018-3646, following products need to be updated to patched versions as listed in the table.

The update details for products affected by CVE-2018-6973 are listed below:

It is best to update the running versions of the affected products as per the advisory. Furthermore, if you think you are a victim of a cyber-security attack. Immediately send an email to info@rewterz.com for a rapid response.