VMware Patches Virtual Machine Escape Vulnerability

VMware quickly turned around a patch for a critical code execution flaw that was worth $150,000 to the researchers who found it.

While there have been no reported public exploits, the vulnerability is serious because it could allow an attacker to access a virtual instance and run code on the host machine.

The bug was exploited during last week’s PwnFest hacker contest in South Korea, which ran alongside the Power of Community conference. Hackers from China’s Qihoo 360 also took down Google’s new Pixel mobile device, as well as Microsoft Edge and Adobe Flash, winning more than a half-million dollars in the process.

The VMware vulnerability is an out-of-bounds memory access bug in the drag-and-drop function that lives in both VMware Workstation Pro and Player, and VMware Fusion and Fusion Pro.

“This may allow a guest to execute code on the operating system that runs Workstation or Fusion,” VMware said in its advisory.

VMware said the vulnerability (CVE-2016-7461) affects version 12.x of Workstation and 8.x of Fusion, and urges customers to upgrade to 12.5.2 and 8.5.2, respectively. There are temporary mitigations, VMware said.

“On Workstation Pro and Fusion, the issue cannot be exploited if both the drag-and-drop function and the copy-and-paste (C&P) function are disabled,” VMware said. “This workaround is not available on Workstation Player.”

Vulnerabilities and exploits that allow hackers to attack the host machine are the holy grail when it comes to attacks against virtual machines. Last year, Xen patched such a bug in the QEMU open source machine emulator running in the Xen hypervisor. Xen said at the time that a heap overflow in the QEMU IDE subsystem could allow an attacker to use the flaw to run code on the host with the same privileges as the QEMU process.