ADVISORY: Update VMware ESXi, Workstation, and Fusion for critical vulnerabilities

Wednesday, April 5, 2017

This message is intended for U-M IT staff who operate or manage virtualized environments that use VMware ESXi. It is also intended for anyone who uses VMware Workstation or Fusion on their computer. It was sent to U-M IT staff groups on April 5, 2017.

Summary: 

Updates to VMware ESXi, Workstation, and Fusion are available to address critical and moderate security issues. There is no known active exploitation as yet, so these updates should be applied after appropriate testing in accordance with normal patching cycles or maintenance periods.

Problem: 

Critical and moderate vulnerabilities were discovered in VMware ESXi, Workstation Pro and Player, and Fusion during the recent Pwn2Own hacking contest. These vulnerabilities could be exploited to escape from the isolation of virtual machines and execute code on the host system.

Affected Versions: 
Action Items: 

ITS staff are working now to schedule an update to the virtualization services ITS provides to the university. MiWorkspace staff have already distributed updates to MiWorkspace machines.

4/6/17 update: Health Information Technology & Services (HITS) staff expect to complete needed patching at Michigan Medicine by the end of the day.

Threats: 

Some of the vulnerabilities may allow an attacker to "escape" a virtual machine and execute code in the context of the host. Worst-case scenario could allow an attacker who has access to a "guest" virtual machine to take control of the virtualization infrastructure. There is no known active exploitation of these vulnerabilities in the wild as of yet.

Technical Details: 

Unpatched versions of ESXi, Workstation, and Fusion have the following vulnerabilities:

  • A heap buffer overflow and uninitialized stack memory usage in SVGA. These issues may allow a guest to execute code on the host.
  • Uninitialized memory usage. This issue may lead to an information leak.  

In addition, unpatched versions of the ESXi, Workstation, and Fusion XHCI controller have uninitialized memory usage. This issue may allow a guest to execute code on the host. The issue is reduced to a Denial of Service of the guest on ESXi 5.5.

Information for Users: 

MiWorkspace machines have been updated. If you have VMware  installed on your own computers that are not managed by the university, please update to the latest version.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Use a Secure Internet Connection on the U-M Safe Computing website.