VMware Patches Several Vulnerabilities Allowing Code Execution on Hypervisor
2020-06-24 15:33

VMware informed customers on Tuesday that it addressed a total of 10 vulnerabilities affecting its ESXi, Workstation and Fusion products, including critical and high-severity flaws that can be exploited for code execution on the hypervisor.

An attacker who has local access to a virtual machine with 3D graphics enabled can exploit the weakness for arbitrary code execution on the hypervisor from the VM. VMware has pointed out that 3D graphics are enabled by default on Workstation and Fusion, but not on ESXi.

Similar to the aforementioned security holes, this one also allows an attacker with local access to a VM to execute arbitrary code on the hypervisor.

A high-severity vulnerability identified in the USB 3.0 controller allows an attacker with admin privileges on the VM to cause a denial-of-service condition or execute arbitrary code on the hypervisor.

Many of the vulnerabilities were reported to VMware by various researchers through Trend Micro's Zero Day Initiative, and several were identified by a researcher from Google.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/3feqh2uuKvs/vmware-patches-several-vulnerabilities-allowing-code-execution-hypervisor

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Vmware 146 11 222 256 102 591