CVE-2018-6981 - Use of Uninitialized Resource vulnerability in VMware ESXi, Fusion and Workstation
- Attack vector: LOCAL
- Attack complexity: LOW
- Privileges required: LOW
- Confidentiality impact: HIGH
- Integrity impact: HIGH
- Availability impact: HIGH

Summary
VMware ESXi 6.7 without ESXi670-201811401-BG and VMware ESXi 6.5 without ESXi650-201811301-BG, VMware ESXi 6.0 without ESXi600-201811401-BG, VMware Workstation 15, VMware Workstation 14.1.3 or below, VMware Fusion 11, VMware Fusion 10.1.3 or below contain uninitialized stack memory usage in the vmxnet3 virtual network adapter which may allow a guest to execute code on the host.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | Vmware | 14 |
OS | | 1 |
OS | | 165 |
Common Weakness Enumeration (CWE)
Nessus
- NASL family: VMware ESX Local Security Checks
- NASL id: VMWARE_VMSA-2018-0027.NASL
- description: a. vmxnet3 uninitialized stack memory usage VMware ESXi, Fusion and Workstation contain uninitialized stack memory usage in the vmxnet3 virtual network adapter. This issue may allow a guest to execute code on the host. The issue is present if vmxnet3 is enabled. Non vmxnet3 virtual adapters are not affected by this issue. VMware would like to thank the organizers of GeekPwn2018 and security researcher Zhangyanyu of Chaitin Tech for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-6981 to this issue. b. vmxnet3 uninitialized stack memory usage VMware ESXi, Fusion and Workstation contain uninitialized stack memory usage in the vmxnet3 virtual network adapter. This issue may lead to an information leak from host to guest. The issue is present if vmxnet3 is enabled. Non vmxnet3 virtual adapters are not affected by this issue. VMware would like to thank the organizers of GeekPwn2018 and security researcher Zhangyanyu of Chaitin Tech for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-6982 to this issue.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 118955
- published: 2018-11-14
- reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/118955
- title: VMSA-2018-0027 : VMware ESXi, Workstation, and Fusion updates address uninitialized stack memory usage
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory 2018-0027.
# The text itself is copyright (C) VMware Inc.
#

include("compat.inc");

if (description)
{
  script_id(118955);
  script_version("1.6");
  script_cvs_date("Date: 2019/09/26 15:14:18");

  script_cve_id("CVE-2018-6981", "CVE-2018-6982");
  script_xref(name:"VMSA", value:"2018-0027");

  script_name(english:"VMSA-2018-0027 : VMware ESXi, Workstation, and Fusion updates address uninitialized stack memory usage");
  script_summary(english:"Checks esxupdate output for the patches");

  script_set_attribute(
    attribute:"synopsis",
    value: "The remote VMware ESXi host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value: "a. vmxnet3 uninitialized stack memory usage VMware ESXi, Fusion and Workstation contain uninitialized stack memory usage in the vmxnet3 virtual network adapter. This issue may allow a guest to execute code on the host. The issue is present if vmxnet3 is enabled. Non vmxnet3 virtual adapters are not affected by this issue. VMware would like to thank the organizers of GeekPwn2018 and security researcher Zhangyanyu of Chaitin Tech for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-6981 to this issue. b. vmxnet3 uninitialized stack memory usage VMware ESXi, Fusion and Workstation contain uninitialized stack memory usage in the vmxnet3 virtual network adapter. This issue may lead to an information leak from host to guest. The issue is present if vmxnet3 is enabled. Non vmxnet3 virtual adapters are not affected by this issue. VMware would like to thank the organizers of GeekPwn2018 and security researcher Zhangyanyu of Chaitin Tech for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-6982 to this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.vmware.com/pipermail/security-announce/2018/000441.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-6981");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/14");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"VMware ESX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
  script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");

  exit(0);
}

include("audit.inc");
include("vmware_esx_packages.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
if (
  !get_kb_item("Host/VMware/esxcli_software_vibs") &&
  !get_kb_item("Host/VMware/esxupdate")
) audit(AUDIT_PACKAGE_LIST_MISSING);

init_esx_check(date:"2018-11-09");
flag = 0;

if (esx_check(ver:"ESXi 6.0", vib:"VMware:esx-base:6.0.0-3.110.10719132")) flag++;
if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsan:6.0.0-3.110.10644234")) flag++;
if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsanhealth:6.0.0-3000000.3.0.3.110.10644236")) flag++;

if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-base:6.5.0-2.67.10719125")) flag++;
if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-tboot:6.5.0-2.67.10719125")) flag++;
if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsan:6.5.0-2.67.10642690")) flag++;
if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsanhealth:6.5.0-2.67.10642691")) flag++;

if (esx_check(ver:"ESXi 6.7", vib:"VMware:esx-base:6.7.0-1.31.10764712")) flag++;
if (esx_check(ver:"ESXi 6.7", vib:"VMware:esx-update:6.7.0-1.31.10764712")) flag++;
if (esx_check(ver:"ESXi 6.7", vib:"VMware:vsan:6.7.0-1.31.10720746")) flag++;
if (esx_check(ver:"ESXi 6.7", vib:"VMware:vsanhealth:6.7.0-1.31.10720754")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
- NASL family: General
- NASL id: VMWARE_WORKSTATION_VMSA_2018_0027.NASL
- description: The version of VMware Workstation installed on the remote host is 14.x prior to 14.1.4 or 15.x prior to 15.0.1. It is, therefore, affected by an uninitialized stack memory usage vulnerability in the vmxnet3 network adapter. An attacker with access to a guest system may be able to execute code on the host system by leveraging this vulnerability.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 118883
- published: 2018-11-12
- reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/118883
- title: VMware Workstation 14.x < 14.1.4 / 15.x < 15.0.1 vmxnet3 Guest-to-Host Code Execution Vulnerability (VMSA-2018-0027)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(118883);
  script_version("1.4");
  script_cvs_date("Date: 2019/11/01");

  script_cve_id("CVE-2018-6981");
  script_bugtraq_id(105881);
  script_xref(name:"VMSA", value:"2018-0027");

  script_name(english:"VMware Workstation 14.x < 14.1.4 / 15.x < 15.0.1 vmxnet3 Guest-to-Host Code Execution Vulnerability (VMSA-2018-0027)");
  script_summary(english:"Checks the VMware Workstation version.");

  script_set_attribute(attribute:"synopsis", value:
    "A virtualization application installed on the remote Windows host is affected by an uninitialized stack memory usage vulnerability.");
  script_set_attribute(attribute:"description", value:
    "The version of VMware Workstation installed on the remote host is 14.x prior to 14.1.4 or 15.x prior to 15.0.1. It is, therefore, affected by an uninitialized stack memory usage vulnerability in the vmxnet3 network adapter. An attacker with access to a guest system may be able to execute code on the host system by leveraging this vulnerability.");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2018-0027.html");
  script_set_attribute(attribute:"solution", value:
    "Upgrade to VMware Workstation version 14.1.4, 15.0.1, or later.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-6981");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:workstation");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_workstation_detect.nasl", "vmware_workstation_linux_installed.nbin");
  script_require_keys("installed_sw/VMware Workstation");

  exit(0);
}

include("vcf.inc");

if (get_kb_item("SMB/Registry/Enumerated")) win_local = TRUE;

app_info = vcf::get_app_info(app:"VMware Workstation", win_local:win_local);

vcf::check_granularity(app_info:app_info, sig_segments:2);

constraints = [
  { "min_version" : "14", "fixed_version" : "14.1.4" },
  { "min_version" : "15", "fixed_version" : "15.0.1" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
```
- NASL family: Misc.
- NASL id: VMWARE_ESXI_VMSA-2018-0027.NASL
- description: The remote VMware ESXi host is version 6.0, 6.5, or 6.7 and is missing a security patch. It is, therefore, vulnerable to multiple vulnerabilities. Leveraging the most severe of these vulnerabilities could allow an attacker to execute arbitrary code on the host from the security context of an unprivileged user on the guest system. Note: CVE-2018-6982 only applies to ESXi 6.5 and 6.7 installations. ESXi 6.0 installations are not affected.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 118885
- published: 2018-11-12
- reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/118885
- title: ESXi 6.0 / 6.5 / 6.7 Multiple Vulnerabilities (VMSA-2018-0027) (Remote Check)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(118885);
  script_version("1.5");
  script_cvs_date("Date: 2019/11/01");

  script_cve_id("CVE-2018-6981", "CVE-2018-6982");
  script_bugtraq_id(105881, 105882);
  script_xref(name:"VMSA", value:"2018-0027");

  script_name(english:"ESXi 6.0 / 6.5 / 6.7 Multiple Vulnerabilities (VMSA-2018-0027) (Remote Check)");
  script_summary(english:"Checks the ESXi version and build number.");

  script_set_attribute(attribute:"synopsis", value:
    "The remote VMware ESXi host is missing a security patch and is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
    "The remote VMware ESXi host is version 6.0, 6.5, or 6.7 and is missing a security patch. It is, therefore, vulnerable to multiple vulnerabilities. Leveraging the most severe of these vulnerabilities could allow an attacker to execute arbitrary code on the host from the security context of an unprivileged user on the guest system. Note: CVE-2018-6982 only applies to ESXi 6.5 and 6.7 installations. ESXi 6.0 installations are not affected.");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2018-0027.html");
  script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch as referenced in the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-6981");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/12");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_vsphere_detect.nbin");
  script_require_keys("Host/VMware/version", "Host/VMware/release");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

fixes = make_array(
  '6.0', '10719132',
  '6.5', '10719125',
  '6.7', '10764712'
);

rel = get_kb_item_or_exit("Host/VMware/release");
if ("ESXi" >!< rel) audit(AUDIT_OS_NOT, "ESXi");

ver = get_kb_item_or_exit("Host/VMware/version");

match = pregmatch(pattern:"^ESXi? ([0-9]+\.[0-9]+).*$", string:ver);
if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, "VMware ESXi", "6.0 / 6.5 / 6.7");
ver = match[1];

if (ver != '6.0' && ver != '6.5' && ver != '6.7') audit(AUDIT_OS_NOT, "ESXi 6.0 / 6.5 / 6.7");

fixed_build = fixes[ver];

if (empty_or_null(fixed_build)) audit(AUDIT_VER_FORMAT, ver);

match = pregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);
if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, "VMware ESXi", "6.0 / 6.5 / 6.7");

build = int(match[1]);

if (build < fixed_build)
{
  report = '\n ESXi version : ' + ver +
           '\n Installed build : ' + build +
           '\n Fixed build : ' + fixed_build +
           '\n';
  security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);
}
else audit(AUDIT_INST_VER_NOT_VULN, "VMware ESXi", ver + " build " + build);
```
- NASL family: MacOS X Local Security Checks
- NASL id: MACOSX_FUSION_VMSA_2018_0027.NASL
- description: The version of VMware Fusion installed on the remote macOS or Mac OS X host is 10.x prior to 10.1.4 or 11.x prior to 11.0.1. It is, therefore, affected by an uninitialized stack memory usage vulnerability in the vmxnet3 network adapter. An attacker with access to a guest system may be able to execute code on the host system by leveraging this vulnerability.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 118884
- published: 2018-11-12
- reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/118884
- title: VMware Fusion 10.x < 10.1.4 / 11.x < 11.0.1 vmxnet3 Guest-to-Host Code Execution Vulnerability (VMSA-2018-0027) (macOS)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(118884);
  script_version("1.4");
  script_cvs_date("Date: 2019/11/01");

  script_cve_id("CVE-2018-6981");
  script_bugtraq_id(105881);
  script_xref(name:"VMSA", value:"2018-0027");

  script_name(english:"VMware Fusion 10.x < 10.1.4 / 11.x < 11.0.1 vmxnet3 Guest-to-Host Code Execution Vulnerability (VMSA-2018-0027) (macOS)");
  script_summary(english:"Checks the VMware Fusion version.");

  script_set_attribute(attribute:"synopsis", value:
    "A virtualization application installed on the remote macOS or Mac OS X host is affected by an uninitialized stack memory usage vulnerability.");
  script_set_attribute(attribute:"description", value:
    "The version of VMware Fusion installed on the remote macOS or Mac OS X host is 10.x prior to 10.1.4 or 11.x prior to 11.0.1. It is, therefore, affected by an uninitialized stack memory usage vulnerability in the vmxnet3 network adapter. An attacker with access to a guest system may be able to execute code on the host system by leveraging this vulnerability.");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2018-0027.html");
  script_set_attribute(attribute:"solution", value:
    "Upgrade to VMware Fusion version 10.1.4, 11.0.1, or later.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-6981");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:fusion");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_fusion_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "installed_sw/VMware Fusion");

  exit(0);
}

include("vcf.inc");

app_info = vcf::get_app_info(app:"VMware Fusion");

vcf::check_granularity(app_info:app_info, sig_segments:2);

constraints = [
  { "min_version" : "10", "fixed_version" : "10.1.4" },
  { "min_version" : "11", "fixed_version" : "11.0.1" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
```
References
- http://www.securityfocus.com/bid/105881
- http://www.securitytracker.com/id/1042054
- http://www.securitytracker.com/id/1042055
- https://www.vmware.com/security/advisories/VMSA-2018-0027.html