VMware Patches Important Bug Affecting ESXi, Workstation and Fusion Products

News

VMWare has shipped updates to Workstation, Fusion, and ESXi products to address an “important” security vulnerability that could be weaponized by a threat actor to take control of affected systems.

The issue relates to a heap-overflow vulnerability — tracked as CVE-2021-22045 (CVSS score: 7.7) — that, if successfully exploited, results in the execution of arbitrary code. The company credited Jaanus Kääp, a security researcher with Clarified Security, for reporting the flaw.

Automatic GitHub Backups

“A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine,” VMware said in an advisory published on January 4.

VMware

The error affects ESXi versions 6.5, 6.7, and 7.0; Workstation versions 16.x; and Fusion versions 12.x, with the company yet to release a patch for ESXi 7.0. In the interim, the company is recommending users to disable all CD-ROM/DVD devices on all running virtual machines to prevent any potential exploitation —

  • Log in to a vCenter Server system using the vSphere Web Client.
  • Right-click the virtual machine and click Edit Settings.
  • Select the CD/DVD drive and uncheck “Connected” and “Connect at power on” and remove any attached ISOs.

With VMware’s virtualization solutions widely deployed across enterprises, it’s no surprise that its products have emerged as a popular choice for threat actors to stage a multitude of attacks against vulnerable networks. To mitigate the risk of infiltration, it’s recommended that organizations move quickly to apply the necessary updates.

Products You May Like

Articles You May Like

WordPress Skimmers Evade Detection by Injecting Themselves into Database Tables
FBI Deletes PlugX Malware from 4,250 Hacked Computers in Multi-Month Operation
DoJ Indicts Three Russians for Operating Crypto Mixers Used in Cybercrime Laundering
CISA Launches Playbook to Boost AI Cybersecurity Collaboration
Hands-On Walkthrough: Microsegmentation For all Users, Workloads and Devices by Elisity

Leave a Reply

Your email address will not be published. Required fields are marked *