Multiple vulnerabilities have recently come to light VMware’s ESXi Hypervisor and the SD-WAN Orchestrator. The company has patched these vulnerabilities & released updates for the same. Two critical vulnerabilities were reported in the ESXi Hypervisor of VMware. Besides this, six other vulnerabilities were fixed by the company in their SD-WAN Orchestrator.
Two vulnerabilities in VMware ESXi exploited in a hacking competition!
You read it right, two vulnerabilities in VMware’s ESXi hypervisor were exploited by researchers during a hacking competition. Both these vulnerabilities were previously unknown. Two researchers Tianwen Tang & Xiao Wei discovered and exploited these vulnerabilities during the Tianfu Cup Pwn Contest which was held in Chengdu, China. The two researchers from the Qihoo Vulcan Team discovered and exploited these two vulnerabilities which compromised the ESXi hypervisor.
The two vulnerabilities were named as CVE-2020-4004 & CVE-2020-4005 and were labelled as critical & important by the VMware team. The details of these vulnerabilities are as below.
- The CVE-2020-4004 is a critical use-after-free vulnerability in the XHCI USB regulator. Attackers with local administrative privileges on a virtual machine can execute code as the VMX of the virtual machine is running on the host. Multiple versions of ESXi are affected by this vulnerability. Besides them, VMware Workstation Player (desktop hypervisor application), VMware Cloud Foundation (ESXi) and VMware Fusion (Mac virtualization solution) are also affected.
- CVE-2020-4005 is an important VMX elevation-of-privilege vulnerability. It affects the ESXi and VMware Cloud Foundation. To exploit this vulnerability, the attackers require privileges in the VMX process. They can easily escalate their privilege within the affected system with this vulnerability.
Though majorly the patches for these vulnerabilities have been made available, the ones required for Cloud Foundation are still pending. The company has released an updated advisory that can guide the users as to the need for the update. Users are urged to refer to it to install the update.
Security updates for the SD-WAN Orchestrator vulnerabilities
Besides the patches for the aforementioned vulnerabilities, VMware has also released security updates for SD-WAN Orchestrator. These updates are relevant for both 3.x & 4.x supported branches of the orchestrator. SD-WAN Orchestrator is actually VMware’s enterprise solution that provides virtual services in the branch, the cloud or the enterprise data centre too.
The latest update has been able to fix six vulnerabilities in the system. These include some major vulnerabilities like –
- A directory traversal file execution flaw
- SQL injection vulnerabilities
- Predefined accounts’ passwords that may make the system vulnerable to a Pass-the-Hash attack
Even though, for the passwords, it is still majorly the administrators’ responsibility to change the preconfigured accounts’ default passwords on SD-WAN Orchestrator before production use.
Since, to exploit these vulnerabilities, the attacker must be authenticated, the vulnerabilities have not been deemed critical. These vulnerabilities were discovered and reported by the State Farm penetration test analysts Ariel Tempelhof of Realmode Labs, the other half by Christopher Schneider, Cory Billington and Nicholas Spagnola.
Fortunately, there have been no reports of these vulnerabilities being exploited in the wild. But the company has still urged the admins to upgrade their SD-WAN Orchestrator Installations to the latest version of 4.0.1, 3.4.4, or 3.3.2 P3.
Though these vulnerabilities were not easy to exploit, since they required the attackers to gain certain privileges, it is better that these vulnerabilities have been detected in due time. This gives the company an upper hand at dealing with potential cyber-attacks in the coming time. VMware has done an exceptional job at patching the vulnerabilities soon so that their users could have a seamless experience.