VMware patches serious vulnerabilities in ESXi hypervisor, SD-WAN Orchestrator

VMware has patched critical vulnerabilities affecting its ESXi enterprise-class hypervisor and has released a security update for its SD-WAN Orchestrator, plugging a handful of serious security holes.

vulnerabilities ESXi hypervisor

Vulnerabilities in ESXi hypervisor exploited during a hacking competition

During the Tianfu Cup Pwn Contest that was held in Chengdu, China, earlier this month, Xiao Wei and Tianwen Tang, two researchers from the Qihoo 360 Vulcan Team, exploited two previously unknown vulnerabilities to thoroughly compromise VMWare’s ESXi hypervisor:

  • CVE-2020-4004, deemed “critical”, is a use-after-free vulnerability in XHCI USB controller that can be used by attackers with local administrative privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host
  • CVE-2020-4005, deemed “important”, is a VMX elevation-of-privilege vulnerability that can be used by attackers with privileges within the VMX process to escalate their privileges on the affected system

CVE-2020-4004 affects various versions of ESXi, but also VMware Fusion (Mac virtualization solution), VMware Workstation Player (desktop hypervisor application) and VMware Cloud Foundation (ESXi). CVE-2020-4005 affects ESXi and VMware Cloud Foundation. Most patches are already available, but those for Cloud Foundation are still pending.

Users are advised to peruse this advisory and see whether they should update their installations.

VMware SD-WAN Orchestrator vulnerabilities

VMware has also released security updates for both supported branches (3.x and 4.x) of SD-WAN Orchestrator, its enterprise solution for provisioning virtual services in the branch, the cloud, or the enterprise data center.

They fix six vulnerabilities, including SQL injection vulnerabilities, a directory traversal file execution flaw, and default passwords for predefined accounts which may lead to to a Pass-the-Hash attack. In that last instance, the update does nothing – it’s on administrators to change the default passwords of the preconfigured accounts on SD-WAN Orchestrator before production use.

The vulnerabilities are not deemed to be critical, as attackers need to be authenticated in order to exploit them.

Nevertheless, admins have been advised to upgrade their SD-WAN Orchestrator installations to version 4.0.1, 3.4.4, or 3.3.2 P3.

Half of the vulnerabilities have been discovered and reported by Ariel Tempelhof of Realmode Labs, the other half by Christopher Schneider, Cory Billington and Nicholas Spagnola, penetration test analysts at State Farm.

There are currently no reports of these vulnerabilities being exploited in the wild.

Mozilla patches actively exploited Firefox zero-day

Mozilla has patched a Firefox zero-day vulnerability (CVE-2019-17026) that is being exploited in attacks in the wild and is urging Firefox and Firefox ESR users to update their installations as soon as possible.


About CVE-2019-17026

A day after Mozilla released Firefox 72 – which blocks fingerprinting scripts by default for all users, replaces annoying notification request pop-ups from various sites with a speech bubble in the address bar, and fixes a number of security issues – the corporation pushed out Firefox 72.0.1 (and Firefox ESR 68.4.1) with a fix for CVE-2019-17026, a type confusion vulnerability in IonMonkey, the JavaScript Just-In-Time (JIT) compiler for Mozilla’s JavaScript engine (SpiderMonkey).

According to the accompanying security advisory, the vulnerability was flagged by researchers with Chinese internet security company Qihoo 360 and is being actively abused by attackers.

That’s the extent of the information that’s currently available regarding this flaw, although, according to Catalin Cimpanu, the company let it slip that there is an accompanying Internet Explorer zero-day abused in these ongoing attacks.

Previous zero-days and attacks

The last Firefox zero-day before this one was plugged in June 2019. In fact, there were two: CVE-2019-11707 (also a type confusion flaw) and CVE-2019-11708 (a sandbox escape). Together they were used (unsuccessfully) against Coinbase employees.

Whether this latest flaw is being used for a similar purpose or for an alternative one (e.g., de-anonymization of Tor Browser users) is unknown.

Whatever the case, the Tor Project has announced they will be releasing a new version of the Tor Browser to implement Mozilla’s fix “soon”.