VMware has warned users about an "important" denial-of-service vuln in ESXi, Workstation and Fusion that hinges on a problem with 3D rendering.
The vuln (CVE-2018-6977) allows an attacker with normal local user privileges to trigger an infinite loop in a 3D-rendering shader. According to VMware, a "specially crafted 3D shader may loop for an infinite amount of time and lock up a VM's virtual graphics device".
If that happens, VMware warned, the hypervisor may rely on the host box's graphics driver to ensure other users of the physical machine are not impacted by the infinite graphical loop.
"However, many graphics drivers may themselves get into to a denial-of-service condition caused by such infinite shaders, and as a result other VMs or processes running on the host might also be affected," said VMware in a statement.
The bug was unearthed by Piotr Bania of Cisco Talos.
Successfully exploiting the bug would allow an attacker to make the VM unresponsive, and "in some cases, possibly result in other VMs on the host or the host itself becoming unresponsive", according to the CVE entry.
Luckily the workaround is straightforward: admins have been urged to disable the 3D acceleration features of the affected platforms. It is disabled by default on ESXi, though positive action is needed to nix it on Workstation and Fusion. There is, however, no patch to fix the problematic behaviour.
Detailed information is available on VMware's website. ®