This article is more than 1 year old
VMware patches, among other things, ESXi flaw that can be abused by miscreants on the network to hijack hosts
Adobe issues out-of-band patches, too, for Photoshop, Illustrator, InDesign, After Effects, etc
Sysadmins responsible for VMware deployments should test and apply the latest security updates for the software.
In an advisory published this morning, VMware revealed six vulnerabilities affecting its ESXi, Workstation, Fusion, Cloud Foundation, and NSX-T products.
CVE-2020-3992, which tops the list with a 9.8 out of 10 CVSS severity rating, is a use-after-free vuln in the ESXi hypervisor that can be exploited via the network to run malicious code on the target host.
The IT giant said: “A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.”
Cisco warns VMware code bug can leave hyperconverged tin ‘unrecoverable’READ MORE
The vulnerability was briefly explained by its discoverers at Trend Micro’s Zero Day Initiative, which warned that “authentication is not required to exploit this vulnerability.”
“The specific flaw exists within the processing of SLP messages," the ZDI team added. "The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the SLP daemon.”
Two of the other vulns affect Workstation (CVE-2020-3981 and CVE-2020-3982), which can be exploited by an admin user in a guest virtual machine to crash or disrupt the underlying host hypervisor.
NSX-T is also said to be vulnerable (CVE-2020-3993) to miscreant-in-the-middle attacks, allowing someone to "compromise the transport node," when the software downloads and installs packages.
The Netherlands’ National Cyber Security Centre reckoned that the potential damage caused through exploiting the vulns would be “medium.” ®
Speaking of security patches... Adobe has issued a bunch of emergency updates for its software on Windows and macOS that should be installed ASAP.
These fixes address code-execution holes in Illustrator, Animate, After Effects, Photoshop, Premiere Pro, and InDesign, which can presumably be exploited by tricking someone into opening a malicious document.
Other applications are patched, too, to close up privilege-escalation flaws and the like.