VMware has taken the unusual step of warning about an imminent security advisory after a Chinese team successfully popped its flagship product.
News of the crack came from Tianfu Cup, a hacking contest staged in China over the weekend and modelled on events like "Pwn2Own" where vendors allow teams to take down their wares under controlled conditions.
The targets for the competition included the iPhone 11 running the new iOS 14, and the big four browsers – Chrome, Safari, Firefox and Edge. Cup organisers said 11 of the attacks succeeded.
Many mature and hard targets have been pwned on this year’s contest. 11 out of 16 targets cracked with 23 successful demos:
Chrome, Safari, Firefox
Adobe PDF Reader
Docker-CE, VMware ESXi, Qemu, CentOS 8
iPhone 11 Pro+iOS 14, GalaxyS20
Windows 10 2004
TP-Link, ASUS Router
— TianfuCup (@TianfuCup) November 8, 2020
And that's a little scary because the challenge for ESXi, Qemu and Docker was to get control of the host OS.
The good news is that details of the cracks have not been released. So while VMware has admitted flaw-probers' attempts on ESXi were "successful", it should be able to get its patch done before the flaw is actually exploited.
If it gets the remediation right, that is: the company last week updated a patch for a critical-rated flaw that allowed a malicious actor residing in the management network who has access to port 427 on an ESXi machine to conduct remote code execution. The first patch did not fix the problem and has been suggested as the cause of a Brazilian ransomware attack.
Other vendors and projects whose code was combed for exploitable flaws at the competition appear not to have publicly acknowledged the issue at the time of writing. ®