iTnews

Virtual graphics cards create critical VMware risk

By Simon Sharwood on Oct 17, 2018 10:09AM

Guest-host escape on vSphere and desktop hypervisors.

VMware has revealed a critical-rated bug that impacts its core vSphere platform.

The bug, covered in advisory VMSA-2018-0026, allows virtualization’s worst-case scenario: a guest VM escaping the hypervisor to run code on the host machine.

The cause of the bug is an “Out-of-bounds read vulnerability” in the SVGA device, the virtual graphics card that the ESXi hypervisor uses to drive video on virtual machines.

The bug also impacts older versions of VMware’s Workstation and Fusion desktop hypervisors. Both are commonly used by developers for test work and may touch live VMs. But as the desktop hypervisors typically run on a PC and can’t reach too deep into a data centre, VMware users will probably prioritise patching ESXi 6.0 through 6.7, as that’s core data centre infrastructure.

The good news is that patches are already available for versions 6.0, 6.5 and 6.7, at the link above.

Trend Micro's Zero Day Initiative and an anonymous researcher discovered the bug, which is also known as CVE-2018-6974.

Copyright © iTnews.com.au . All rights reserved.