VMware patches several vulnerabilities in its products
VMware has issued updates to fix several security-related issues in its Workstation, Player, ACE, Server, ESX and ESXi virtualisation products. One of the fixes resolves a vulnerability in a guest virtual device driver that could allow a guest operating system to crash the host. According to the report, a similar denial of service vulnerability was also found in the hcmon.sys driver in Windows.
A bug in vmware-authd.exe that could result in a denial of service condition on Windows hosts has been resolved.
An exploit on Windows-based systems that could allow for privilege escalation due to a vulnerability found in a Virtual Machine Communication Interface (VMCI) file has been fixed. The current versions of ESX are not affected as they do not support VMCI.
Two vulnerabilities in the VMnc Codec have been patched, preventing heap overflows that allowed an attacker to run arbitrary code on a host system. For an attack to be successful, a user must first open a specially crafted malicious VMnc file or visit a malicious web page.
An issue has been addressed that allowed a password to be read from the memory of a VI client after a user logged into a VirtualCenter Server.
A VMware ACE shared folders vulnerability has been fixed that allowed non-ACE Administrators to re-enable shared folders that were disabled.
Links to updates for each version are available in the original bug report from VMware.
- VMSA-2009-0005 VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues, advisory from VMware.