<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:8pt;color:#000000;font-family:'Courier New',monospace;" dir="ltr">
<div>-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
- -----------------------------------------------------------------------<br>
VMware Security Advisory<br>
<br>
Advisory ID: VMSA-2018-0025<br>
Severity: Important<br>
Synopsis: VMware ESXi, Workstation, and Fusion workarounds address a<br>
denial-of-service vulnerability<br>
Issue date: 2018-10-09<br>
Updated on: 2018-10-09 (Initial Advisory)<br>
CVE number: CVE-2018-6977<br>
<br>
1. Summary<br>
<br>
VMware ESXi, Workstation, and Fusion workarounds address a<br>
denial-of-service vulnerability<br>
<br>
2. Relevant Products<br>
<br>
VMware vSphere ESXi (ESXi) <br>
VMware Workstation Pro / Player (Workstation)<br>
VMware Fusion Pro / Fusion (Fusion)<br>
<br>
3. Problem Description<br>
<br>
Denial-of-service vulnerability in 3D-acceleration feature<br>
<br>
VMware ESXi, Workstation and Fusion contain a denial-of-service<br>
vulnerability due to an infinite loop in a 3D-rendering shader.<br>
Successfully exploiting this issue may allow an attacker with normal<br>
user privileges in the guest to make the VM unresponsive, and in<br>
some cases, possibly result in other VMs on the host or the host<br>
itself becoming unresponsive.<br>
<br>
Because many graphics APIs and hardware lack pre-emption support, a<br>
specially crafted 3D shader may loop for an infinite amount of time<br>
and lock up a VM's virtual graphics device. Such a shader cannot<br>
always be validated by VMware hypervisors, since it may be<br>
well-formed but still cause problems if designed to run for an<br>
extremely long time. In such cases, VMware hypervisors rely on the<br>
host's graphics driver to ensure that other users of 3D graphics on<br>
the host are not impacted by the malicious VM. However, many graphics<br>
drivers may themselves get into a denial-of-service condition<br>
caused by such infinite shaders, and as a result other VMs or<br>
processes running on the host might also be affected.<br>
<br>
The workaround for this issue requires disabling the 3D-acceleration<br>
feature as documented in the Mitigation/Workaround column of the<br>
table below.<br>
<br>
The issue can only be exploited if the 3D-acceleration feature is<br>
enabled. It is not enabled by default on ESXi and is enabled by<br>
default on Workstation and Fusion. The 3D-acceleration settings can<br>
be reviewed as follows.<br>
<br>
ESXi<br>
With Host Client or vCenter, go to the individual VM > configure ><br>
hardware > video card > 3D Graphics and check whether "3D Graphics"<br>
is enabled.<br>
OR<br>
Open the individual VMX file and check for "mks.enable3d".<br>
If the VM has the option "mks.enable3d=TRUE", then the<br>
3D-acceleration feature is enabled.<br>
<br>
Workstation<br>
- Select the virtual machine and select VM > Settings.<br>
- On the Hardware tab, select Display.<br>
If "Accelerate 3D graphics" is checked, then the 3D-acceleration<br>
feature is enabled.<br>
<br>
Fusion<br>
- From the VMware Fusion menu bar, select Window > Virtual Machine<br>
Library.<br>
- Select a virtual machine and click Settings.<br>
- In the Settings Window, select Display.<br>
If "Accelerate 3D graphics" is checked, then the 3D-acceleration<br>
feature is enabled.<br>
<br>
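The VMX-file check described for ESXi above can be applied to a whole directory tree of VMs. The following is an added example, not part of the VMware advisory or any VMware tool: the function names (parse_vmx, accel3d_state, audit) are hypothetical, and the parsing rules (case-insensitive keys, '#' comment lines) are assumptions about the VMX text format. A result of "unset" only means the key is absent from the file and should be confirmed in the product UI as described above.<br>
<br>
```python
import re
from pathlib import Path

# One VMX setting per line: key = "value". Keys are matched case-insensitively
# (assumption); lines starting with '#' are treated as comments (assumption).
_SETTING = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_vmx(text):
    """Return {lowercased key: [values in file order]} for one VMX file."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _SETTING.match(line)
        if m:
            settings.setdefault(m.group(1).lower(), []).append(m.group(2))
    return settings

def accel3d_state(text):
    """'enabled' if any mks.enable3d entry is TRUE, 'disabled' if the key is
    present but never TRUE, 'unset' if the key does not appear at all."""
    values = parse_vmx(text).get("mks.enable3d")
    if values is None:
        return "unset"
    # Conservative for an audit: a single TRUE among duplicates counts as enabled.
    if any(v.strip().upper() == "TRUE" for v in values):
        return "enabled"
    return "disabled"

def audit(root):
    """Map every *.vmx path under root to its 3D-acceleration state."""
    return {str(p): accel3d_state(p.read_text(errors="replace"))
            for p in sorted(Path(root).rglob("*.vmx"))}

# Constructed sample VMX contents (not taken from a real VM).
SAMPLE_ENABLED = '.encoding = "UTF-8"\ndisplayName = "build-agent"\nmks.enable3d = "TRUE"\n'
SAMPLE_DISABLED = 'displayName = "db01"\nmks.enable3D = "FALSE"\n'
SAMPLE_UNSET = '# mks.enable3d = "TRUE"\ndisplayName = "web01"\n'

if __name__ == "__main__":
    import sys
    # Usage: python audit3d.py /path/to/vm/directory
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, state in audit(root).items():
        print(f"{state:8} {path}")
```
<br>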
VMware would like to thank Piotr Bania of Cisco Talos for reporting<br>
this issue to us.<br>
<br>
The Common Vulnerabilities and Exposures project (cve.mitre.org) has<br>
assigned the identifier CVE-2018-6977 to this issue.<br>
<br>
Column 5 of the following table lists the action required to<br>
remediate the vulnerability in each release, if a solution is<br>
available.<br>
<br>
VMware Product | Product Version | Running on | Severity | Replace with/Apply patch* | Mitigation/Workaround<br>
============= | ======= | ======= | ========= | ============== | ==========<br>
ESXi | Any | Any | Important | n/a | See references<br>
Workstation | Any | Any | Important | n/a | KB59146<br>
Fusion | Any | OS X | Important | n/a | KB59146<br>
<br>
*There is no patch for this issue; customers must review their risk<br>
and apply the workarounds if applicable.<br>
<br>
4. Solution<br>
<br>
Please see the above table for Mitigation/Workaround.<br>
<br>
5. References<br>
<br>
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6977<br>
https://kb.vmware.com/s/article/59146<br>
<br>
https://www.vmware.com/in/security/hardening-guides.html<br>
Item 34, vm.disable-non-essential-3D-features of the vSphere<br>
Security Configuration Guide for 6.5 Update 1<br>
- -----------------------------------------------------------------------<br>
<br>
6. Change log<br>
<br>
VMSA-2018-0024 2018-10-09<br>
Initial security advisory documenting workarounds for VMware ESXi,<br>
Workstation and Fusion on 2018-10-09.<br>
<br>
- -----------------------------------------------------------------------<br>
7. Contact<br>
<br>
E-mail list for product security notifications and announcements:<br>
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce<br>
<br>
This Security Advisory is posted to the following lists:<br>
<br>
security-announce@lists.vmware.com<br>
bugtraq@securityfocus.com<br>
fulldisclosure@seclists.org<br>
<br>
E-mail: security@vmware.com<br>
PGP key at: https://kb.vmware.com/kb/1055<br>
<br>
VMware Security Advisories<br>
http://www.vmware.com/security/advisories<br>
<br>
VMware Security Response Policy<br>
https://www.vmware.com/support/policies/security_response.html<br>
<br>
VMware Lifecycle Support Phases<br>
https://www.vmware.com/support/policies/lifecycle.html<br>
<br>
VMware Security & Compliance Blog<br>
https://blogs.vmware.com/security<br>
<br>
Twitter<br>
https://twitter.com/VMwareSRC<br>
<br>
Copyright 2018 VMware Inc. All rights reserved.<br>
<br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: Encryption Desktop 10.4.1 (Build 490)<br>
Charset: utf-8<br>
<br>
wj8DBQFbvOUPDEcm8Vbi9kMRAr9BAJ4sSTskoV/8v6knyUJVlYeqvuLqRQCfSTea<br>
RnDV6NTDvq2pb15l4viSgM8=<br>
=PUqC<br>
-----END PGP SIGNATURE-----<br>
<br>
</div>
<br>
</div>
</body>
</html>