VMware fixes 2 data corruption bugs and VM to Host escape vulnerability!


The last couple of weeks were definitely busy for the VMware developers.

Not only did they release vSphere 6.7 U1, they were also busy fixing two critical data corruption bugs:

  • when running VM snapshots on VMFS
  • after disk extends using vSAN 6.6 and later

Another important fix addresses a possible VM escape when using vmxnet3 network adapters.

Data Corruption

Virtual Machines running on an SEsparse snapshot may report guest data inconsistencies

Described in VMware KB59216, this affects versions since ESXi 5.5, where SEsparse snapshots were introduced.

That means everybody running VMFS6, and those with disks bigger than 2TB running on VMFS5.

It can be prevented by disabling “IO coalescing” for SEsparse.

Virtual Machines running on VMware vSAN 6.6 and later report guest data consistency concerns following a disk extend operation

“The sequence of the following operations might cause the issue:

  1. vSAN initiates resynchronization to maintain data availability.
  2. You expand a virtual machine disk (VMDK).
  3. vSAN initiates another resync after the VMDK expansion.

The fix in this release prevents further data inconsistencies, but does not recover data.”

https://kb.vmware.com/s/article/58855

I want you to be especially careful with this one and to read VMware KB58715 carefully.
It recommends a special procedure, including contacting VMware support first, which may help you identify affected VMs.

It also has instructions for working around this by disabling ClomEnableInplaceExpansion until you manage to update your vSAN clusters.

Virtual Machine to Host Escape!

It is a good thing this was patched so quickly after the demonstration. It affects only ESXi users using vmxnet3 virtual network adapters, including VMware Workstation and Fusion users.

This was demonstrated at GeekPwn2018 by security researcher “f1yyy” of Chaitin Tech.
Apparently they were the first in the world to publicly demonstrate a root shell on the host from a virtual machine.

VMware published advisory VMSA-2018-0027:

ESXi has uninitialized stack memory usage vulnerability in the vmxnet3 virtual network adapter that might allow a guest to execute code on the host. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2018-6981 and CVE-2018-6982 to this issue.
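
When prioritizing this patch, it helps to know which VMs actually have a vmxnet3 adapter. The following is an added example, not from the original post or from VMware: a small Python parser for .vmx configuration text that lists the present adapters whose virtualDev is vmxnet3. The sample config is constructed, and treating an adapter with no virtualDev line as not vmxnet3 is an assumption.

```python
import re

# Constructed sample .vmx contents (not taken from a real VM).
SAMPLE_VMX = '''\
displayName = "app01"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000"
ethernet2.present = "FALSE"
ethernet2.virtualDev = "vmxnet3"
ethernet3.present = "TRUE"
'''

_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')
_NIC = re.compile(r'^(ethernet\d+)\.(present|virtualdev)$')


def parse_vmx(text):
    """Return {lowercased key: value} for the key = "value" lines."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def vmxnet3_adapters(text):
    """List adapters that are present and explicitly typed vmxnet3."""
    nics = {}
    for key, value in parse_vmx(text).items():
        m = _NIC.match(key)
        if m:
            nics.setdefault(m.group(1), {})[m.group(2)] = value
    # Assumption: an adapter without a virtualDev line uses the default
    # adapter type, so it is not reported here.
    return sorted(
        name for name, cfg in nics.items()
        if cfg.get("present", "").upper() == "TRUE"
        and cfg.get("virtualdev", "").lower() == "vmxnet3"
    )


if __name__ == "__main__":
    print(vmxnet3_adapters(SAMPLE_VMX))
```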

 

All of these critical bugs are fixed already. So let's plan for patching! I hope your data is safe!

About Dusan Tekeljak

Dusan has over 8 years of experience in the virtualization field. He is currently working as Senior VMware Platform Architect at one of the biggest retail banks in Slovakia. He has a background in closely related technologies including server operating systems, networking and storage. He used to be a member of the VMware Center of Excellence at IBM and is co-author of several Redpapers. His main scope of work consists of designing and performance optimization of business-critical virtualized solutions on vSphere, including, but not limited to, Oracle WebLogic, MSSQL and others. He holds several IT industry leading certifications like VCAP-DCD, VCAP-DCA, MCITP and others. Honored with #vExpert2015-2018 awards by VMware for his contribution to the community. Opinions are my own!