/ Vmware

Two VM Escape flaws found in VMWare VMXNet3 Adapters

There was a fascinting VM escape bug demonstrated at GeekPwn2018. A VM escape is where it's possible to escape the confines of the VM and execute actions on the host. There is a video that can be seen on twitter that can be shown this in action here.


VMware ESXi, Fusion and Workstation contain uninitialized stack memory usage in the vmxnet3 virtual network adapter. This issue may allow a guest to execute code on the host. The issue is present if vmxnet3 is enabled. Non vmxnet3 virtual adapters are not affected by this issue.


The VMXNET3 adapter is the one recommend to use by VMware because it offers the best throughput of the all the adapter options. As such, it's likely in use on most virtual machines.


This vulnerability can only be used by someone who has access to the virtual machine, this becomes a bigger risk if your VM's are exposed to the internet.


A patch has been released for this vulnerability but it's only for ESXi 6.0 and above. If you run anything older then there is no patch for this bug.


VMware article on this issue https://www.vmware.com/security/advisories/VMSA-2018-0027.html

For some reason, CVE haven't posted the articles so I'll link to the awesome updates from tenable.

Gary Williams

Gary Williams

IT Person | Veeam Vanguard | VMware vExpert | Windows admin | Docker fan | Spiceworks moderator | keeper of 3 cats | Avid Tea fan

Read More