Netflix Launches Public Bug Bounty Program

Netflix announced on Wednesday the launch of a public bug bounty program with rewards of up to $15,000, and Dropbox has made some changes to its vulnerability disclosure policy, promising not to sue researchers.

Netflix has had a vulnerability disclosure policy for the past 5 years and a private bug bounty program since September 2016. The company has now decided to make its bug bounty initiative public through the Bugcrowd platform.

Its vulnerability disclosure policy and private bug bounty have helped Netflix patch 190 vulnerabilities. The private program started with 100 of Bugcrowd’s top researchers, but more than 700 white hat hackers were later invited in preparation for the public program.

Researchers can earn between $100 and $15,000 for flaws affecting one of several Netflix domains and the mobile applications for iOS and Android. The company claims the highest reward paid out to date is $15,000 for a critical security hole.

The types of vulnerabilities that can be submitted include cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, authentication and authorization, data exposure, remote code execution, redirection, business logic, MSL protocol, and mobile API issues. Netflix says it acknowledges vulnerability reports, on average, in less than 3 days.

“Engineers at Netflix have a high degree of ownership for the security of their products and this helps us address reports quickly,” Netflix said in a blog post. “Our security engineers also have the autonomy and freedom to make reward decisions quickly based on the reward matrix and bug severity. This ultimately helps create an efficient and seamless experience for researchers which is important for engagement in the program.”

Dropbox makes changes to vulnerability disclosure policy

Dropbox has not set a maximum amount of money that researchers can earn through its HackerOne-based bug bounty program. To date, the company has paid out more than $200,000 for over 220 vulnerabilities.

However, the changes made by the company are not related to bounty amounts and instead they focus on the vulnerability disclosure policy and assuring researchers that they will not get sued even if they accidentally violate terms of the program.

Several researchers have faced lawsuits recently over vulnerability disclosures, and Dropbox wants to help avoid such situations. The company has promised “to not initiate legal action for security research conducted pursuant to the policy, including good faith, accidental violations.”

Dropbox says it will allow researchers to publish the details of the vulnerabilities they find, and will not file Digital Millennium Copyright Act (DMCA) action against them as long as their activities are consistent with the company’s vulnerability disclosure policy.

The new policy includes a clear statement that research constitutes “authorized conduct” under the controversial Computer Fraud and Abuse Act (CFAA). Furthermore, as long as the researcher complies with Dropbox’s policy, the company will clearly state that their actions were authorized in case of a lawsuit initiated by a third party.

“We’re also happy to announce that all of the text in our VDP is a freely copyable template,” Dropbox said. “We’ve done this because we’d like to see others take a similar approach. We’ve put some effort in to this across our legal and security teams and if you like what you see, please use it.”

Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/d3dDmk60KMQ/netflix-launches-public-bug-bounty-program

Code Execution Flaws Found in ManageEngine Products

Researchers at cybersecurity technology and services provider Digital Defense have identified another round of vulnerabilities affecting products from Zoho-owned ManageEngine.

ManageEngine provides network, data center, desktop, mobile device, and security solutions to more than 40,000 customers, including three out of every five Fortune 500 company.

Earlier this year, Digital Defense reported finding several potentially serious flaws in ManageEngine’s ServiceDesk Plus help desk software, and on Wednesday the company disclosed the details of six additional security holes found by its researchers in ManageEngine Log360, EventLog Analyzer, and Applications Manager products.

The vulnerabilities have been described by Digital Defense as file upload, blind SQL injection, local file inclusion, and API key disclosure issues that can be exploited without authentication for arbitrary code execution and obtaining potentially sensitive information.

According to the security firm, the Log360 and EventLog Analyzer log management products are affected by an unauthenticated file upload vulnerability that can be exploited to upload a JavaServer Pages (JSP) web shell to the root directory. This is possible due to the fact that a file upload feature’s security checks can be easily bypassed.

The rest of the flaws discovered by Digital Defense researchers impact ManageEngine Applications Manager and many of them can be exploited for arbitrary code execution.

Experts have identified several blind SQL injection flaws that can be leveraged by unauthenticated attackers to execute arbitrary code with SYSTEM privileges and gain complete control of the targeted host.

The list of security holes also includes a local file inclusion issue that can be exploited to download files that may contain sensitive information.

Researchers also discovered that an attacker can obtain an Applications Manager user’s API key by sending a specially crafted GET request.

“Depending on the privilege level of the compromised user, this could result in full compromise of both the Applications Manager web application and the host running it,” Digital Defense warned.

The vulnerabilities were reported to ManageEngine on February 12 and fixes were developed a few weeks later. Patches were made available to customers on March 7.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/yB5oEEMUTqQ/code-execution-flaws-found-manageengine-products

Siemens Patches Flaws in SIMATIC Controllers, Mobile Apps

German industrial giant Siemens has released security patches for several of its SIMATIC products, including some controllers and a mobile application.

Organizations using SIMATIC products were informed by both Siemens and ICS-CERT this week of a denial-of-service (DoS) vulnerability that can be exploited by sending specially crafted PROFINET DCP packets to affected systems.

The flaw, tracked as CVE-2018-4843 and classified as medium severity, can be exploited by an attacker who has access to the network housing the targeted device. While DoS vulnerabilities are generally seen as less severe compared to code execution and other types of flaws, in the case of industrial control systems (ICS), they can have serious impact.

The security hole affects several SIMATIC central processing units (CPUs) and software controllers, SINUMERIK CNC automation solutions, and Softnet PROFINET IO controllers. Siemens has released patches for some of the impacted systems, and provided workarounds and mitigations for the rest.

Learn More at SecurityWeek’s ICS Cyber Security Conference

Siemens also informed customers on Tuesday of an access control vulnerability affecting the Android and iOS versions of its SIMATIC WinCC OA UI mobile application. This app is designed to allow users to remotely access WinCC OA facilities from their mobile devices.

“The latest update for the Android app and iOS app SIMATIC WinCC OA UI fix a security vulnerability which could allow read and write access from one HMI project cache folder to other HMI project cache folders within the app’s sandbox on the same mobile device,” Siemens wrote in its advisory.

“This includes HMI project cache folders of other configured WinCC OA servers. Precondition for this scenario is that an attacker tricks an app user to connect to an attacker-controlled WinCC OA server,” it added.

The SIMATIC WinCC OA UI application vulnerability was discovered by experts at IOActive and Embedi as part of their research into SCADA mobile apps. They analyzed applications from 34 vendors and found security holes in a vast majority of them.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/St5f_O1dcIg/siemens-patches-flaws-simatic-controllers-mobile-apps

AMD Says Patches Coming Soon for Chip Vulnerabilities

AMD Chip Vulnerabilities to be Addressed Through BIOS Updates – No Performance Impact Expected

After investigating recent claims from a security firm that its processors are affected by more than a dozen serious vulnerabilities, chipmaker Advanced Micro Devices (AMD) on Tuesday said patches are coming to address several security flaws in its chips.

In its first public update after the surprise disclosure of the vulnerabilities by Israeli-based security firm CTS Labs, AMD said the issues are associated with the firmware managing the embedded security control processor in some of its products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

Vulnerabilities found in Ryzen and other AMD processors

CTS Labs, which was unheard of until last week, came under fire shortly after its disclosure for giving AMD only a 24-hour notice before going public with its findings, and for apparently attempting to short AMD stock. The company later made some clarifications regarding the flaws and its disclosure method.

CTS Labs claimed that a number of vulnerabilities could be exploited for arbitrary code execution, bypassing security features, stealing data, helping malware become resilient against security products, and damaging hardware.

“AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations,” the chipmaker wrote in an update on Tuesday. “It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings.”

AMD said that patches will be released through BIOS updates to address the flaws, which have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA. The company said that no performance impact is expected for any of the forthcoming mitigations.

AMD attempted to downplay the risks, saying that any attacker gaining administrative access could have a wide range of attacks at their disposal “well beyond the exploits identified in this research.”

“Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues,” the notice continued.

AMD also linked to a blog post from Trail of Bits, which was the first to independently review the findings from CTS. The company, which has been paid for its services, confirmed that the proof-of-concept (PoC) exploits developed by CTS Labs work as intended, but believes that there is “no immediate risk of exploitation of these vulnerabilities for most users.”

“Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers,” Trail of Bits added.

Check Point has also confirmed two of the RYZENFALL vulnerabilities following its own review. The security firm says it does not have any relationship with CTS Labs and it has not received any payment for its services. It also noted that it does not agree with the way CTS disclosed its findings, describing it as “very irresponsible.”

Alex Ionescu, a reputable researcher and Windows security expert, also confirmed the findings and warned that “admin-level access and persistence are legitimate threats in multi-tenant IaaS and even things such as VTL0/1 (Credential Guard) when firmware and chipset trust boundaries are broken.”

“This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings,” AMD stated last week.

Some have compared the recent AMD vulnerabilities to Meltdown and Spectre, which impact CPUs from Intel, AMD, ARM and others. However, some argued that the issues disclosed by CTS Labs are nowhere near as severe due to the fact that they mostly impact AMD’s Secure Processor technology rather than the hardware itself.

AMD did not provide specific dates that patches are expected to be released, but said it would provide additional updates on both its analysis of the issues and the related mitigation plans in the coming weeks.

Eduard Kovacs contributed to this report

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Previous Columns by Mike Lennon:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/26J4jdC4sTI/amd-says-patches-coming-soon-chip-vulnerabilities

Oil and Gas Sector in Middle East Hit by Serious Security Incidents

Many oil and gas companies in the Middle East reported suffering at least one serious security incident in the past year, according to a study conducted by Ponemon Institute on behalf of German industrial giant Siemens.

Nearly 200 individuals responsible for overseeing cybersecurity risk in oil and gas companies in the Middle East have taken part in the study and the results show that many organizations are unprepared to address the risks faced by their operational technology (OT) networks.

According to Siemens, three-quarters of respondents said their organizations had suffered at least one security incident that resulted in disruption to operations in their OT environment or loss of confidential information in the past 12 months. Eleven percent of respondents said they had experienced more than 10 OT network intrusions, and nearly half believe they may not be aware of all breaches. Oil and gas industry in Middle East not prepared for cyberattacks

Roughly two-thirds of the individuals who took part in the survey believe the risk of attacks on industrial control systems (ICS) has increased considerably over the past few years, and 60 percent say there is a greater risk to OT environments compared to IT.

Outdated and ageing control systems pose a serious risk, according to 42 percent of respondents. The areas most at risk in Middle Eastern oil and gas companies are believed to be exploratory information, production information, potential partners, financial and organizational reports, operational data, information on drilling sites, and field production data collected by sensors.

While insider threats are the main concern, only 21 percent of respondents are concerned about malicious insiders, while 68 percent are more worried about the cybersecurity impact of careless employees.

Learn More at SecurityWeek’s ICS Cyber Security Conference

Companies appear aware of the risks, but many of them are not prepared to deal with them. Less than half of respondents say they continually monitor their entire infrastructure, and only a quarter are confident in their ability to address security risks and allocate the resources necessary for addressing them. On average, companies have allocated only a third of their cybersecurity budget to protecting OT environments, the report shows.

Siemens says many organizations are still attempting to air gap their ICS environments in an effort to mitigate threats, but only 39 percent plan on hardening endpoints, and 20 percent plan on adopting analytics solutions over the next year.

Cyberattacks on oil and gas and petrochemical companies can have a devastating impact. Researchers discovered recently a piece of malware that leveraged a zero-day vulnerability in Schneider Electric’s Triconex Safety Instrumented System (SIS). The attack is said to have targeted a petrochemical company in Saudi Arabia and one of the main suspects is Iran. According to some reports, the attackers may have been trying to trigger a deadly explosion at the targeted plant.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/DQ0koEjje0I/oil-and-gas-sector-middle-east-hit-serious-security-incidents

AMD Chip Flaws Confirmed by More Researchers

Another cybersecurity firm has independently confirmed some of the AMD processor vulnerabilities discovered by Israel-based CTS Labs, but the controversial disclosure has not had a significant impact on the value of the chip giant’s stock.

CTS Labs last week published a brief description of 13 allegedly critical vulnerabilities and backdoors found in EPYC and Ryzen processors from AMD. The company says the flaws can be exploited for arbitrary code execution, bypassing security features (e.g. Windows Defender Credential Guard, Secure Boot), stealing data, helping malware become resilient against security products, and damaging hardware.

The flaws have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA, and exploiting them requires elevated privileges to the targeted machine — physical access is not required. The security firm will not disclose technical details any time soon in order to prevent abuse.

CTS Labs, which no one heard of until last week, came under fire shortly after its disclosure for giving AMD only a 24-hour notice before going public with its findings, and for apparently attempting to short AMD stock. The company later made some clarifications regarding the flaws and its disclosure method.

While initially many doubted CTS Labs’ claims due to the lack of technical information, an increasing number of independent researchers have confirmed that the vulnerabilities do in fact exist. Nevertheless, there are still many industry professionals who believe their severity has been greatly exaggerated.

Trail of Bits was the first to independently review the findings. The company, which has been paid for its services, has confirmed that the proof-of-concept (PoC) exploits developed by CTS Labs work as intended, but believes that there is “no immediate risk of exploitation of these vulnerabilities for most users.”

On Monday, Check Point also confirmed two of the RYZENFALL vulnerabilities following its own review. The security firm says it does not have any relationship with CTS Labs and it has not received any payment for its services. It also noted that it does not agree with the way CTS disclosed its findings, describing it as “very irresponsible.”

“In our opinion the original CTS Labs report might have been problematically phrased in a way that misrepresented the threat model and impact that the RYZENFALL-1 and RYZENFALL-3 vulnerabilities present,” Check Point said in a blog post. “However, problematic phrasing aside, after inspecting the technical details of the above, we can indeed verify that these are valid vulnerabilities and the risks they pose should be taken under consideration.”

AMD is investigating the claims, but it has yet to make any statement regarding the impact of the flaws.

Less than an hour after CTS Labs released its report, a controversial company named Viceroy Research published what it described as an “obituary” in hopes of leveraging the findings to short AMD stock. Since CTS’s report also included a disclaimer noting that the company had a financial interest, many assumed the two were working together to short AMD.

While CTS has avoided answering questions regarding its financial interests, Viceroy representatives told Vice’s Motherboard that the company obtained the report describing the vulnerabilities from an “anonymous tipster” and claimed to have no connection to the security firm.

Viceroy’s attempt has had an insignificant impact on AMD stock and experts doubt the situation will change. This is not actually surprising considering that Intel was hit the hardest by Meltdown and Spectre — critical vulnerabilities disclosed by reputable researchers — and still the impact on the company’s stock has been only minor and temporary.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/rNHBlCgIwP0/amd-chip-flaws-confirmed-more-researchers

Russian Cyberspies Hacked Routers in Energy Sector Attacks

A cyberespionage group believed to be operating out of Russia hijacked a Cisco router and abused it to obtain credentials that were later leveraged in attacks targeting energy companies in the United Kingdom, endpoint security firm Cylance reported on Friday.

The United States last week announced sanctions against Russian spy agencies and more than a dozen individuals for trying to influence the 2016 presidential election and launching cyberattacks, including the NotPetya attack and campaigns targeting energy firms. Shortly after, US-CERT updated an alert from the DHS and FBI to officially accuse the Russian government of being responsible for critical infrastructure attacks launched by a threat actor tracked as Dragonfly, Crouching Yeti and Energetic Bear.

A warning issued last year by the UK’s National Cyber Security Centre (NCSC) revealed that hackers had targeted the country’s energy sector, abusing the Server Message Block (SMB) protocol and attempting to harvest victims’ passwords.

An investigation conducted by Cylance showed that the attacks were likely carried out by the Dragonfly group. The security firm has observed a series of phishing attacks aimed at the energy sector in the UK using two documents claiming to be resumes belonging to one Jacob Morrison.

When opened, the documents fetched a template file and attempted to automatically authenticate to a remote SMB server controlled by the attackers. This template injection technique was detailed last year by Cisco Talos following Dragonfly attacks on critical infrastructure organizations in the United States.

When a malicious document is opened using Microsoft Word, it loads a template file from the attacker’s SMB server. When the targeted device connects to the SMB server, it will attempt to authenticate using the current Windows user’s domain credentials, basically handing them over to the attackers.

In a separate analysis of such attacks, Cylance noted that while the credentials will in most cases be encrypted, even an unsophisticated attacker will be able to recover them in a few hours or days, depending on their resources.

According to Cylance, Dragonfly used this technique to harvest credentials that were later likely used to hack the systems of energy sector organizations in the United Kingdom.

One interesting aspect noticed by Cylance researchers is that the IP address of the SMB server used in the template injection attack was associated with a major state-owned energy conglomerate in Vietnam. Specifically, the IP corresponded to a core Cisco router that had reached end-of-life.

“The use of compromised routing infrastructure for collection or command and control purposes is not new, but its detection is relatively rare,” Cylance researchers explained. “That’s because the compromise of a router very likely implicates the router’s firmware and there simply aren’t as many tools available to the forensic investigator to investigate them. Analysis is further challenged by the lack of system logs.”

“The fact that the threat actor is using this type of infrastructure is a serious and worrisome discovery, since once exploited, vulnerabilities in core infrastructure like routers are not easily closed or remediated,” they added.

Dragonfly is not the only cyberespionage group to abuse routers in its attacks. A threat actor named Slingshot, whose members appear to speak English, has targeted entities in the Middle East and Africa using hacked Mikrotik routers.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/L7ZoccaUHp8/russian-cyberspies-hacked-routers-energy-sector-attacks

Cisco Meraki Offers Up to $10,000 in Bug Bounty Program

Cisco Meraki, a provider of cloud-managed IT solutions, announced last week the launch of a public bug bounty program with rewards of up to $10,000 per vulnerability.

Cisco Meraki, which resulted from Cisco’s acquisition of Meraki in late 2012, started with a private bug bounty program on the Bugcrowd platform. The private program led to the discovery of 39 flaws, for which the company paid out an average of roughly $1,100.

The firm has now decided to open its bug bounty program to all the white hat hackers on Bugcrowd and it’s prepared to pay them between $100 and $10,000 per flaw. Cisco Meraki

The initiative covers the meraki.com, ikarem.io, meraki.cisco.com and network-auth.com domains and some of their subdomains, the Meraki Dashboard mobile apps for Android and iOS, and products such as the Cisco Meraki MX Security Appliances, Meraki MS Switches, MR Access Points, MV Security Cameras, MC Phones, Systems Manager, and Virtual Security Appliances.

The highest rewards can be earned for serious vulnerabilities in websites (except meraki.cisco.com), and all hardware and software products. Researchers can receive between $6,000 and $10,000 for remote code execution, root logic, sensitive information disclosure, and device configuration hijacking issues.

There is a long list of security issues that are not covered by the program, including denial-of-service (DoS) attacks, SSL-related problems and ones that require man-in-the-middle (MitM) access, clickjacking, and classic self-XSS.

“We invest heavily in tools, processes and technologies to keep our users and their networks safe, including third party audits, features like two-factor authentication and our out-of-band cloud management architecture,” said Sean Rhea, engineering director at Cisco Meraki. “The Cisco Meraki vulnerability rewards program is an important component of our security strategy, encouraging external researchers to collaborate with our security team to help keep networks safe.”

Meraki says its wireless, switching, security, and communications products are used by more than 230,000 global customers for 3 million devices.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/CHq70ukCADg/cisco-meraki-offers-10000-bug-bounty-program

GitHub Paid $166,000 in Bug Bounties in 2017

Git repository hosting service GitHub paid a total of $166,495 in rewards in 2017 to security researchers reporting vulnerabilities as part of its four year old bug bounty program.

Total payouts more than doubled compared to the $81,700 paid in 2016 and were nearly equal to the total bounties paid during the first three years of the program: $177,000. During the first two years of the program, the company paid $95,300 in bug bounties.

Throughout the year, the company received a total of 840 submissions to the program, but resolved and rewarded only 121 of them (15%). In 2016, GitHub rewarded 73 of the 795 valid reports it received, with only 48 submissions being deemed high enough to appear on bug bounty program’s page.

The number of valid reports fueled the increase in total payouts and also resulted in GitHub re-evaluating its payout structure in October 2017. Thus, the bug bounties were doubled, with the minimum and maximum payouts now at $555 and $20,000.

With the program continuously growing participation by researchers, program initiatives, and the rewards paid out, 2017 proved the biggest year yet, GitHub’s Greg Ose points out.

Last year, the company also announced the introduction of GitHub Enterprise to the bug bounty program, allowing researchers to find vulnerabilities in areas that may not be exposed on GitHub.com or which are specific to enterprise deployments.

“In the beginning of 2017, a number of reports impacting our enterprise authentication methods prompted us to not only focus on this internally, but also identify how we could engage researchers to focus on this functionality,” Ose notes.

He also says GitHub has launched its first researcher grant, an initiative the company has been long focused on. This effort involves paying “a fixed amount to a researcher to dig into a specific feature or area of the application.” Any discovered vulnerability would also be rewarded through the Bug Bounty program.

Last year, GitHub also rolled out private bug bounties, which allowed it to limit the impact of vulnerabilities in production. The company also rolled out internal improvements to the program, to more efficiently triage and remediate submissions and plans on refining the process in 2018 as well.

GitHub is looking to expand the initiatives that proved successful in 2017, launching more private bounties and research grants to gain focus on various features before and after they publicly launch. The company also plans additional promotions later this year.

“Given the program’s success, we’re also looking to see how we can expand its scope to help secure our production services and protect GitHub’s ecosystem. We’re excited for what’s next and look forward to triaging and fixing your submissions this year,” Ose concludes.

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/pUJFzkRw0no/github-paid-166000-bug-bounties-2017

VMware Patches DoS Vulnerability in Workstation, Fusion

VMware informed customers on Thursday that it has patched a denial-of-service (DoS) vulnerability in its Workstation and Fusion products. Details of the flaw and proof-of-concept code have been made public.

In its advisory, VMware said the vulnerability affects Workstation 12.x and 14.x on all platforms, and Fusion 8.x and 10.x on OS X. Patches are included in Workstation 14.1.1 and Fusion 10.1.1. A workaround that involves setting a password for the VNC connection can be applied to Workstation 12.x and Fusion 8.x releases.

The flaw, tracked as CVE-2018-6957, was discovered by Lilith Wyatt of Cisco Talos. VMware says it can be exploited to cause a DoS condition by opening a large number of VNC sessions. VNC, which is used in VMware products for remote management and automation purposes, must be manually enabled for the exploit to work.

While VMware has classified the vulnerability as “important,” Cisco Talos has assigned it a CVSS score of 7.5, which puts it in the “high severity” category.

In its own advisory, Cisco said an attacker can trigger an exception on a targeted server and cause the virtual machine to shut down by initiating numerous VNC sessions.

“Since the VMware VNC server is naturally multi-threaded, there are locks and semaphores and mutexes to deal with shared variables. The VNC server also maintains a global variable that indicates the amount of locks that are currently used, that is incremented by certain events,” Talos explained.

The code uses a variable to count the locks and ensure that their number is not too high. Wyatt discovered that each TCP connection to the VNC increments this variable twice, and initiating a large number of connections will eventually lead to a DoS condition and a shutdown of the VM. Cisco’s advisory includes a one-line PoC exploit.

VMware sponsored the recent Pwn2Own 2018 hacking competition and offered up to $70,000 for VMware Workstation exploits. However, none of the contestants targeted the company’s products. At last year’s event, white hat hackers did disclose exploits that included VMware virtual machine escapes.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/iOIWPibQVnw/vmware-patches-dos-vulnerability-workstation-fusion