
Broadcom warns that an attacker with only limited access to a guest virtual machine can exploit a vulnerability in VMware Tools to trigger insecure file operations. The open-source implementation, open-vm-tools, is also affected.
Broadcom has released patches for the flaw in VMware Tools, a suite of utilities that improves the performance and management of virtual machines (VMs) running on the ESXi hypervisor.
“A malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM,” the security advisory reads.
Only the Windows and Linux 12.x.x and 11.x.x releases of VMware Tools are affected, and Broadcom urges users to apply the patches; there are no workarounds.
The fixed VMware Tools version is 12.5.2.
Broadcom said that Linux vendors will distribute the updates to their users, and that the fixed open-vm-tools version may differ depending on the Linux distribution, its release, and the distribution vendor.
The firm also provided a patch to the open-vm-tools community so that the security fix can be applied to earlier open-vm-tools releases.
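Because the affected branches (11.x.x and 12.x.x) and the fixed release (12.5.2) are stated in the advisory, a defender's first step is to triage the guest inventory by installed VMware Tools version. The script below is an added example, not code from Broadcom or the open-vm-tools project: it parses VMware Tools version strings, flags guests below 12.5.2 on an affected branch, and routes open-vm-tools guests to a distribution-specific check, since the page notes that fixed open-vm-tools versions vary by vendor. The inventory records, host names and build numbers are constructed sample data.

```python
"""Triage a guest inventory against the VMware Tools advisory (added example)."""
import re
from typing import List, NamedTuple, Optional, Tuple

FIXED_VERSION: Tuple[int, int, int] = (12, 5, 2)   # fixed release named in the advisory
AFFECTED_MAJORS = {11, 12}                          # 11.x.x and 12.x.x branches are affected

# Leading dotted numeric version; tolerates trailing text such as " (build-NNNNN)".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){1,3})")


class Finding(NamedTuple):
    host: str
    version: str
    status: str  # "patch", "ok", "check_distro" or "unknown"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric components of a VMware Tools version string, or None.

    Accepts forms such as '12.4.5.23259 (build-23259)' and '11.3.5'.
    """
    match = _VERSION_RE.match(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is on an affected branch and below the fixed release.

    Returns None when the string cannot be parsed, so callers can report it
    rather than silently treating it as safe.
    """
    parts = parse_version(version)
    if parts is None:
        return None
    if parts[0] not in AFFECTED_MAJORS:
        return False
    return parts[:3] < FIXED_VERSION


def triage(inventory: List[dict]) -> List[Finding]:
    """Classify each guest record by what action the advisory implies."""
    findings = []
    for rec in inventory:
        version = rec["tools_version"]
        affected = is_affected(version)
        if affected is None:
            status = "unknown"
        elif not affected:
            status = "ok"
        elif rec.get("source") == "open-vm-tools":
            # Distro-backported fixes keep the upstream version number, so a bare
            # version comparison is inconclusive: verify against the vendor advisory.
            status = "check_distro"
        else:
            status = "patch"
        findings.append(Finding(rec["host"], version, status))
    return findings


# Constructed sample inventory (hypothetical hosts; build numbers are made up).
SAMPLE_INVENTORY = [
    {"host": "win-app01", "source": "vmware", "tools_version": "12.4.5.23259 (build-23259)"},
    {"host": "win-db02", "source": "vmware", "tools_version": "12.5.2.24697 (build-24697)"},
    {"host": "lin-web03", "source": "open-vm-tools", "tools_version": "12.3.5"},
    {"host": "lin-legacy04", "source": "vmware", "tools_version": "10.3.25"},
    {"host": "lin-broken05", "source": "vmware", "tools_version": "n/a"},
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding.host:14} {finding.version:30} {finding.status}")
```

In a real environment the inventory would come from the hypervisor's management API or from an agent reporting `vmware-toolbox-cmd -v` on each guest; the classification logic above stays the same.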
VMware has credited Sergey Bliznyuk of Positive Technologies for privately reporting this issue.
On Monday, Broadcom also warned of an important-severity vulnerability (rated 8.2 out of 10) affecting VMware Aria Automation, VMware Cloud Foundation, and VMware Telco Cloud Platform. Patches are also available.
“A malicious actor may exploit this issue to steal the access token of a logged-in user of VMware Aria automation appliance by tricking the user into clicking a malicious crafted payload URL,” Broadcom said.