Description:

VMware has published a security advisory to address an uninitialised stack memory vulnerability in the vmxnet3 virtual network adapter.

Affected Systems:

• VMware vSphere ESXi (ESXi) version 6.0, 6.5 and 6.7
• VMware Workstation version 14.x and 15.x
• VMware Fusion version 10.x and 11.x

Impact:

Successful exploitation of the vulnerabilities could lead to an information leak from host to guest, or allow a guest to execute code on the host.

Recommendation:

The product vendor has released new versions to address the issue at the following website:

• VMware vSphere ESXi (ESXi) version 6.0, 6.5 or 6.7
  https://my.vmware.com/group/vmware/patch
  
  
• VMware Workstation Pro 14.1.4, 15.0.1
  https://www.vmware.com/go/downloadworkstation
  
  
• VMware Workstation Player 14.1.4, 15.0.1
  https://www.vmware.com/go/downloadplayer
  
  
• VMware Fusion Pro/ Fusion 10.1.4, 11.0.1
  https://www.vmware.com/go/downloadfusion
  
  

System administrators may contact their product support vendors for the fixes and assistance.

More Information:

https://www.vmware.com/security/advisories/VMSA-2018-0027.html
https://www.hkcert.org/my_url/en/alert/18111201
https://www.us-cert.gov/ncas/current-activity/2018/11/09/VMware-Releases-Security-Updates
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6981
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6982