VMware addresses ESXi issue disclosed at the Tianfu Cup hacking competition

VMware has addressed a critical remote code execution vulnerability in ESXi that was disclosed recently at the Tianfu Cup hacking competition.

This week VMware has released security updates that fix a critical remote code execution vulnerability in ESXi that was recently disclosed by white hat hackers at the Tianfu Cup hacking competition in China.

The Tianfu Cup 2019 International Cyber ​​Security Competition took place in November, white hat hackers that participated into the competition have earned $545,000 for working zero-day exploits.

Researcher @xiaowei from the 360Vulcan team received the highest reward ($200,000) for a working exploit for the VMware vSphere ESXi product that allowed them to escape from the guest virtual machine to the host. The critical flaw tracked as CVE-2019-5544 has been assigned a CVSS score of 9.8.

The hacker was able to take control of the host operating system in only 24 seconds.

According to VMware, the CVE-2019-5544 flaw is a heap overwrite issue that resides in the OpenSLP open-source implementation of the Service Location Protocol (SLP), which allows the software to locate resources on a network.

“OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the advisory published by the company..

“A malicious actor with network access to port 427 on an ESXi host or on any Horizon DaaS management appliance may be able to overwrite the heap of the OpenSLP service resulting in remote code execution,”

Experts from VMware that were present at the competition received the details of the exploit immediately after the expert demonstrated the attack.

According to VMware, the flaw affects ESXi versions 6.0, 6.5 and 6.7 running on any platform, and the Horizon cloud desktop-as-a-service (DaaS) platform version 8.x.

The company has already patched the issue for ESXi and it is currently working on a fix for Horizon DaaS.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – VMWare, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]