VMware patches 3 critical vulnerabilities in multiple product lines

crepuscularbrolly

Ars Scholae Palatinae
1,167
Subscriptor++
Did I miss it or is there no mitigation/patch available for these yet?

Edit: Never mind, the actual VMware advisory appears to indicate there are.
My copy of VMware Fusion for macOS got an automated update this morning.

Anyway, I wonder if the Russians will now step up their hacking activities since Hegseth has just rolled over.
 
Upvote
36 (41 / -5)
Only a matter of time until a similar exploit occurs on AWS, Azure, and GCP. That's when the great migration back to on prem returns
That could be a very long time coming. The big cloud providers have shown actual competency with cybersecurity and given how much critical infrastructure runs on the big three cloud providers, a serious attack would generate a national security response, so too much heat for most cybercrime groups. That being said, if things get hot between China and Taiwan and the US intervenes on Taiwan's side I expect hell to be unleashed on the big three by Chinese government agencies and state-sponsored groups.
 
Upvote
9 (18 / -9)

murty

Wise, Aged Ars Veteran
175
Subscriptor++
Had the same issue
Do you use the Life Cycle Manager or just the default/older style updating system?

I hadn’t set up the Life Cycle Manager, but I am considering it to see if I can use that to jumpstart the patch.

Not sure how to force it to check against their servers for the latest patches beyond just running a compliance check, though I don’t know if that is just checking against what is already downloaded or if that actually calls out to Broadcom first.

Thinking I’ll reboot the vCenter VM and see if that gets the spice flowing.
 
Upvote
1 (1 / 0)

murty

Wise, Aged Ars Veteran
175
Subscriptor++
Had the same issue

OK, rebooting my vCenter server forced it to sync updates, then checking for compliance again after the sync finished finally revealed the updates for me.

FYI, the first check compliance I did after the reboot processed while vCenter was still syncing updates (progress for both was in the Recent Tasks pane), so: reboot vCenter, check for compliance, confirm it's syncing updates, and then check for compliance again. Hopefully that does it.

Saw some people on Reddit suggesting I could have also bumped the VMware vSphere Update Manager from the vCenter appliance portal, but I preferred to just do a reboot instead to ensure everything played nice.

(edited for formatting to make it a little easier to read)
 
Upvote
15 (15 / 0)

gildorn

Ars Scholae Palatinae
707
Subscriptor
Hrm, the security document says all VMware Fusion 13.x versions are vulnerable before 13.6.3. But 13.5.2 is the last version that runs on Mac OS X 12, and I'm not seeing an update to the 13.5.x line.

Yes, I know, time to think about upgrading hardware, but I hate to mess with things that are otherwise working fine.
 
Upvote
8 (8 / 0)

KnightSpawn

Ars Praetorian
408
Subscriptor
My copy of VMware Fusion for macOS got an automated update this morning.

Anyway, I wonder if the Russians will now step up their hacking activities since Hegseth has just rolled over.
Why? Hegseth would probably just let Kaspersky buy the SSL certificate keys and force DigiCert to hand them over for a $500,000 donation to Trump's 3rd term election campaign committee.
 
Upvote
1 (8 / -7)

Ekklesia

Smack-Fu Master, in training
36
My copy of VMware Fusion for macOS got an automated update this morning.

Anyway, I wonder if the Russians will now step up their hacking activities since Hegseth has just rolled over.
China and Russia are pals. They've already got a foot in the door. The parent company is Chinese owned.
 
Upvote
-5 (1 / -6)

r0twhylr

Ars Tribunus Militum
2,739
Subscriptor++
Gotta love it when a company commits seppuku by adding poison to the blade.

Then again, it could help accelerate the exodus and speed the death of the company, so... Mission accomplished soon?
We all love giving Broadcom a good swift kick, but given that out-of-date vSphere versions are still vulnerable, the issue predates Broadcom's involvement.
 
Upvote
10 (10 / 0)
We all love giving Broadcom a good swift kick, but given that out-of-date vSphere versions are still vulnerable, the issue predates Broadcom's involvement.

It's definitely VMware's defect; but what is unfortunate is that, thanks to the Broadcom shakeup, it's hard to think of a worse time for it to have come to light. Probably a historically large number of ESX hosts without access to patches because people were hoping to get them through a transition plan without having to move from VMware pricing to Broadcom pricing.
 
Upvote
8 (8 / 0)

r0twhylr

Ars Tribunus Militum
2,739
Subscriptor++
It's definitely VMware's defect; but what is unfortunate is that, thanks to the Broadcom shakeup, it's hard to think of a worse time for it to have come to light. Probably a historically large number of ESX hosts without access to patches because people were hoping to get them through a transition plan without having to move from VMware pricing to Broadcom pricing.
100%. This is exactly the conversation I have with customers on a weekly basis. It's an excruciating position for them to be in.
 
Upvote
5 (5 / 0)

gballard

Wise, Aged Ars Veteran
166
Subscriptor++
The cynic in me sees this as an awfully convenient way to force former customers who said “support is now too expensive, we’ll just keep running our current version” to pay up.
To paraphrase Joseph Heller, "just because you're cynical doesn't mean they're not screwing you."

We got this email from Broadcom/VMware two days ago:

Dear Valued Customer,

This is a reminder that your VMware vSphere support contract expired within the last 30 days. As we've transitioned to a subscription-based model, we can no longer renew your previous support contract.

To keep access to:

The latest vSphere updates
Round-the-clock support
Innovative new features

Contact your Preferred Partner to renew your subscription. If you aren't sure who that is, use our Partner Locator.

This was also in the message:

As a reminder, critical security patches will still be available for vSphere versions 7.x and 8.x, but we recommend renewing to ensure full access to all support services.

However, the updater mechanism (aka, "vCenter Lifecycle Manager") won't apply the patches, and when we try to download them manually from the support site, we get a "not entitled" error.

FWIW, we've already kicked off our Proxmox migration project; but this is all a nice reminder of why Broadcom can't be trusted.
 
Upvote
4 (4 / 0)
Read the article, the attacker has to have root access on the host. If he's already there, you probably have bigger worries.
I don't feel like this generic response works here. In this context, managed root access is what the service providers are typically selling. It doesn't implicitly represent a secure enclave controlled by a non-malicious actor.

The idea behind a VM is an arbitrary number of virtualized systems - each with root access to their own resources - all use the same hardware. Every VM customer has root access to their virtualized machines. That's the point.

Consider that an attacker should be able to sign up for basic service from any VM provider. This would typically generate a virtual machine on the provider's backbone and give the attacker root access to this virtual machine. From there, it would theoretically be possible to effectively take over the management infrastructure controlling the virtual host ... which would provide control over every other virtual host being managed by the same infrastructure.
 
Upvote
4 (4 / 0)

skierpage

Ars Praetorian
435
Subscriptor++
Consider that an attacker should be able to sign up for basic service from any VM provider. This would typically generate a virtual machine on the provider's backbone and give the attacker root access to this virtual machine.
Thanks. If that's the case then Dan Goodin's article downplays the risk:

In other words, if any customer with a VM inside a vulnerable hosting environment is compromised, an attacker might be able to take control of the host environment hypervisor.
The attacker didn't need to compromise an existing customer, they could just sign up for their own VMware guest with a credit card and upload the vulnerabilities. Or have all hosting providers moved away from VMware?
 
Upvote
1 (1 / 0)
The cynic in me sees this as an awfully convenient way to force former customers who said “support is now too expensive, we’ll just keep running our current version” to pay up.

They've been giving mixed messages. At least in our case vCenter Lifecycle Manager and esxcli software profile update against https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml have the update for 8 and 7; but trying to get downloads through Broadcom's support portal is a no, even when the relevant licenses are on record (apparently this is dire enough that their writeup on GitHub has an "I am having trouble downloading the patches" section).

What is more unclear at present is the status of 6.x versions: their main advisory doesn't even mention them; but the GitHub version says that both 6.5 and 6.7 are affected and that the patch for 6.7 is available "for all customers" while 6.5 is under "the extended support process". The 6.7 patch has release notes but seems to be AWOL both in the download portal and if you try to check for 2025 profiles for 6.7 against the depot index.

The only people they are actually committing to the $$$-or-shove-off in writing are 6.5 users; but 6.7 is some kind of semi-secret, and they just seem to be blatantly dropping the ball on even quite recently licensed 8.0.

I'm not sure that it's VMware-specific; Broadcom's support portal has been a loathsome morass every time I've had the misfortune to need to deal with it; but it's a bad look.
 
Upvote
1 (1 / 0)

Maltz

Ars Scholae Palatinae
1,014
Hrm, the security document says all VMware Fusion 13.x versions are vulnerable before 13.6.3. But 13.5.2 is the last version that runs on Mac OS X 12, and I'm not seeing an update to the 13.5.x line.

Yes I know time to think about upgrading hardware, but I hate to mess with things that are otherwise working fine.
Software with massive, known, exploited security holes is not "working fine".

BTW, "Mac OS X 12" isn't a thing, so I'm not clear on whether you mean "macOS 10.12" (Sierra) or "macOS 12" (Monterey), but either way, both are no longer supported and probably have severe security issues of their own - especially the former.
 
Upvote
0 (0 / 0)