silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,154
VMware this week informed customers that it has patched several vulnerabilities in its ESXi, Workstation, Fusion and NSX-T products, including a critical flaw that allows arbitrary code execution.
The critical vulnerability, identified as CVE-2020-3992, has been described as a use-after-free issue that affects the OpenSLP service in ESXi.
The vulnerability was reported to VMware on July 22 by Lucas Leong of Trend Micro's Zero Day Initiative (ZDI). In its own advisory, ZDI said the vulnerability can be exploited by a remote, unauthenticated attacker to execute arbitrary code.
“The specific flaw exists within the processing of SLP messages. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the SLP daemon,” ZDI said.
VMware Patches Critical Code Execution Vulnerability in ESXi
VMware has patched several vulnerabilities affecting its products, including a critical code execution flaw in ESXi
www.securityweek.com