VMware stated on Tuesday that it had addressed several high-severity vulnerabilities revealed at a major Chinese hacking competition last year. The vulnerabilities affect VMware ESXi, Workstation, and Fusion, and they were exploited by Kunlun Lab, the winning team at the 2021 Tianfu Cup hacking competition. Kunlun Lab received over $650,000 for the various exploits it demonstrated at Tianfu Cup.
The event organizers offered $80,000 for VMware Workstation flaws that result in a guest-to-host escape and $180,000 for ESXi exploits that allow an attacker to gain root access on the host. It is not known how much Kunlun Lab earned at Tianfu Cup from its VMware exploits. VMware described the vulnerabilities in an advisory published on Tuesday.
VMware has released updates for ESXi, Workstation, Fusion, and Cloud Foundation, and has also provided remedies beyond those updates. According to the virtualization giant, customers should act quickly to address the vulnerabilities. “The ramifications of this vulnerability are serious, especially if attackers have access to workloads inside your environments,” VMware warned in a Q&A document published to provide further clarification.
This would be classified as an “emergency change” by organizations that use the ITIL standard of change types. Because every environment is distinct, has a different risk tolerance, and uses different security controls and defense-in-depth measures to reduce risk, users must decide for themselves how to proceed. However, given the seriousness of the situation, VMware strongly advises taking action. In the same document, VMware also stated that the vulnerabilities “were reported to the Chinese government by the researchers that discovered them, in accordance with their laws.”
A recently enacted law requires Chinese citizens who discover zero-day vulnerabilities to report them to the government. Apart from the affected vendor, researchers are not permitted to sell or share the information with third parties outside China. In December, it was reported that China’s Ministry of Industry and Information Technology had temporarily suspended its engagement with Alibaba Cloud as a cyber threat intelligence partner because the company failed to notify the government about the infamous Log4Shell vulnerability.