CVE-2022-38652 An insecuar deserialization vulnerability exists in VMWare Hyperic Agent 5.8.6

The supported products at the time of this advisory are VMWare Workstation 15, 16, and 17; VMWare Fusion 8, 9, and 10; and VMWare Player 6.5 and 7.5. It is highly recommended to upgrade to a supported version. This vulnerability can be exploited remotely - there is no need for a user to run a compromised Hyperic Agent instance on their local host. This vulnerability has been assigned the CVE identifier CVE-2018-18861. A CVSS score of 9.3 has been calculated.

What's been done so far? The VMWare team have released a patch for CVE-2018-18861. This patch has been released to the maintenance channel, but is still available in the public release channel.

VMWare Workstation Vulnerabilities

VMWare Workstation is a virtualization software that was created by VMware. VMWare Workstation is used for running multiple operating systems on one computer. It includes the ability to install and run different versions of Windows, Linux distributions, and other operating systems. VMWare Workstation also has the ability to create new virtual machines from existing guest systems.

What's the vulnerability?
This vulnerability was found in VMWare Workstation when handling file requests in VMWare Player 6.5 and 7.5. When this vulnerability is exploited, it allows an attacker to read any file on the host system or write any file on the host system as long as they have administrator privileges on the host machine.

Vulnerability details

VMware has released a patch for CVE-2018-18861. This patch has been released to the maintenance channel, but is still available in the public release channel. The vulnerability can be exploited remotely and there is no need for a user to run a compromised Hyperic Agent instance on their local host.

The vulnerability can be exploited remotely - there is no need for a user to run a compromised Hyperic Agent instance on their local host.
This vulnerability has been assigned the CVE identifier CVE-2018-18861 and has been calculated with a CVSS score of 9.3.

Timeline

Published on: 11/12/2022 05:15:00 UTC
Last modified on: 11/16/2022 23:19:00 UTC

References

• https://www.cyber.gov.au/acsc/view-all-content/alerts/multiple-vulnerabilities-vmware-vrealize-hyperic-monitoring-and-performance-management-product
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38652