CVE-2018-6957 in Workstation
Summary
by MITRE
VMware Workstation (14.x before 14.1.1, 12.x) and Fusion (10.x before 10.1.1 and 8.x) contain a denial-of-service vulnerability which can be triggered by opening a large number of VNC sessions. Note: In order for exploitation to be possible on Workstation and Fusion, VNC must be manually enabled.
Analysis
by VulDB Data Team • 02/05/2021
This vulnerability exists in VMware Workstation and Fusion, where a denial-of-service condition can be triggered through excessive VNC session creation. The flaw affects Workstation 14.x before 14.1.1 and 12.x, and Fusion 10.x before 10.1.1 and 8.x, representing a significant security gap in virtualization software that could compromise system availability. The vulnerability manifests when an attacker opens a large number of VNC sessions, causing the affected systems to become unresponsive or crash entirely. This represents a classic resource exhaustion attack pattern that aligns with CWE-400, which categorizes unchecked resource allocation as a fundamental weakness in software design. The attack vector requires manual configuration of VNC functionality, meaning that exploitation is not automatic but rather requires deliberate system modification by an attacker with access to the affected virtualization environment.
The operational impact extends beyond simple service disruption, as this vulnerability can affect entire virtual desktop infrastructure deployments where VNC connectivity is utilized for remote management or troubleshooting purposes. Organizations using these vulnerable versions may experience complete system outages, particularly in enterprise environments where virtual machines are frequently accessed through VNC protocols for administrative tasks. The vulnerability demonstrates how seemingly minor configuration options can create significant security risks when not properly secured or monitored.
The technical implementation of this vulnerability stems from inadequate session management and resource allocation controls within the VNC subsystem of these VMware products. When multiple VNC sessions are opened simultaneously, the system fails to properly handle the resource allocation and memory management required to maintain stable operation. This weakness allows an attacker to consume available system resources through excessive session creation, effectively exhausting memory or process limits that prevent legitimate operations from functioning properly. The vulnerability is particularly concerning because it operates at the hypervisor level where multiple virtual machines can be affected simultaneously, potentially creating cascading failures in virtualized environments. From an attack perspective, this aligns with ATT&CK technique T1499.001 which covers network denial of service attacks, though the specific implementation involves local resource exhaustion rather than network-based disruption. The requirement for manual VNC enabling means that organizations with proper security policies and configuration management may be protected, but those with less rigorous controls could be vulnerable to exploitation. The lack of automatic exploitation capabilities does not diminish the severity of the vulnerability, as it still represents a potential vector for system compromise through resource exhaustion attacks.
Mitigation strategies for this vulnerability involve both immediate remediation and long-term security hardening measures. The primary recommendation is to upgrade to patched versions of VMware Workstation and Fusion, specifically versions 14.1.1 and 10.1.1 respectively, which contain fixes for the session management issues. Organizations should also implement strict access controls and monitoring for VNC configuration changes, as the vulnerability requires manual enabling of VNC functionality to be exploitable. Network segmentation and limiting VNC access to trusted networks can significantly reduce the attack surface for this vulnerability. System administrators should configure resource limits and session quotas to prevent excessive VNC connections from overwhelming system resources. Regular security assessments and vulnerability scanning should include verification of VNC configuration settings across all virtualization environments. The fix implemented by VMware addresses the underlying resource management issues in the VNC subsystem and includes enhanced session tracking and memory allocation controls that prevent the exhaustion of critical system resources. Organizations should also consider implementing automated monitoring solutions that can detect unusual VNC session patterns and alert administrators to potential exploitation attempts. This vulnerability highlights the importance of proper resource management in virtualized environments and the need for comprehensive security controls that address both network and system-level threats. The remediation process should include thorough testing of patched systems to ensure that legitimate VNC operations continue to function properly while preventing the exploitation vectors that could lead to denial-of-service conditions.
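One way to carry out the version and VNC-configuration verification recommended above, as an added example that is not VulDB's or VMware's code. It assumes the built-in VNC server is controlled by the `.vmx` keys `RemoteDisplay.vnc.enabled` and `RemoteDisplay.vnc.port`, treats keys case-insensitively, and uses a constructed sample file; the function names are hypothetical.

```python
import re

# Affected branches as listed in the advisory: major -> first fixed release
# (None = the page names no fixed release for that branch).
AFFECTED = {
    "workstation": {14: (14, 1, 1), 12: None},
    "fusion": {10: (10, 1, 1), 8: None},
}
VMX_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"(.*)"\s*$')

# Constructed sample .vmx content (not taken from a real VM).
SAMPLE_VMX = '''
.encoding = "UTF-8"
displayName = "build-agent-01"
RemoteDisplay.vnc.enabled = "TRUE"
RemoteDisplay.vnc.port = "5901"
'''

def is_affected(product, version):
    """True if product/version falls inside the ranges the advisory lists."""
    parts = tuple(int(p) for p in version.split("."))
    branches = AFFECTED.get(product.lower(), {})
    if parts[0] not in branches:
        return False
    fixed = branches[parts[0]]
    # Pad "14.1" to (14, 1, 0) so it compares correctly against (14, 1, 1).
    padded = parts + (0,) * (3 - len(parts))
    return fixed is None or padded < fixed

def parse_vmx(text):
    """Parse key = "value" lines; keys lower-cased, last occurrence wins."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def vnc_exposure(vmx_text):
    """Report whether the VM's VNC server is enabled and on which port."""
    s = parse_vmx(vmx_text)
    enabled = s.get("remotedisplay.vnc.enabled", "").strip().upper() == "TRUE"
    # Assumption: port 5900 applies when VNC is enabled without an explicit port.
    port = s.get("remotedisplay.vnc.port", "5900") if enabled else None
    return {"vnc_enabled": enabled, "port": port}

def at_risk(product, version, vmx_text):
    """Both preconditions from the advisory: affected build and VNC enabled."""
    return is_affected(product, version) and vnc_exposure(vmx_text)["vnc_enabled"]
```

Run `at_risk` over every `.vmx` file in an inventory, paired with the installed product version, to list the hosts that need the upgrade first.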