Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability
securityweek.com
59 points by Bender 9 hours ago
According to the discoverer, NVISO: “We can however not assess whether this exploit was part of UNC5174’s capabilities or whether the zero-day’s usage was merely accidental due to its trivialness.”
This may explain the failure to notify of a 0day, since it seemed to be exploited accidentally in the course of a more sophisticated operation.
But that doesn’t excuse the lack of disclosure IMO. If it’s so trivial you could accidentally exploit it, seems bad.
A good reason why, even in VMs, services should be containerized, such as with nspawn, ideally distroless if sanely doable for the service.
Not that containerization should be your only protection either, but generally I prefer random users not to have the opportunity to just create and run arbitrary executables in the default namespace.
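As an added illustration of the point in the comment above (this is example code, not from the thread or from VMware), here is a small POSIX shell audit that checks whether directories an unprivileged user can write to are mounted without `noexec`, i.e. whether that user can drop a binary there and run it in the default mount namespace. It reads a file in `/proc/mounts` format; the sample mount table embedded below is constructed for the example, and the list of scratch paths to audit (`/tmp`, `/var/tmp`, `/dev/shm`) is an assumption you would adjust for your own hosts.

```shell
#!/bin/sh
# exec_audit.sh - added example, not part of the original page.
# Reports writable, executable mount points covering user-writable directories.
# Input is any file in /proc/mounts format (field 2 = mount point, field 4 = options).

covering_mount() {
    # $1: mounts file, $2: absolute path
    # Prints "<mountpoint> <options>" for the longest mount prefix covering $2.
    awk -v p="$2" '
    {
        m = $2
        if (m == "/" || p == m || index(p, m "/") == 1) {
            if (length(m) > best) { best = length(m); mnt = m; opts = $4 }
        }
    }
    END { if (best) print mnt, opts }' "$1"
}

exec_allowed() {
    # Returns 0 (true) when the mount covering $2 is read-write and lacks noexec,
    # i.e. a user with write access to the directory could create and run a binary.
    # Directory permissions are a separate check; this only looks at mount flags.
    set -- $(covering_mount "$1" "$2")
    [ $# -eq 2 ] || return 1        # no covering mount found: nothing to report
    case ",$2," in
        *,noexec,*|*,ro,*) return 1 ;;
    esac
    return 0
}

audit_exec_paths() {
    # $1: mounts file; remaining args: directories unprivileged users can write to.
    # Prints one line per offending path; returns 1 if any path allows exec.
    f="$1"; shift
    rc=0
    for p in "$@"; do
        if exec_allowed "$f" "$p"; then
            printf '%s: rw+exec via mount %s\n' "$p" "$(covering_mount "$f" "$p")"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in /proc/mounts format (assumption: a typical host where /tmp
# is hardened but /dev/shm is not and /var/tmp sits on the root filesystem).
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF

if audit_exec_paths "$SAMPLE_MOUNTS" /tmp /var/tmp /dev/shm; then
    echo "OK: every audited path blocks execution"
else
    echo "WARNING: unprivileged users can drop and run binaries in the paths above"
fi
```

On a real host you would pass `/proc/mounts` instead of the sample file. The remediation for a flagged path is the usual one: mount it `noexec` (e.g. in `fstab`), or give the service its own mount namespace so the host's scratch directories are not what it sees; `systemd-nspawn` can do the latter with a read-only root (`--read-only`) plus private tmpfs mounts (`--tmpfs=`). Either way this script only looks at mount flags, so pair it with a check of directory permissions.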
To add insult to injury, Broadcom totally wrecked the update process for existing VMware installations. They killed update servers and domains; everything is annihilated.
A cherry on top: you need to pass a quest of registrations and approvals before you are ever able to get access to any VMware software download. Good luck updating your software, folks.
I wanted to update to the latest version of the free VMware Workstation, and since the auto-updating didn't work anymore I tried to go to the Broadcom site to see if I could manually download it.
I was able to get to a download page for the latest version after making an account and traversing some confusing stuff, but it did want my real name and address before it would give me the download.
Broadcom seems really determined to drive everyone away from VMware at this point. I think they looked at pre-1990s IBM that locked everything up into service contracts top to bottom and decided that would be their business model. Makes Oracle look like GNU by comparison.
> Broadcom seems really determined to drive everyone away from VMware at this point.
They are, but there's a shit ton of money to be earned while doing so. VMware is so cemented at companies that migration for many is going to be almost impossible.
> pre-1990s IBM that locked everything up into service contracts top to bottom
IBM still has a ton of those service contracts. It's a small amount of their overall revenue but it's not nothing. 10 years from now, big F500 companies will still be on VMware paying insane amounts of money.
That's going to cost them big time in the EU when the CRA goes into full effect in a couple years. Theoretically anyway.