29th May 2018 – VMware security update – CVE-2018-6964

Found VMware Horizon Client (Linux) contains design weakness causes privilege escalation vulnerability. I speculate that the vulnerability only happened on Horizon client for Linux. And therefore it can’t bring the IT guy attention. But do not ignore this vulnerability. As we know, ESXi 6.5 could allow an autenticated VNC session to cause a heap overflow via specific set of VNC packes resulting in heap corruption. But hacker would exploit this deisgn bug. Meanwhile the environment must fulfill the requirement. VNC must be enabled. Apart from that ESXi must configured to allow VNC traffic through the build in firewall. As a matter of fact, IT operations would like to increase their fexibility. And sometimes enable this function in data center. If this is the way or you require to use VNC for remote access. Then you must stay alert.
If this is not a require function, it is recommend to disable it.

For the vulnerability details found on 29th May 2018. Techncial detials is shown as below:

VMSA-2018-0014: VMware Horizon Client update addresses a privilege escalation vulnerability – https://www.vmware.com/security/advisories/VMSA-2018-0014.html