VMware has fixed four vulnerabilities (CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255) in ESXi, Workstation, Fusion and Cloud Foundation, some of which could allow attackers to escape the sandbox and execute code on the host machine.
About the vulnerabilities
VMware ESXi is a bare-metal hypervisor, VMware Workstation and Fusion are desktop hypervisors, and VMware Cloud Foundation is a hybrid cloud platform.
CVE-2024-22252 and CVE-2024-22253 affect VMware ESXi, Workstation, and Fusion and are critical use-after-free vulnerabilities in the XHCI and UHCI USB controllers, respectively.
“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed,” the VMware security advisory says for both flaws.
CVE-2024-22254 is an out-of-bounds write vulnerability affecting VMware ESXi that could allow a threat actor with VMX process privileges to escape the sandbox.
CVE-2024-22255 is an information disclosure vulnerability in the UHCI USB controller affecting VMware ESXi, Workstation, and Fusion. A threat actor with administrative access to a virtual machine might exploit it to leak memory from the VMX process.
“As of now, VMware is not aware of any ‘in the wild’ exploitation of these vulnerabilities,” the company noted.
The vulnerabilities have been found and exploited by various teams participating in the 2023 Tianfu Cup Pwn Contest and have been privately disclosed to VMware for patching.
Patch now!
Updates fixing the vulnerabilities have been provided for:
- ESXi v7.0
- ESXi v8.0
- Workstation v17.x
- Fusion v13.x (macOS)
- Cloud Foundation (VCF) v5.x/4.x
Because of the severity of the vulnerabilities, the company has also provided a patch for versions that have reached end-of-life: ESXi 6.7 (6.7U3u), 6.5 (6.5U3v) and VCF 3.x.
If patches can’t be deployed immediately, there’s a workaround that involves removing the USB controllers from the VM. This measure should be temporary as it may affect the functionality of the virtual machine console.
“This may not be feasible at scale, and some supported operating systems require USB for keyboard and mouse access via the virtual console (through vCenter Server or ESXi but does not affect Remote Desktop). You may also lose some functionality such as USB passthrough,” they said.
“That said, most Windows and Linux versions support use of the virtual PS/2 mouse and keyboard, and removing unnecessary devices such as USB controllers is recommended as part of the security hardening guidance VMware publishes.”
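As an added illustration of the workaround above (example code, not VMware's own tooling), the following script audits a Workstation/Fusion .vmx file for enabled USB controllers and writes a copy with those controllers disabled. The key names usb.present, ehci.present and usb_xhci.present, and the sample file contents, are assumptions.

```python
"""Audit a VMware .vmx file for enabled USB controllers and emit a hardened copy.
Added example, not VMware's code. Assumes the .vmx keys usb.present (UHCI),
ehci.present (EHCI) and usb_xhci.present (XHCI) control which USB controllers exist."""
import re

# Constructed sample of the relevant lines of a .vmx file (not a real VM).
SAMPLE_VMX = """\
config.version = "8"
displayName = "lab-vm"
usb.present = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "TRUE"
"""

# Assumed mapping of .vmx keys to the controller each one enables.
USB_CONTROLLER_KEYS = {
    "usb.present": "UHCI (USB 1.1)",
    "ehci.present": "EHCI (USB 2.0)",
    "usb_xhci.present": "XHCI (USB 3.x)",
}

# A .vmx line is  key = "value"; keys may contain letters, digits, '_', '.' and ':'.
_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return a dict of key -> value for every well-formed line."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def usb_controllers_present(text):
    """List the USB controller types that are enabled in the given .vmx text."""
    cfg = parse_vmx(text)
    return [name for key, name in USB_CONTROLLER_KEYS.items()
            if cfg.get(key, "FALSE").upper() == "TRUE"]

def disable_usb_controllers(text):
    """Rewrite every USB controller key to "FALSE"; all other lines are kept verbatim."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        out.append(f'{m.group(1)} = "FALSE"' if m and m.group(1) in USB_CONTROLLER_KEYS else line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("enabled USB controllers:", usb_controllers_present(SAMPLE_VMX))
    print(disable_usb_controllers(SAMPLE_VMX))
```

For ESXi-managed VMs the same change is made by removing the controller devices through vSphere rather than by editing the file; as the advisory notes, console keyboard and mouse input then falls back to the virtual PS/2 devices on most Windows and Linux guests.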
Customers that have deployed VMware Workstation, VMware Fusion, and/or VMware ESXi as part of VMware vSphere are also affected and should upgrade to vSphere 7 or 8.
Recently, VMware has urged admins to uninstall a (deprecated) vulnerable vSphere plugin that could be leveraged by attackers to mount authentication relay and session hijack attacks.