VMware has unveiled patches to tackle four security flaws impacting ESXi, Workstation, and Fusion, such as two critical flaws that could direct to code execution.
Tracked as CVE-2024-22252 and CVE-2024-22253, the vulnerabilities have been explained as use-right after-totally free bugs in the XHCI USB controller. They have a CVSS score of 9.3 for Workstation and Fusion, and 8.4 for ESXi methods.
“A destructive actor with local administrative privileges on a digital device could exploit this issue to execute code as the virtual machine’s VMX procedure functioning on the host,” the enterprise mentioned in a new advisory.
“On ESXi, the exploitation is contained within the VMX sandbox while, on Workstation and Fusion, this may well guide to code execution on the equipment in which Workstation or Fusion is put in.”
Several security researchers linked with the Ant Team Mild-Year Security Lab and QiAnXin have been credited with independently exploring and reporting CVE-2024-22252. Security researchers VictorV and Wei have been acknowledged for reporting CVE-2024-22253.
Also patched by the Broadcom-owned virtualization companies service provider are two other shortcomings –
- CVE-2024-22254 (CVSS rating: 7.9) – An out-of-bounds create vulnerability in ESXi that a destructive actor with privileges inside of the VMX process could exploit to result in a sandbox escape.
- CVE-2024-22255 (CVSS score: 7.9) – An information disclosure vulnerability in the UHCI USB controller that an attacker with administrative access to a virtual equipment might exploit to leak memory from the vmx method.
The issues have been tackled in the next versions, which include all those that have achieved conclude-of-lifestyle (EoL) owing to the severity of these issues –
- ESXi 6.5 – 6.5U3v
- ESXi 6.7 – 6.7U3u
- ESXi 7. – ESXi70U3p-23307199
- ESXi 8. – ESXi80U2sb-23305545 and ESXi80U1d-23299997
- VMware Cloud Basis (VCF) 3.x
- Workstation 17.x – 17.5.1
- Fusion 13.x (macOS) – 13.5.1
As a short-term workaround until a patch can be deployed, consumers have been asked to take away all USB controllers from the virtual device.
“In addition, digital/emulated USB gadgets, these types of as VMware digital USB adhere or dongle, will not be available for use by the digital device,” the firm said. “In distinction, the default keyboard/mouse as input products are not afflicted as they are, by default, not linked via USB protocol but have a driver that does computer software gadget emulation in the visitor OS.”
Located this post interesting? Comply with us on Twitter and LinkedIn to study a lot more special written content we submit.
Some parts of this article are sourced from:
thehackernews.com