VMware Addresses Critical Security Vulnerabilities
VMware has issued urgent patches to remediate four notable security vulnerabilities affecting its ESXi, Workstation, and Fusion products. Among these, two critical vulnerabilities could potentially enable attackers to execute arbitrary code on affected systems.
These vulnerabilities, identified as CVE-2024-22252 and CVE-2024-22253, are use-after-free flaws in the XHCI USB controller. Their CVSS scores are high: 9.3 for Workstation and Fusion, and 8.4 for ESXi. According to VMware’s advisory, “A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.” On ESXi, exploitation is contained within the VMX sandbox; on Workstation and Fusion, where no such sandbox exists, the flaws could permit code execution on the host machine, which is why those products carry the higher score.
The vulnerabilities were independently discovered by multiple security researchers affiliated with Ant Group’s Light-Year Security Lab, as well as QiAnXin. Notably, VictorV and Wei contributed to the discovery of CVE-2024-22253. This highlights the collaborative effort within the cybersecurity community to identify and report such significant flaws.
In addition to the critical vulnerabilities, VMware addressed two other security issues. The first, CVE-2024-22254, with a CVSS score of 7.9, is an out-of-bounds write vulnerability in ESXi that could be exploited by an attacker who already has privileges within the VMX process to escape the sandbox. The second, CVE-2024-22255, scored at 7.1, is an information disclosure vulnerability in the UHCI USB controller that allows an attacker with administrative access to a virtual machine to leak sensitive information from the VMX process.
The issues have been rectified in various VMware versions, including those that have reached end-of-life status, reflecting the urgency associated with these vulnerabilities. Among the affected versions are ESXi 6.5, 6.7, 7.0, and 8.0, as well as Workstation and Fusion releases. This range underscores VMware’s commitment to security, even for legacy software.
As a temporary remedial measure until patches can be fully deployed, VMware advises customers to remove all USB controllers from their virtual machines. This action will disable virtual USB devices, such as VMware virtual USB sticks or dongles, while ensuring that default input devices like keyboards and mice remain unaffected, as they do not utilize the USB protocol.
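Verifying that the workaround has actually been applied across an estate is the part an administrator most often gets wrong, so the following added audit script (written for this article; it is not VMware's own tooling or code from the advisory) walks a datastore directory and reports every virtual machine whose `.vmx` file still enables a USB controller. It assumes the standard `.vmx` keys `usb.present` (UHCI), `ehci.present` (EHCI) and `usb_xhci.present` (xHCI) mark a controller as present when set to `"TRUE"`; the two sample `.vmx` files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the advisory or VMware): audit .vmx files for USB
# controllers, the devices VMware says to remove as the interim workaround.
# Assumption: the standard .vmx keys usb.present (UHCI), ehci.present (EHCI)
# and usb_xhci.present (xHCI) mark a controller as present when set to "TRUE".

# Return 0 (true) if the .vmx file at $1 has any USB controller enabled.
has_usb_controller() {
    grep -Eiq '^[[:space:]]*(usb|ehci|usb_xhci)\.present[[:space:]]*=[[:space:]]*"?true"?' "$1"
}

# Print the controller keys that are enabled in $1, one per line.
usb_controllers_in() {
    grep -Eio '^[[:space:]]*(usb|ehci|usb_xhci)\.present[[:space:]]*=[[:space:]]*"?true"?' "$1" \
        | sed 's/[[:space:]]*=.*//'
}

# Walk a datastore directory (for example /vmfs/volumes on an ESXi host) and
# print one line per VM that still has a USB controller, with the keys found.
audit_vmx_dir() {
    dir="$1"
    find "$dir" -type f -name '*.vmx' 2>/dev/null | while IFS= read -r vmx; do
        if has_usb_controller "$vmx"; then
            printf 'NEEDS-REVIEW %s: %s\n' "$vmx" "$(usb_controllers_in "$vmx" | tr '\n' ' ')"
        fi
    done
}

# --- Constructed sample data so the script runs offline -------------------
SAMPLE_DIR="$(mktemp -d)"
mkdir -p "$SAMPLE_DIR/web01" "$SAMPLE_DIR/db01"

# web01: UHCI and xHCI controllers still present (workaround not applied)
cat > "$SAMPLE_DIR/web01/web01.vmx" <<'EOF'
.encoding = "UTF-8"
displayName = "web01"
usb.present = "TRUE"
usb_xhci.present = "TRUE"
ehci.present = "FALSE"
EOF

# db01: workaround already applied, no USB controllers enabled
cat > "$SAMPLE_DIR/db01/db01.vmx" <<'EOF'
.encoding = "UTF-8"
displayName = "db01"
usb.present = "FALSE"
usb_xhci.present = "FALSE"
EOF

VMX_WITH_USB="$SAMPLE_DIR/web01/web01.vmx"
VMX_WITHOUT_USB="$SAMPLE_DIR/db01/db01.vmx"

# Run the audit over the constructed datastore; only web01 should be listed.
audit_vmx_dir "$SAMPLE_DIR"
```

Point `audit_vmx_dir` at a real datastore path to produce a list of machines still needing the controller removed; a VM that shows up here after the change was supposedly made usually means the edit was done on a different copy of the configuration or the VM was never reconfigured at all.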
The vulnerabilities present a serious risk to organizations that run VMware’s virtualization products in their IT infrastructure. Because exploitation requires only local administrative privileges inside a guest, which a compromised or untrusted tenant may already hold, immediate action is needed to secure these systems. In MITRE ATT&CK terms, techniques under initial access, privilege escalation, and defense evasion are relevant to understanding how these vulnerabilities could be exploited by malicious actors.
In conclusion, it is crucial for businesses employing VMware services to remain vigilant and promptly apply the latest security updates to mitigate risks from these critical vulnerabilities. Organizations should prioritize patch management and consider the configuration of their virtual environments to enhance security posture.