VMware has released fixes for several flaws that together could allow attackers to execute malicious code on the host system from inside a virtual machine, bypassing the critical isolation layer. Some of the flaws are in the virtualized USB controllers, so they affect most VMware hypervisors: VMware ESXi, VMware Workstation, VMware Fusion, and VMware Cloud Foundation.
Attacker groups have exploited vulnerabilities in VM products before, including to deploy ransomware. In January it was revealed that a Chinese cyberespionage group had been exploiting a critical remote code execution vulnerability in VMware vCenter Server for 18 months before it was patched in October last year.
Flaws in VMware USB controllers
The new security patches released this week address two use-after-free memory vulnerabilities in the UHCI USB and XHCI USB controllers: CVE-2024-22252 and CVE-2024-22253. These are the virtualized controllers that enable the use of USB devices inside VMware virtual machines. Both flaws are rated 9.3 out of 10 on the CVSS severity scale.
“A malicious actor with local administrative privileges on a virtual machine might exploit this issue to execute code as the virtual machine’s VMX process running on the host,” VMware said in its advisory. “On ESXi, the exploitation is contained inside the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”
Although the VMX process is sandboxed on ESXi, this does not completely limit the risk of remote code execution, because a third vulnerability could allow attackers to escape the VMX sandbox. This is an out-of-bounds write vulnerability tracked as CVE-2024-22254 and rated 7.9 in severity.
A fourth vulnerability, an information disclosure flaw tracked as CVE-2024-22255, has also been patched in the UHCI USB controller. This flaw can be used to leak memory from the VMX process and is rated 7.1.