
VMware Issues Security Patches for ESXi, Workstation, and Fusion Flaws

VMware has released patches to address four security flaws affecting ESXi, Workstation, and Fusion, including two critical flaws that could lead to code execution.

Tracked as CVE-2024-22252 and CVE-2024-22253, the vulnerabilities are described as use-after-free bugs in the XHCI USB controller. They carry a CVSS score of 9.3 for Workstation and Fusion, and 8.4 for ESXi systems.

"A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host," the company said in a new advisory.

"On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed."

Multiple security researchers associated with the Ant Group Light-Year Security Lab and QiAnXin have been credited with independently discovering and reporting CVE-2024-22252. Security researchers VictorV and Wei have been acknowledged for reporting CVE-2024-22253.


Also patched by the Broadcom-owned virtualization services provider are two other shortcomings –

  • CVE-2024-22254 (CVSS score: 7.9) – An out-of-bounds write vulnerability in ESXi that a malicious actor with privileges within the VMX process could exploit to trigger a sandbox escape.
  • CVE-2024-22255 (CVSS score: 7.9) – An information disclosure vulnerability in the UHCI USB controller that an attacker with administrative access to a virtual machine could exploit to leak memory from the VMX process.

The issues have been addressed in the following versions, including those that have reached end-of-life (EoL), because of the severity of these bugs –

As a temporary workaround until a patch can be deployed, customers have been asked to remove all USB controllers from the virtual machine. This removes the attack surface for all four bugs, since each of them is reached through the emulated USB controllers (xHCI for CVE-2024-22252 and CVE-2024-22253, UHCI for CVE-2024-22255) or the VMX process that hosts them.

"In addition, virtual/emulated USB devices, such as VMware virtual USB stick or dongle, will not be available for use by the virtual machine," the company said. "In contrast, the default keyboard/mouse as input devices are not affected as they are, by default, not connected through USB protocol but have a driver that does software device emulation in the guest OS."
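To find which virtual machines still carry a USB controller, and to produce a configuration with those controllers removed, the following is an added example and not VMware's own tooling. It parses the `.vmx` key/value format and assumes the standard controller keys `usb.present` (UHCI), `ehci.present` (EHCI) and `usb_xhci.present` (xHCI), plus the per-controller keys that share those prefixes (`usb.pciSlotNumber`, `usb:1.present`, and so on); the sample configuration is constructed for the example. Treat it as a triage aid: the supported way to remove a controller is the vSphere, Workstation or Fusion client (or PowerCLI) with the VM powered off, and a hand-edited `.vmx` is only re-read when the VM is next powered on.

```python
"""Audit and neutralise USB controllers in VMware .vmx files.

Added example, not VMware tooling. Assumed .vmx keys (standard names):
  usb.present       UHCI controller   (CVE-2024-22255 surface)
  ehci.present      EHCI controller
  usb_xhci.present  xHCI controller   (CVE-2024-22252 / CVE-2024-22253 surface)
Only edit a .vmx while the VM is powered off; VMware re-reads it on power-on.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Controller prefixes whose "<prefix>.present" flag enables a USB host controller.
USB_CONTROLLERS = {
    "usb": "UHCI (CVE-2024-22255)",
    "ehci": "EHCI",
    "usb_xhci": "xHCI (CVE-2024-22252, CVE-2024-22253)",
}
_CONTROLLER_KEYS = {f"{p}.present" for p in USB_CONTROLLERS}

# One .vmx line: key = "value"   (keys may contain '.', ':' and '_')
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

# Constructed sample: a VM with UHCI, EHCI and xHCI controllers plus a USB hub.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "20"
displayName = "build-runner-01"
usb.present = "TRUE"
usb.pciSlotNumber = "32"
ehci.present = "TRUE"
ehci.pciSlotNumber = "33"
usb_xhci.present = "TRUE"
usb_xhci.pciSlotNumber = "192"
usb:1.present = "TRUE"
usb:1.deviceType = "hub"
scsi0.present = "TRUE"
ethernet0.present = "TRUE"
"""


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict; blank and '#' lines are ignored."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def usb_controllers(cfg: Dict[str, str]) -> List[str]:
    """Return the USB controller prefixes that are enabled in this config."""
    return [p for p in USB_CONTROLLERS
            if cfg.get(f"{p}.present", "").upper() == "TRUE"]


def _prefix(key: str) -> str:
    """'usb_xhci.pciSlotNumber' -> 'usb_xhci'; 'usb:1.present' -> 'usb'."""
    return key.split(".")[0].split(":")[0]


def strip_usb_controllers(text: str) -> Tuple[str, List[str]]:
    """Return (hardened .vmx text, controllers that were enabled).

    Each controller's .present flag is forced to FALSE and every other key under
    that controller's prefix (PCI slot, attached usb:N devices, autoConnect
    entries) is dropped, so the VMX process never instantiates the controller.
    """
    removed = usb_controllers(parse_vmx(text))
    out: List[str] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            out.append(line)          # comments / unparsed lines pass through
            continue
        key = m.group(1)
        if key in _CONTROLLER_KEYS:
            out.append(f'{key} = "FALSE"')
        elif _prefix(key) in USB_CONTROLLERS:
            continue                  # dependent key of a removed controller
        else:
            out.append(line)
    return "\n".join(out) + "\n", removed


def audit_tree(root: Path) -> Dict[str, List[str]]:
    """Map each .vmx under root to its enabled USB controllers (empty = clean)."""
    return {str(p): usb_controllers(parse_vmx(p.read_text(errors="replace")))
            for p in sorted(root.rglob("*.vmx"))}


if __name__ == "__main__":
    # Usage: python vmx_usb_audit.py /vmfs/volumes/datastore1   (reports only)
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = audit_tree(root) if root else {"<sample>": usb_controllers(parse_vmx(SAMPLE_VMX))}
    for path, ctrls in results.items():
        status = ", ".join(USB_CONTROLLERS[c] for c in ctrls) if ctrls else "no USB controller"
        print(f"{path}: {status}")
```

Run against a datastore directory on an ESXi host, the script only reports; `strip_usb_controllers` is what you would apply to a Workstation or Fusion `.vmx` you control, after powering the VM off and keeping a backup of the original file.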

