VMware is issuing patches for its ESXi, Workstation and Fusion products to fix a pair of flaws that, if exploited, could each allow attackers with local administrative privileges on virtual machines to execute code as the virtual machine's VMX process running on the host.
The use-after-free flaws (CVE-2024-22252 and CVE-2024-22253) are two of four vulnerabilities disclosed by VMware Tuesday after they were discovered during the 2023 Tianfu Cup Pwn Contest. VMware said it hasn’t seen any exploitation in the wild of any of the flaws, but urged customers to update to the fixed version.
The flaws have different impacts on the various products, and were ranked as critical-severity for Workstation/Fusion, and as important-severity for ESXi: “On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed,” according to VMware’s security update.
CVE-2024-22252 exists in the XHCI USB controller component, and CVE-2024-22253 is in the UHCI USB controller. As a workaround, VMware said customers may be able to remove the USB controller from the VM, though it may not be feasible at scale and also may impact virtual machine console functionality.
“Each organization must assess for themselves how to effectively configure these measures for their environment,” according to VMware, which is owned by Broadcom. “Broadcom strongly recommends patching to remove the vulnerability, as workarounds introduce complexity and do not resolve the underlying issue.”
VMware also fixed an important-severity out-of-bounds write flaw (CVE-2024-22254) in ESXi which, if exploited, could allow a threat actor with privileges within the VMX process to trigger an out-of-bounds write, potentially leading to a sandbox escape. Finally, the company patched an important-severity information disclosure bug in the UHCI USB controller (CVE-2024-22255). This flaw could allow attackers to leak memory from the VMX process, but they would need administrative access to a virtual machine.
Customers are encouraged to update to fixed versions for ESXi, including ESXi80U2sb-23305545, ESXi80U1d-23299997 and ESXi70U3p-23307199; as well as version 17.5.1 for Workstation and 13.5.1 for Fusion.
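The two defender-side checks an administrator would want from the advisory text above are an inventory of which ESXi hosts are on one of the fixed builds named in it, and a list of which VMs still carry the UHCI or xHCI USB controller that the workaround removes. The PowerCLI script below is an added example written for this page; it is not code from VMware or Broadcom. It assumes the VMware.PowerCLI module is installed, that the vCenter name is replaced with a real one (the one shown is a placeholder), and that removing a USB controller requires the VM to be powered off (a conservative assumption; the script refuses otherwise). The vSphere API device class names `VirtualUSBController` (UHCI) and `VirtualUSBXHCIController` (xHCI) are real; the fixed build numbers are the ones quoted in the article.

```powershell
# Added example (not VMware/Broadcom code): audit ESXi hosts against the fixed builds in the
# advisory and list VMs that still have a UHCI or xHCI USB controller attached.
# Assumes VMware.PowerCLI is installed; the server name below is a placeholder.
Connect-VIServer -Server 'vcenter.example.invalid' | Out-Null

# Fixed ESXi builds as quoted in the advisory text (build number -> patch name).
$FixedBuilds = @{
    '23305545' = 'ESXi80U2sb-23305545'
    '23299997' = 'ESXi80U1d-23299997'
    '23307199' = 'ESXi70U3p-23307199'
}

# 1. Host build audit. Exact match only: a host on a later build will not match either,
#    so the non-matching status is "review", not "vulnerable".
$hostReport = Get-VMHost | ForEach-Object {
    $build = [string]$_.Build
    [pscustomobject]@{
        Host    = $_.Name
        Version = $_.Version
        Build   = $build
        Status  = if ($FixedBuilds.ContainsKey($build)) { "fixed ($($FixedBuilds[$build]))" }
                  else { 'review against advisory' }
    }
}
$hostReport | Format-Table -AutoSize

# 2. VMs with a UHCI (VirtualUSBController) or xHCI (VirtualUSBXHCIController) device.
$UsbControllerTypes = @('VirtualUSBController', 'VirtualUSBXHCIController')
function Get-UsbControllerReport {
    foreach ($vm in Get-VM) {
        $ctrls = $vm.ExtensionData.Config.Hardware.Device |
                 Where-Object { $_.GetType().Name -in $UsbControllerTypes }
        foreach ($c in $ctrls) {
            [pscustomobject]@{
                VM         = $vm.Name
                Controller = $c.GetType().Name
                DeviceKey  = $c.Key
                PowerState = $vm.PowerState
            }
        }
    }
}
Get-UsbControllerReport | Format-Table -AutoSize

# 3. The workaround itself: remove the USB controller(s) from one VM via ReconfigVM_Task.
#    Assumed to require a powered-off VM; removal also drops the VM's USB passthrough and
#    may affect console functionality, as the advisory notes, so run it deliberately.
function Remove-UsbController {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$VMName)

    $vm = Get-VM -Name $VMName
    if ($vm.PowerState -ne 'PoweredOff') { throw "$VMName must be powered off before removing its USB controller" }

    $devs = @($vm.ExtensionData.Config.Hardware.Device |
              Where-Object { $_.GetType().Name -in $UsbControllerTypes })
    if ($devs.Count -eq 0) { Write-Verbose "$VMName has no USB controller"; return }

    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.DeviceChange = @(foreach ($d in $devs) {
        $change = New-Object VMware.Vim.VirtualDeviceConfigSpec
        $change.Operation = [VMware.Vim.VirtualDeviceConfigSpecOperation]::remove
        $change.Device = $d
        $change
    })

    if ($PSCmdlet.ShouldProcess($VMName, "remove $($devs.Count) USB controller(s)")) {
        $vm.ExtensionData.ReconfigVM_Task($spec) | Out-Null
    }
}

# Dry run first, then the real change:
#   Remove-UsbController -VMName 'some-vm' -WhatIf
#   Remove-UsbController -VMName 'some-vm'
```

Because `Remove-UsbController` declares `SupportsShouldProcess`, `-WhatIf` shows which VM and how many controllers would be touched without issuing the reconfigure task, which is the safe way to scope the workaround before applying it where patching cannot happen immediately.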
“While Broadcom does not mention end-of-life products in the Security Advisories, due to the critical severity of these vulnerabilities Broadcom has made a patch available to customers with extended support for ESXi 6.7 (6.7U3u), 6.5 (6.5U3v) and VCF 3.x,” according to VMware.
Over the past years VMware has disclosed a number of flaws affecting its hypervisor products: ESXi, the hypervisor that partitions servers into multiple virtual machines; Workstation, its hosted hypervisor; and Fusion, its hypervisor for macOS systems. In 2023, threat groups targeted an older vulnerability in ESXi (CVE-2021-21974) in order to install ransomware on compromised instances.