VMware has released patches to address four security flaws impacting ESXi, Workstation, and Fusion, including two critical flaws that could lead to code execution.
Tracked as CVE-2024-22252 and CVE-2024-22253, the vulnerabilities have been described as use-after-free bugs in the XHCI USB controller. They carry a CVSS score of 9.3 for Workstation and Fusion, and 8.4 for ESXi systems.
“On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”
Multiple security researchers associated with the Ant Group Light-Year Security Lab and QiAnXin have been credited with independently discovering and reporting CVE-2024-22252. Security researchers VictorV and Wei have been acknowledged for reporting CVE-2024-22253.
Also patched by the Broadcom-owned virtualization services provider are two other shortcomings –
- CVE-2024-22254 (CVSS score: 7.9) – An out-of-bounds write vulnerability in ESXi that a malicious actor with privileges within the VMX process could exploit to trigger a sandbox escape.
- CVE-2024-22255 (CVSS score: 7.1) – An information disclosure vulnerability in the UHCI USB controller that an attacker with administrative access to a virtual machine may exploit to leak memory from the vmx process.
The issues have been addressed in the following versions, including those that have reached end-of-life (EoL) due to the severity of these issues –
As a temporary workaround until a patch can be deployed, customers have been asked to remove all USB controllers from the virtual machine.
Source: https://thehackernews.com/