VMware has launched patches to deal with 4 safety flaws impacting ESXi, Workstation, and Fusion, together with two important flaws that might result in code execution.
Tracked as CVE-2024-22252 and CVE-2024-22253, the vulnerabilities have been described as use-after-free bugs within the XHCI USB controller. They carry a CVSS rating of 9.3 for Workstation and Fusion, and eight.4 for ESXi methods.
“A malicious actor with native administrative privileges on a digital machine might exploit this challenge to execute code because the digital machine’s VMX course of working on the host,” the corporate mentioned in a brand new advisory.
“On ESXi, the exploitation is contained throughout the VMX sandbox whereas, on Workstation and Fusion, this will likely result in code execution on the machine the place Workstation or Fusion is put in.”
A number of safety researchers related to the Ant Group Gentle-Yr Safety Lab and QiAnXin have been credited with independently discovering and reporting CVE-2024-22252. Safety researchers VictorV and Wei have been acknowledged for reporting CVE-2024-22253.
Additionally patched by the Broadcom-owned virtualization companies supplier are two different shortcomings –
- CVE-2024-22254 (CVSS rating: 7.9) – An out-of-bounds write vulnerability in ESXi {that a} malicious actor with privileges throughout the VMX course of might exploit to set off a sandbox escape.
- CVE-2024-22255 (CVSS rating: 7.1) – An data disclosure vulnerability within the UHCI USB controller that an attacker with administrative entry to a digital machine might exploit to leak reminiscence from the vmx course of.
The problems have been addressed within the following variations, together with people who have reached end-of-life (EoL) because of the severity of those points –
As a brief workaround till a patch might be deployed, prospects have been requested to take away all USB controllers from the digital machine.
“As well as, digital/emulated USB units, reminiscent of VMware digital USB stick or dongle, is not going to be accessible to be used by the digital machine,” the corporate mentioned. “In distinction, the default keyboard/mouse as enter units usually are not affected as they’re, by default, not related by means of USB protocol however have a driver that does software program machine emulation within the visitor OS.”
