Published: March 12, 2024
Overview
Several critical vulnerabilities have been identified in VMware ESXi, Workstation, and Fusion. The first, CVE-2024-22252, involves a use-after-free flaw in the XHCI USB controller, with a severity range deemed critical, scoring a maximum CVSS base score of 9.3 for Workstation/Fusion and 8.4 for ESXi.
Similarly, CVE-2024-22253 presents another use-after-free vulnerability, this time in the UHCI USB controller, with identical critical severity ratings and CVSS base scores. Another concern, CVE-2024-22254, pertains to an out-of-bounds write vulnerability within VMware ESXi, carrying a high severity rating with a maximum CVSS base score of 7.9.
Lastly, CVE-2024-22255 discloses an information vulnerability in the UHCI USB controller across ESXi, Workstation, and Fusion, rated with a high severity and a maximum CVSS base score of 7.1.
Impact
CVE-2024-22252 – A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.
CVE-2024-22253 – A malicious actor with administrative privileges on a virtual machine can exploit this vulnerability to execute code as the virtual machine’s VMX process on the host.
CVE-2024-22254 – A malicious actor with privileges within the VMX process may trigger and out-of-bounds write, leading to an escape of the sandbox.
CVE-2024-22255 – A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process.
Applicable Versions
| Affected Versions | Not Affected Versions |
|---|---|
| Earlier to ESXi 8.0 Update 1d | ESXi 8.0 Update 1d or ESXi 8.0 Update 2b. (Please refer to VMWare documentation for right upgrade path) |
| ESXi 7.0 | VMware ESXi 7.0 Update 3p |
| Workstation 17.x | Workstation 17.5.1 |
| Fusion 13.x | Fusion 13.5 |
Mitigations and Workarounds
The workaround is to remove all USB controllers from the Virtual Machine. As a result, USB passthrough functionality will be unavailable. Refer VMware knowledgebase KB96682 for details.
To Mitigate the issues, please install the updates provided by VMware.
Best Practices
Update latest security patches released by your vendors.
Netsurion Detection and Response
Netsurion’s vulnerability management system is collaborating with the vendors to update the vulnerability scanners to detect for customers who have subscribed to Netsurion Vulnerability Management.
References:
- https://www.vmware.com/security/advisories/VMSA-2024-0006.html
- https://kb.vmware.com/s/article/96682
- https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80u2b-release-notes/index.html
- https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80u1d-release-notes/index.html
- https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3p-release-notes/index.html