VMware has patched a large number of security vulnerabilities affecting several of its key commercial products, and given that some of the flaws are high severity and would allow malicious actors to execute code remotely, the company advises users to apply patches immediately.
According to VMware's security advisory, the company patched four vulnerabilities: CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255. These flaws affect ESXi, Workstation, and Fusion products.
The first two are described as use-after-free flaws in the XHCI USB controller, affecting all three products. For Workstation and Fusion, they have a severity score of 9.3, while for ESXi it is 8.4.
Workarounds available
“A malicious actor with local administrative privileges on a virtual machine can exploit this issue to execute code as the virtual machine's VMX process running on the host,” the company said. “In ESXi, the exploitation is contained within the VMX sandbox, while in Workstation and Fusion, this can lead to code execution on the machine where Workstation or Fusion is installed.”
The two remaining flaws are an out-of-bounds write in ESXi (severity score 7.9) and an information disclosure vulnerability in the USB UHCI controller (severity score 7.9). Together they could be used to escape the sandbox and leak memory from the VMX process.
To close these holes, users should update the affected products to the following versions:
ESXi 6.5 – 6.5U3v
ESXi 6.7 – 6.7U3u
ESXi 7.0 – ESXi70U3p-23307199
ESXi 8.0 – ESXi80U2sb-23305545 and ESXi80U1d-23299997
VMware Cloud Foundation (VCF) 3.x
Workstation 17.x – 17.5.1
Fusion 13.x (macOS) – 13.5.1
Those who cannot apply the patch immediately should remove all USB drivers from their virtual machines as a workaround.
“In addition, virtual/emulated USB devices, such as the virtual USB stick or VMware dongle, will not be available for use in the virtual machine,” the company said. “In contrast, the default keyboard/mouse input device is not affected because, by default, they are not connected via the USB protocol, but have a driver that emulates the software device in the guest OS.”
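The workaround above, taking the USB controllers (xHCI and UHCI/EHCI) out of virtual machines that do not need them, is easiest to audit and apply fleet-wide with PowerCLI. The script below is an added example, not VMware's code or part of the advisory; it assumes PowerCLI is installed, a Connect-VIServer session is already open, and the function names are hypothetical.

```powershell
# Added example (not from VMware or the advisory). Assumes an existing
# Connect-VIServer session. Audit first: list every VM that still carries a
# USB controller, then remove the controllers from powered-off VMs only.

function Get-VMUsbController {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)]$VM)
    process {
        foreach ($dev in $VM.ExtensionData.Config.Hardware.Device) {
            # VirtualUSBController covers UHCI/EHCI (USB 1.1/2.0);
            # VirtualUSBXHCIController is the xHCI (USB 3.x) controller.
            if ($dev -is [VMware.Vim.VirtualUSBController] -or
                $dev -is [VMware.Vim.VirtualUSBXHCIController]) {
                [pscustomobject]@{
                    VM         = $VM.Name
                    PowerState = $VM.PowerState
                    Controller = $dev.GetType().Name
                    Label      = $dev.DeviceInfo.Label
                }
            }
        }
    }
}

function Remove-VMUsbController {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)]$VM)
    process {
        # Removing a controller also drops every emulated USB device behind it,
        # so only act on VMs that are already powered off.
        if ($VM.PowerState -ne 'PoweredOff') {
            Write-Warning "$($VM.Name): power off the VM before removing USB controllers"
            return
        }
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.DeviceChange = @()
        foreach ($dev in $VM.ExtensionData.Config.Hardware.Device) {
            if ($dev -is [VMware.Vim.VirtualUSBController] -or
                $dev -is [VMware.Vim.VirtualUSBXHCIController]) {
                $change = New-Object VMware.Vim.VirtualDeviceConfigSpec
                $change.Operation = [VMware.Vim.VirtualDeviceConfigSpecOperation]::remove
                $change.Device = $dev
                $spec.DeviceChange += $change
            }
        }
        if ($spec.DeviceChange.Count -gt 0) { $VM.ExtensionData.ReconfigVM($spec) }
    }
}

# Usage: report exposed VMs, then strip controllers from one VM once it is off.
Get-VM | Get-VMUsbController | Format-Table -AutoSize
# Get-VM -Name 'example-vm' | Remove-VMUsbController
```

Run the audit line on its own first; VMs that rely on USB passthrough or a USB licence dongle should be patched rather than stripped.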
Via TheHackerNews