VMware has released patches to address four security flaws impacting ESXi, Workstation, and Fusion, including two critical flaws that could lead to code execution.
Tracked as CVE-2024-22252 and CVE-2024-22253, the vulnerabilities have been described as use-after-free bugs in the XHCI USB controller. They carry a CVSS score of 9.3 for Workstation and Fusion, and 8.4 for ESXi systems.
“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the company said in a new advisory.
“On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”
Multiple security researchers associated with the Ant Group Light-Year Security Lab and QiAnXin have been credited with independently discovering and reporting CVE-2024-22252. Security researchers VictorV and Wei have been acknowledged for reporting CVE-2024-22253.
Also patched by the Broadcom-owned virtualization services provider are two other shortcomings –
- CVE-2024-22254 (CVSS score: 7.9) – An out-of-bounds write vulnerability in ESXi that a malicious actor with privileges within the VMX process could exploit to trigger a sandbox escape.
- CVE-2024-22255 (CVSS score: 7.9) – An information disclosure vulnerability in the UHCI USB controller that an attacker with administrative access to a virtual machine may exploit to leak memory from the vmx process.
The issues have been addressed in the following versions, including those that have reached end-of-life (EoL) due to the severity of these issues –
As a temporary workaround until a patch can be deployed, customers have been asked to remove all USB controllers from the virtual machine.
“In addition, virtual/emulated USB devices, such as VMware virtual USB stick or dongle, will not be available for use by the virtual machine,” the company said. “In contrast, the default keyboard/mouse as input devices are not affected as they are, by default, not connected through USB protocol but have a driver that does software device emulation in the guest OS.”