VMware Issues Security Patches for ESXi, Workstation, and Fusion Flaws

2 months ago AndyC

Mar 06, 2024NewsroomSoftware Security / Vulnerability

VMware has released patches to address four security flaws impacting ESXi, Workstation, and Fusion, including two critical flaws that could lead to code execution.

VMware Issues Security Patches for ESXi, Workstation, and Fusion Flaws

Mar 06, 2024NewsroomSoftware Security / Vulnerability

VMware Issues Security Patches for ESXi, Workstation, and Fusion Flaws

VMware has released patches to address four security flaws impacting ESXi, Workstation, and Fusion, including two critical flaws that could lead to code execution.

Tracked as CVE-2024-22252 and CVE-2024-22253, the vulnerabilities have been described as use-after-free bugs in the XHCI USB controller. They carry a CVSS score of 9.3 for Workstation and Fusion, and 8.4 for ESXi systems.

“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the company said in a new advisory.

“On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”

Multiple security researchers associated with the Ant Group Light-Year Security Lab and QiAnXin have been credited with independently discovering and reporting CVE-2024-22252. Security researchers VictorV and Wei have been acknowledged for reporting CVE-2024-22253.

Cybersecurity

Also patched by the Broadcom-owned virtualization services provider are two other shortcomings –

  • CVE-2024-22254 (CVSS score: 7.9) – An out-of-bounds write vulnerability in ESXi that a malicious actor with privileges within the VMX process could exploit to trigger a sandbox escape.
  • CVE-2024-22255 (CVSS score: 7.9) – An information disclosure vulnerability in the UHCI USB controller that an attacker with administrative access to a virtual machine may exploit to leak memory from the vmx process.

The issues have been addressed in the following versions, including those that have reached end-of-life (EoL) due to the severity of these issues –

Cybersecurity

As a temporary workaround until a patch can be deployed, customers have been asked to remove all USB controllers from the virtual machine.

“In addition, virtual/emulated USB devices, such as VMware virtual USB stick or dongle, will not be available for use by the virtual machine,” the company said. “In contrast, the default keyboard/mouse as input devices are not affected as they are, by default, not connected through USB protocol but have a driver that does software device emulation in the guest OS.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , ,

More Stories

Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

22 hours ago AndyC
Bogus npm Packages Used to Trick Software Developers into Installing Malware

Bogus npm Packages Used to Trick Software Developers into Installing Malware

1 day ago AndyC
Severe Flaws Disclosed in Brocade SANnav SAN Management Software

Severe Flaws Disclosed in Brocade SANnav SAN Management Software

2 days ago AndyC
10 Critical Endpoint Security Tips You Should Know

10 Critical Endpoint Security Tips You Should Know

2 days ago AndyC
New 'Brokewell' Android Malware Spread Through Fake Browser Updates

New ‘Brokewell’ Android Malware Spread Through Fake Browser Updates

2 days ago AndyC
Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

2 days ago AndyC

You may have missed

Hackers may have accessed thousands of accounts on California state welfare platform

Hackers may have accessed thousands of accounts on California state welfare platform

16 hours ago AndyC

Major phishing-as-a-service platform disrupted – Week in security with Tony Anscombe

19 hours ago AndyC
Brokewell supports an extensive set of Device Takeover capabilities

Brokewell supports an extensive set of Device Takeover capabilities

22 hours ago AndyC
Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

22 hours ago AndyC
Bogus npm Packages Used to Trick Software Developers into Installing Malware

Bogus npm Packages Used to Trick Software Developers into Installing Malware

1 day ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.