VMware has released patches to address four security flaws impacting ESXi, Workstation, and Fusion, including two critical flaws that could lead to code execution.
Tracked as CVE-2024-22252 and CVE-2024-22253, the vulnerabilities were described as use-after-free bugs in the XHCI USB controller. They have a CVSS score of 9.3 for Workstation and Fusion and 8.4 for ESXi systems.
“A malicious actor with local administrator privileges on a virtual machine can exploit this issue to execute code as a virtual machine VMX process running on the host,” the company said in a new advisory.
“On ESXi, the exploitation is contained in the VMX sandbox while, on Workstation and Fusion, this can lead to code execution on the machine where Workstation or Fusion is installed.”
Several security researchers associated with the Ant Group Light-Year Security Lab and QiAnXin have been credited with independently discovering and reporting CVE-2024-22252. Security researchers VictorV and Wei have been credited with reporting CVE-2024-22253.
The Broadcom-owned virtualization services provider also addressed two other flaws:
- CVE-2024-22254 (CVSS Score: 7.9) – An out-of-bounds write vulnerability in ESXi that a malicious actor with privileges within the VMX process could exploit to trigger a sandbox escape.
- CVE-2024-22255 (CVSS Score: 7.1) – An information disclosure vulnerability in the USB UHCI controller that an attacker with administrative access to a virtual machine can exploit to leak memory from the vmx process.
Because of the severity of the flaws, VMware has also issued fixes for releases that have already reached End of Life (EoL). The issues have been resolved in the following releases:
As a temporary workaround until a patch can be deployed, customers have been advised to remove all USB controllers from the virtual machine. Note that this mitigates only the USB controller flaws (CVE-2024-22252, CVE-2024-22253 and CVE-2024-22255); it does not address CVE-2024-22254, which is an out-of-bounds write in ESXi itself rather than in the emulated USB hardware, so patching remains the only fix for that one.
“Additionally, virtual/emulated USB devices, such as the VMware virtual USB stick or dongle, will not be available for use by the virtual machine,” the company said. “In contrast, the default keyboard/mouse as input devices are not affected since, by default, they are not connected via USB protocol but have a driver that performs software device emulation in the guest operating system.”
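The workaround above amounts to a configuration change in each VM's `.vmx` file: the three emulated USB controllers are enabled by `usb.present` (UHCI, USB 1.1, the controller affected by CVE-2024-22255), `ehci.present` (EHCI, USB 2.0) and `usb_xhci.present` (xHCI, USB 3.x, the controller affected by CVE-2024-22252 and CVE-2024-22253), and attached virtual or passthrough USB devices appear as `usb:N.*` / `usb_xhci:N.*` entries. The script below is an added example, not VMware's tooling or anything from the advisory or its KB article: it audits a `.vmx` for enabled USB controllers and attached USB devices and emits a hardened copy with all controllers disabled and the device entries dropped. The sample `.vmx` is constructed for illustration; the key names are the standard VMX keys, and the helper names (`usb_controllers`, `usb_devices`, `harden_vmx`) are this example's own.

```python
"""Audit a VMware .vmx file for USB controllers and produce a hardened copy.

Added example for the VMSA-2024-0006 workaround (remove all USB controllers).
Not VMware's tooling. Assumes the standard .vmx keys usb.present (UHCI),
ehci.present (EHCI) and usb_xhci.present (xHCI), plus per-device entries of the
form usb:N.* / usb_xhci:N.*. SAMPLE_VMX below is constructed, not a real VM.
"""
import re
from typing import Dict, List, Tuple

# Controller-enable keys and the emulated controller each one switches on.
CONTROLLER_KEYS = {
    "usb.present": "UHCI (USB 1.1)",
    "ehci.present": "EHCI (USB 2.0)",
    "usb_xhci.present": "xHCI (USB 3.x)",
}
# Attached virtual/passthrough USB devices hang off a controller: usb:0.present, usb_xhci:4.deviceType ...
DEVICE_KEY_RE = re.compile(r"^(usb|ehci|usb_xhci):\d+\.", re.IGNORECASE)
# A .vmx line is   key = "value"   (keys may contain '.', ':' and '_').
LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

# Constructed sample: a VM with all three controllers and a few USB devices attached.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "21"
displayName = "lab-web01"
usb.present = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "TRUE"
usb:0.present = "TRUE"
usb:0.deviceType = "hid"
usb:1.present = "TRUE"
usb:1.deviceType = "hub"
usb_xhci:4.present = "TRUE"
usb_xhci:4.deviceType = "hid"
usb_xhci:4.port = "4"
"""


def parse_vmx(text: str) -> List[Tuple[str, str]]:
    """Return the (key, value) pairs of a .vmx in file order, skipping blank/comment lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def usb_controllers(text: str) -> Dict[str, str]:
    """Return the enabled USB controllers as {vmx_key: controller description}."""
    found = {}
    for key, value in parse_vmx(text):
        name = CONTROLLER_KEYS.get(key.lower())
        if name and value.strip().upper() == "TRUE":
            found[key.lower()] = name
    return found


def usb_devices(text: str) -> List[str]:
    """Return the attached USB device slots (e.g. 'usb:1', 'usb_xhci:4'), sorted."""
    slots = {key.split(".")[0].lower() for key, _ in parse_vmx(text) if DEVICE_KEY_RE.match(key)}
    return sorted(slots)


def harden_vmx(text: str) -> str:
    """Return the .vmx with every USB controller set to FALSE and all USB device entries removed.

    Controller keys that were absent are appended as FALSE so the state is explicit.
    Everything else (including comments) is preserved in its original order.
    """
    out, seen = [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            out.append(line)  # keep comments and blank lines untouched
            continue
        key = m.group(1)
        if DEVICE_KEY_RE.match(key):
            continue  # drop virtual/passthrough USB devices: they need a controller anyway
        if key.lower() in CONTROLLER_KEYS:
            seen.add(key.lower())
            out.append(f'{key} = "FALSE"')
        else:
            out.append(line)
    for key in CONTROLLER_KEYS:
        if key not in seen:
            out.append(f'{key} = "FALSE"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("enabled controllers:", usb_controllers(SAMPLE_VMX))
    print("attached USB devices:", usb_devices(SAMPLE_VMX))
    print("--- hardened .vmx ---")
    print(harden_vmx(SAMPLE_VMX), end="")
```

Run the audit across a directory of `.vmx` files to find VMs that still expose a USB controller, then apply the hardened output only with the VM powered off and a backup of the original file; on ESXi the supported route is the VM hardware editor in the vSphere Client, since a registered VM's `.vmx` is re-read only on reload. Remember that USB passthrough and emulated USB devices stop working once the controllers are gone, while the default keyboard and mouse keep working for the reason quoted above.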