VMware has patched four security vulnerabilities affecting several of its key virtualization products. Some of the flaws are high in severity and would allow an attacker who already has administrative privileges inside a guest virtual machine to execute code in the host-side VMX process (a virtual machine escape), so the company advises users to apply the patches immediately.
According to VMware’s security advisory (VMSA-2024-0006), the company patched four vulnerabilities: CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255. These flaws affect the ESXi, Workstation, and Fusion products.
The first two are use-after-free flaws in the emulated XHCI (CVE-2024-22252) and UHCI (CVE-2024-22253) USB controllers, affecting all three products. For Workstation and Fusion they carry a CVSSv3 severity score of 9.3, while for ESXi it is 8.4.
Workarounds available
“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the company said. “On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”
The other two flaws are an out-of-bounds write in ESXi (CVE-2024-22254, severity score 7.9) and an information disclosure vulnerability in the UHCI USB controller (CVE-2024-22255, severity score 7.9). The former could be used by an attacker already running inside the VMX process to escape the sandbox; the latter lets a VM administrator leak memory from the vmx process.
To close the flaws, users should bring the products to these versions (or later):
ESXi 6.5 – 6.5U3v
ESXi 6.7 – 6.7U3u
ESXi 7.0 – ESXi70U3p-23307199
ESXi 8.0 – ESXi80U2sb-23305545 and ESXi80U1d-23299997
VMware Cloud Foundation (VCF) 3.x – apply the corresponding ESXi patch to the VCF-managed hosts (see VMware’s advisory for the VCF procedure)
Workstation 17.x – 17.5.1
Fusion 13.x (macOS) – 13.5.1
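Checking a fleet of ESXi hosts by eye against the build numbers above is error-prone, so here is an added PowerCLI example (not part of the article or of VMware's advisory) that reports which hosts are still below the fixed builds. It assumes an existing Connect-VIServer session. Only the 7.0 and 8.0 thresholds are encoded, taken from the build numbers in the list above; 6.5 and 6.7 hosts are reported for manual comparison against 6.5U3v and 6.7U3u.

```powershell
# Added example, not VMware's code. Assumes Connect-VIServer has already been run.
function Test-EsxiFixedBuild {
    param(
        [Parameter(Mandatory)][string]$Version,   # e.g. "7.0.3"
        [Parameter(Mandatory)][string]$Build      # e.g. "23307199"
    )
    # Lowest fixed build per major line, from the fixed-version list above.
    # ESXi build numbers increase monotonically across releases, so "at or
    # above the lowest fixed build" is a valid test. For 8.0 the lower of the
    # two fixed builds (ESXi80U1d-23299997) is used so that both the U1d and
    # the U2sb (23305545) patch lines pass.
    $fixed = @{ '7.0' = 23307199; '8.0' = 23299997 }

    $major = ($Version -split '\.')[0..1] -join '.'
    if (-not $fixed.ContainsKey($major)) { return 'CheckManually' }   # 6.5 / 6.7
    if ([int64]$Build -ge $fixed[$major]) { return 'Fixed' }
    return 'Vulnerable'
}

Get-VMHost | ForEach-Object {
    [pscustomobject]@{
        Host    = $_.Name
        Version = $_.Version
        Build   = $_.Build
        Status  = Test-EsxiFixedBuild -Version $_.Version -Build $_.Build
    }
} | Sort-Object Status | Format-Table -AutoSize
```

A host reported as Vulnerable that cannot be patched right away is a candidate for the USB-controller workaround described in the next section.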
Those who are unable to apply the patch immediately should remove all USB controllers from their virtual machines as a temporary workaround; this removes the emulated XHCI and UHCI devices in which the flaws live.
“In addition, virtual/emulated USB devices, such as VMware virtual USB stick or dongle, will not be available for use by the virtual machine,” the company said. “In contrast, the default keyboard/mouse as input devices are not affected as they are, by default, not connected through USB protocol but have a driver that does software device emulation in the guest OS.
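Removing USB controllers from every VM by hand in the vSphere Client does not scale, so here is an added PowerCLI example (not part of the article or of VMware's advisory) that lists every VM still carrying a USB controller and, when run with -Remove, strips the controllers through the vSphere reconfigure API. It assumes an existing Connect-VIServer session and uses the standard VMware.Vim device classes (VirtualUSBController for UHCI/EHCI, VirtualUSBXHCIController for xHCI, VirtualUSB for passthrough devices). Removal is limited to powered-off VMs, since a USB controller is not a hot-removable device.

```powershell
# Added example, not VMware's code. Assumes Connect-VIServer has already been run.
# Without -Remove the script only reports; with -Remove it reconfigures powered-off VMs.
param(
    [switch]$Remove
)

foreach ($vm in Get-VM) {
    $devices = $vm.ExtensionData.Config.Hardware.Device
    # Both controller classes must be checked: xHCI is a separate class, not a subclass of VirtualUSBController.
    $ctrls = @($devices | Where-Object {
        $_ -is [VMware.Vim.VirtualUSBController] -or $_ -is [VMware.Vim.VirtualUSBXHCIController]
    })
    if ($ctrls.Count -eq 0) { continue }

    $names = ($ctrls | ForEach-Object { $_.GetType().Name }) -join ', '
    Write-Output ("{0}: {1} ({2})" -f $vm.Name, $names, $vm.PowerState)

    if (-not $Remove) { continue }
    if ($vm.PowerState -ne 'PoweredOff') {
        Write-Warning "$($vm.Name): USB controller removal needs the VM powered off; skipping"
        continue
    }

    # Passthrough USB devices hang off the controller, so remove them in the same reconfigure.
    $usbDevices = @($devices | Where-Object { $_ -is [VMware.Vim.VirtualUSB] })
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.DeviceChange = foreach ($dev in ($usbDevices + $ctrls)) {
        $change = New-Object VMware.Vim.VirtualDeviceConfigSpec
        $change.Operation = [VMware.Vim.VirtualDeviceConfigSpecOperation]::remove
        $change.Device = $dev
        $change
    }
    $vm.ExtensionData.ReconfigVM($spec)
    Write-Output ("{0}: removed {1} USB device(s) and controller(s)" -f $vm.Name, ($usbDevices.Count + $ctrls.Count))
}
```

Run it once without -Remove to get an inventory, then schedule a maintenance window for the powered-on VMs it lists; as VMware notes above, the default keyboard and mouse keep working after the controllers are gone, but any USB stick, dongle or passthrough device attached to the VM will not.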
Via TheHackerNews