VMware announced that it has issued a patch for a heap-overflow vulnerability in its ESXi hypervisor (versions 6.5, 6.7 and 7.0), Fusion 12.x, Workstation 16.x and VMware Cloud Foundation (ESXi) 4.x and 3.x, products that together cover users on Mac, Windows and Linux, according to Threatpost.
Tracked as CVE-2021-22045 and carrying a 7.7 out of 10 CVSS rating, the flaw is located in the products' CD-ROM device emulation. According to VMware's advisory, an attacker who already has access to a virtual machine with CD-ROM emulation enabled may be able to exploit it, in conjunction with other issues, to execute code on the hypervisor from inside that virtual machine; in other words, it is a guest-to-host escape primitive rather than a standalone remote attack.
“Successful exploitation requires a CD image to be attached to the virtual machine,” the company added.
Reno Robert, a researcher with Trend Micro’s Zero Day Initiative, noted that a successful RCE would not give attackers control over the data written, which would limit the ways they could exploit the flaw.
As a workaround, VMware called on companies to disable or disconnect CD-ROM/DVD devices on all virtual machines, which can be done from the vCenter Server system: edit each virtual machine's settings and clear the device's "Connected" and "Connect at power on" options, or remove the device entirely.
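Doing that by hand for every virtual machine is error-prone, so below is an added PowerCLI example (not code from VMware or from the Threatpost article) that first audits which virtual machines still have a connected CD/DVD drive and then applies the workaround fleet-wide. It assumes the VMware.PowerCLI module is installed, that `vcenter.example.internal` is a placeholder for your vCenter Server, and that the account used has permission to edit virtual-machine hardware; the `-StartConnected` call is issued separately from `-NoMedia` because the two are handled as distinct settings on the drive.

```powershell
# Added example: audit and disconnect CD/DVD drives across a vCenter inventory
# as the interim workaround for CVE-2021-22045. Hostname and credentials are
# placeholders (assumption), not values from the original article.
Import-Module VMware.PowerCLI

$vcenter = 'vcenter.example.internal'   # placeholder vCenter Server FQDN
Connect-VIServer -Server $vcenter | Out-Null

# Step 1: audit. A drive is a risk only if it is currently connected, or will
# reconnect at next power-on; report both so nothing is silently missed.
$exposed = Get-VM | Get-CDDrive | Where-Object {
    $_.ConnectionState.Connected -or $_.ConnectionState.StartConnected
}

Write-Host ("{0} CD/DVD drive(s) connected or set to connect at power-on:" -f $exposed.Count)
$exposed | Select-Object @{N='VM';E={$_.Parent.Name}},
                         Name,
                         IsoPath,
                         HostDevice,
                         @{N='Connected';E={$_.ConnectionState.Connected}},
                         @{N='StartConnected';E={$_.ConnectionState.StartConnected}} |
    Format-Table -AutoSize

# Step 2: remediate. Eject any attached image (-NoMedia detaches the ISO or
# host device and disconnects the drive), then make sure the drive does not
# reconnect on the next power cycle. Remove -WhatIf to actually apply.
foreach ($drive in $exposed) {
    $drive | Set-CDDrive -NoMedia -Confirm:$false -WhatIf
    $drive | Set-CDDrive -StartConnected:$false -Confirm:$false -WhatIf
}

# Step 3: re-check so the change is verified rather than assumed.
$remaining = Get-VM | Get-CDDrive | Where-Object {
    $_.ConnectionState.Connected -or $_.ConnectionState.StartConnected
}
Write-Host ("{0} drive(s) still exposed after remediation." -f $remaining.Count)

Disconnect-VIServer -Server $vcenter -Confirm:$false
```

Run it once with `-WhatIf` in place to see which virtual machines would be touched, then remove the two `-WhatIf` switches to apply the change. Note that detaching media from a guest that is mid-install or relying on a mounted ISO will interrupt that workload, so the audit output is worth reviewing before remediation; the permanent fix is still to apply VMware's patch.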