
VMware patches critical, important bugs in ESXi, Workstation and Fusion


VMware on March 5 issued patches for a pair of flaws it rated in the “critical” and “important” severity ranges for VMware ESXi, Workstation, and Fusion.

VMware explained in an advisory to its customers that ESXi, Workstation, and Fusion contain a “use-after-free” vulnerability in the XHCI USB controller filed with NIST as CVE-2024-22252.

VMware evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.3 for Workstation/Fusion, and in the important severity range with a maximum CVSSv3 base score of 8.4 for ESXi. A second flaw — CVE-2024-22253 — was given the same set of CVSSv3 scores by VMware.

In both cases, VMware said a malicious actor with local administrative privileges on a virtual machine may exploit these issues to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation has been contained within the VMX Sandbox, while on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

The vendor also fixed an “important-severity” out-of-bounds write flaw in ESXi, CVE-2024-22254, which could let a threat actor with privileges within the VMX process trigger an out-of-bounds write, potentially leading to a sandbox escape if exploited.

And finally, VMware patched an “important-severity” information disclosure bug in the UHCI USB controller, CVE-2024-22255. This flaw could let attackers leak memory from the VMX process, but they would need administrative access to a virtual machine.

VMware issued updates to these vulnerabilities for all the affected products.

VMware's broad use a cause for concern

With estimates suggesting that millions of organizations and every Fortune 500 company use its virtualization products, the popularity of VMware makes the recent discovery of critical vulnerabilities CVE-2024-22252 and CVE-2024-22253 a cause for significant concern, said Sarah Jones, cyber threat intelligence research analyst at Critical Start. Jones said these flaws are classified as critical because they can be exploited with relative ease and have the potential to cause severe damage.

“An attacker who already has local administrative privileges on a virtual machine could potentially leverage these vulnerabilities to bypass security measures designed to isolate virtual machines from the underlying physical system,” explained Jones. “This successful exploitation could grant them unauthorized access to the host machine itself. Once inside the host system, attackers could steal sensitive data stored there, disrupt critical operations by manipulating or deleting files, or even use the compromised host as a launchpad to move laterally and attack other systems within the network.”

Jones added that while patching these vulnerabilities is paramount, it's important to acknowledge that the patching process itself can be disruptive. Applying security patches may require taking critical systems offline for a period of time, potentially impacting business continuity, said Jones.

“Additionally, some temporary workarounds, such as removing USB controllers from virtual machines, might have limitations or create unintended consequences, however, the potential consequences of not patching these vulnerabilities far outweigh the challenges associated with patching,” said Jones.
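The USB-controller workaround Jones refers to can be inventoried before it is applied. The script below is an added example, not part of the article or of VMware's own tooling; it assumes only the standard .vmx keys (usb.present, ehci.present, usb_xhci.present) that enable the UHCI, EHCI and xHCI virtual controllers, and the sample .vmx fragments are constructed.

```python
"""Inventory check for the USB-controller workaround: scan VMware .vmx
configuration text for the keys that enable the UHCI (usb.present),
EHCI (ehci.present) and xHCI (usb_xhci.present) controllers, so a
defender can list which VMs still expose the affected device emulation
until the ESXi / Workstation / Fusion patches are rolled out."""
import re
from typing import Dict, List

# Standard .vmx keys that enable each virtual USB controller.
USB_CONTROLLER_KEYS = {
    "usb.present": "UHCI",
    "ehci.present": "EHCI",
    "usb_xhci.present": "xHCI",
}

# key = "value"  (quotes optional); VMX keys are matched case-insensitively.
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse .vmx text into a lower-cased key -> value mapping, skipping comments."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _VMX_LINE.match(line)
        if m:
            config[m.group(1).lower()] = m.group(2).strip()
    return config


def usb_controllers_present(text: str) -> List[str]:
    """Return the names of the USB controllers enabled in one .vmx file."""
    config = parse_vmx(text)
    return [name for key, name in USB_CONTROLLER_KEYS.items()
            if config.get(key, "").upper() == "TRUE"]


def report(vmx_files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map VM name -> enabled USB controllers, listing only VMs that have any."""
    result: Dict[str, List[str]] = {}
    for vm, text in vmx_files.items():
        controllers = usb_controllers_present(text)
        if controllers:
            result[vm] = controllers
    return result


# Constructed sample .vmx fragments (hypothetical VMs, not a real deployment).
SAMPLE_VMX = {
    "db-server": 'usb.present = "TRUE"\nusb_xhci.present = "TRUE"\nehci.present = "FALSE"\n',
    "web-frontend": 'usb.present = "FALSE"\n# usb_xhci.present = "TRUE"\n',
    "build-agent": 'EHCI.present = "true"\n',
}

if __name__ == "__main__":
    for vm, controllers in report(SAMPLE_VMX).items():
        print(f"{vm}: {', '.join(controllers)}")
```

Run it against the .vmx files exported from your own inventory; VMs listed here are the ones the workaround would touch, and each removal should be weighed against the operational impact Jones describes.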
