VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation products, allowing attackers to escape virtual machines and access the host operating system.
These types of flaws are critical as they could permit attackers to gain unauthorized access to the host system where a hypervisor is installed or access other virtual machines running on the same host, breaching their isolation.
The advisory outlines four vulnerabilities, tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255, with CVSS v3 scores ranging from 7.1 to 9.3, but all with a critical severity rating.
The four flaws can be summarized as follows:
- CVE-2024-22252 and CVE-2024-22253: Use-after free bugs in the XHCI and UHCI USB controllers (respectively), impacting Workstation/Fusion and ESXi. Exploitation requires local administrative privileges on a virtual machine and could allow an attacker to execute code as the VM's VMX process on the host. On Workstation and Fusion, this could lead to code execution on the host machine.
- CVE-2024-22254: Out-of-bounds write flaw in ESXi, allowing an attacker with VMX process privileges to write outside the pre-determined memory region (bounds), potentially leading to sandbox escape.
- CVE-2024-22255: Information disclosure problem in the UHCI USB controller impacting ESXi, Workstation, and Fusion. This vulnerability could allow a malicious actor with administrative access to a VM to leak memory from the VMX process.
Impacted version products and fixed versions are listed in the table below:
A practical workaround to mitigate CVE-2024-22252, CVE-2024-22253, and CVE-2024-22255 is to remove USB controllers from virtual machines following the instructions provided by the vendor. Note that this may impact keyboard, mouse, and USB stick connectivity in some configurations.
It is worth noting that VMware has made security fixes available for older ESXi versions (6.7U3u), 6.5 (6.5U3v), and VCF 3.x due to the vulnerabilities' severity.
Finally, the vendor published a FAQ to accompany the bulletin, emphasizing the importance of prompt patching and providing guidance on response planning and workaround/fix implementation for specific products and configurations.
VMware has neither observed nor received any reports indicating active exploitation of the four flaws. System admins are recommended to subscribe to the VMSA mailing list for proactive alerts in case the exploitation status changes.
Comments
ruslanp - 1 month ago
> Note that this may impact keyboard, mouse, and USB stick connectivity in some configurations.
from the vendor: "In contrast, the default keyboard/mouse as input devices are not affected as they are, by default, not connected through USB protocol but have a driver that does software device emulation in the guest OS."
Bill_Toulas - 1 month ago
And further down on the same page it reads:
"Certain guest operating systems, including Mac OS, do not support using a PS/2 mouse and keyboard. These guest operating systems will be left without a mouse and keyboard without a USB controller."
hence the "may impact [...] in some configurations"
h_b_s - 1 month ago
It's also possible to build the Linux kernel without legacy AT & PS/2 support. By default it's been an optional module since v. 3.13 back in 2014ish. Most distros include it in their generic initramfs for compatibility reasons, but I can think of any number of reasons why an admin may wish to exclude it from some environments even if it's not a low resource embedded system.
I don't know if the three main BSDs allow this exclusion, as I haven't looked in a very long time at manual customized kernels for them.