VMware has released fixes for several flaws that together could allow attackers to execute malicious code on the host system from inside a virtual machine, bypassing the critical isolation layer. Some of the flaws are in the virtualized USB controllers, so they affect most VMware hypervisors: VMware ESXi, VMware Workstation, VMware Fusion, and VMware Cloud Foundation.
Attacker groups have exploited vulnerabilities in VM products before, including to deploy ransomware. In January it was revealed that a Chinese cyberespionage group had been exploiting a critical remote code execution vulnerability in VMware vCenter Server for 18 months before it was patched in October last year.
Flaws in VMware USB controllers
The new security patches released this week address two use-after-free memory vulnerabilities in the UHCI USB and XHCI USB controllers: CVE-2024-22252 and CVE-2024-22253. These are the virtualized controllers that enable the use of USB devices inside VMware virtual machines. Both flaws are rated 9.3 out of 10 on the CVSS severity scale.
“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” VMware said in its advisory. “On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”
Although the VMX process is sandboxed on ESXi, this doesn’t completely limit the risk of remote code execution because of a third vulnerability that could allow attackers to escape the VMX sandbox. This is an out-of-bounds write vulnerability tracked as CVE-2024-22254 and rated 7.9 in severity.
A fourth vulnerability, an information disclosure flaw (CVE-2024-22255), has also been patched in the UHCI USB controller. This flaw can be used to leak memory from the VMX process and is rated 7.1.