VMware Releases Critical Security Patches for ESXi, Workstation, and Fusion Vulnerabilities

VMware has issued security patches (advisory VMSA-2024-0006) for four vulnerabilities affecting its ESXi, Workstation, and Fusion products. The two most severe, CVE-2024-22252 and CVE-2024-22253, are use-after-free bugs in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine can exploit them to execute code as the virtual machine's VMX process running on the host. The CVSS v3.1 base score is 9.3 (critical) for Workstation and Fusion, where that amounts to code execution on the machine running the hypervisor, and 8.4 (high) for ESXi, where the exploit is contained within the VMX sandbox.

VMware also patched CVE-2024-22254 and CVE-2024-22255, both rated 7.9 (high). CVE-2024-22254 is an out-of-bounds write in ESXi that could let a malicious actor who already holds privileges within the VMX process escape the sandbox; it is the natural second stage for an attacker who reached VMX through the XHCI bugs above. CVE-2024-22255 is an information-disclosure bug in the UHCI USB controller: a malicious actor with administrative access to a virtual machine can use it to leak memory from the VMX process.

Affected Systems

VMware ESXi, VMware Workstation and VMware Fusion (see the VMware advisory for the affected and fixed version lists).

IoCs

-

Recommended Solution(s)

Apply the patched versions listed in the VMware advisory; that is the only complete fix. Where patching has to wait, VMware's documented workaround is to remove all USB controllers from affected virtual machines. With no USB controller configured, the vulnerable XHCI and UHCI emulation code is never reached, but virtual or emulated USB devices, such as VMware virtual USB sticks, dongles and pass-through devices, become unavailable to the guest. The default keyboard and mouse keep working: by default they are not presented to the guest over USB, but through a non-USB input device whose guest driver performs the software device emulation. Test the change on a non-production VM first, and plan separately for workloads that depend on USB pass-through.
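As an added example (not VMware's tooling and not part of the original page), the following Python script audits VMware .vmx configuration files for the three USB controllers (UHCI, EHCI and xHCI) and writes a hardened copy with the controllers disabled and their attached virtual USB devices removed, leaving disks, NICs and every other setting untouched. It relies on the standard .vmx keys usb.present, ehci.present and usb_xhci.present plus the usb:N.*, ehci:N.* and usb_xhci:N.* device entries; the sample configuration embedded in it is constructed. On ESXi the authoritative way to make the change is through the vSphere Client or vCenter with the VM powered off, so there the script is best used to audit datastore .vmx files; on Workstation and Fusion editing the .vmx of a powered-off VM produces the same result as removing the controller in the VM settings dialog.

```python
"""Audit VMware .vmx files for USB controllers and emit a hardened copy.

Added example, not VMware's own tooling. Uses the standard .vmx keys
usb.present (UHCI), ehci.present (EHCI) and usb_xhci.present (xHCI), and the
usb:N.* / ehci:N.* / usb_xhci:N.* keys describing devices attached to them.
"""
import re
import sys
from typing import List, Tuple

# Controller enable keys (lower-case) -> label used in the report.
USB_CONTROLLER_KEYS = {
    "usb.present": "UHCI (CVE-2024-22255)",
    "ehci.present": "EHCI",
    "usb_xhci.present": "xHCI (CVE-2024-22252, CVE-2024-22253)",
}

# Devices hanging off a controller, e.g. usb:0.deviceType or usb_xhci:4.present.
USB_DEVICE_RE = re.compile(r"^(usb|ehci|usb_xhci):\d+\.", re.IGNORECASE)

# A .vmx line is   key = "value"   ; blank/comment lines are passed through.
VMX_LINE_RE = re.compile(r'^\s*([^=\s]+)\s*=\s*"(.*)"\s*$')

# Constructed sample: all three controllers plus a HID and two hubs.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "21"
displayName = "constructed-sample-vm"
scsi0.present = "TRUE"
ethernet0.present = "TRUE"
usb.present = "TRUE"
usb:0.present = "TRUE"
usb:0.deviceType = "hid"
usb:1.deviceType = "hub"
ehci.present = "TRUE"
usb_xhci.present = "TRUE"
usb_xhci:4.deviceType = "hub"
"""


def parse_vmx(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs in file order; non key/value lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = VMX_LINE_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def find_usb_controllers(text: str) -> List[str]:
    """List the enabled USB controller keys (lower-cased), in file order."""
    enabled = []
    for key, value in parse_vmx(text):
        k = key.lower()
        if k in USB_CONTROLLER_KEYS and value.strip().upper() == "TRUE":
            enabled.append(k)
    return enabled


def harden_vmx(text: str) -> str:
    """Disable every USB controller and drop the devices attached to them.

    All other lines are preserved verbatim. The default keyboard and mouse are
    unaffected because they are not USB devices in a default .vmx.
    """
    out = []
    for line in text.splitlines():
        m = VMX_LINE_RE.match(line)
        if not m:
            out.append(line)
            continue
        key = m.group(1)
        if key.lower() in USB_CONTROLLER_KEYS:
            out.append(f'{key} = "FALSE"')  # keep the key, switch the controller off
        elif USB_DEVICE_RE.match(key):
            continue                        # device would be orphaned; remove it
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def audit(text: str, name: str) -> bool:
    """Print a one-line report; True if the VM still exposes a USB controller."""
    found = find_usb_controllers(text)
    if not found:
        print(f"{name}: no USB controller present")
        return False
    labels = ", ".join(USB_CONTROLLER_KEYS[k] for k in found)
    print(f"{name}: USB attack surface present -> {labels}")
    return True


if __name__ == "__main__":
    # Usage: python vmx_usb_audit.py [file.vmx ...]   (no args: run on the sample)
    paths = sys.argv[1:]
    if not paths:
        audit(SAMPLE_VMX, "sample")
        hardened = harden_vmx(SAMPLE_VMX)
        audit(hardened, "sample (hardened)")
        print(hardened, end="")
    else:
        for path in paths:
            with open(path, encoding="utf-8", errors="replace") as fh:
                audit(fh.read(), path)
```

Run it with no arguments to see the constructed sample before and after hardening, or pass one or more .vmx paths to audit real files. The hardening pass is idempotent, so it can be re-run safely, and after applying it a quick boot of the VM confirms that keyboard and mouse still work while USB pass-through devices are gone.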

CVE / CWE

CVE-2024-22252 and CVE-2024-22253 (use-after-free, CWE-416), CVE-2024-22254 (out-of-bounds write, CWE-787) and CVE-2024-22255 (information disclosure)

Related Website(s)

* Vulnerabilities with a CVSS 3.1 base score between 7.0 and 8.9 are rated "high"; those with a score between 9.0 and 10.0 are rated "critical". On that scale only the Workstation and Fusion exposure to CVE-2024-22252 and CVE-2024-22253 (9.3) is critical; every ESXi score in this advisory is high.