VMware patches critical flaws that could allow attackers to escape VMs

VMware has released fixes for several flaws that together could allow attackers to execute malicious code on the host system from inside a virtual machine, bypassing the critical isolation layer. Some of the flaws are in the virtualized USB controllers, so they impact most VMware hypervisors: VMware ESXi, VMware Workstation, VMware Fusion, and VMware Cloud Foundation.

Attacker groups have exploited vulnerabilities in VM products before, including to deploy ransomware. In January it was revealed that a Chinese cyberespionage group had been exploiting a critical remote code execution vulnerability in VMware vCenter Server for 18 months before it was patched in October last year.

Flaws in VMware USB controllers

The new security patches released this week address two use-after-free memory vulnerabilities in the UHCI USB and XHCI USB controllers: CVE-2024-22252 and CVE-2024-22253. These are the virtualized controllers that enable the use of USB devices inside VMware virtual machines. Both flaws are rated 9.3 out of 10 on the CVSS severity scale.

“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” VMware said in its advisory. “On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”

Although the VMX process is sandboxed on ESXi, this doesn’t completely limit the risk of remote code execution, because a third vulnerability could allow attackers to escape the VMX sandbox. This is an out-of-bounds write vulnerability tracked as CVE-2024-22254 and rated 7.9 in severity.

A fourth vulnerability, an information disclosure flaw in the UHCI USB controller (CVE-2024-22255), has also been patched. This flaw can be used to leak memory from the VMX process and is rated 7.1.
