Critical Vulnerabilities in VMware Products

Published on 07 Mar 2024

VMware has released security updates addressing two critical vulnerabilities (CVE-2024-22252 and CVE-2024-22253) in their ESXi, Workstation, Fusion, and Cloud Foundation products.

The vulnerabilities are:

  • CVE-2024-22252 – A use-after-free vulnerability in the XHCI USB controller may allow an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host.
  • CVE-2024-22253 – A use-after-free vulnerability in the UHCI USB controller may allow an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host.

On VMware ESXi, successful exploitation of the vulnerabilities is contained within the VMX sandbox. However, on VMware Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

The vulnerabilities affect the following products:

  • VMware ESXi
  • VMware Workstation Pro / Player
  • VMware Fusion Pro / Fusion
  • VMware Cloud Foundation

Users and administrators of the affected products are advised to update to the latest versions immediately.

Users and administrators who are unable to update their affected products immediately are advised to remove all USB controllers from the virtual machine as a workaround.
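As an added check for the workaround above (example code, not VMware's own tooling), the script below audits a Workstation/Fusion .vmx file for virtual USB controllers and produces a copy with them disabled. It assumes the .vmx keys usb.present, ehci.present and usb_xhci.present enable the UHCI, EHCI and xHCI controllers respectively; on ESXi the controller is removed through the VM's settings rather than by editing files.

```python
import re

# .vmx key -> USB controller type it enables (keys as written by Workstation/Fusion; assumed)
USB_CONTROLLER_KEYS = {
    "usb.present": "UHCI (USB 1.1)",
    "ehci.present": "EHCI (USB 2.0)",
    "usb_xhci.present": "xHCI (USB 3.x)",
}

_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"?([^"]*)"?\s*$')  # key = "value", quotes optional

def parse_vmx(text: str) -> dict:
    """Parse .vmx text into {key: value}; keys lowercased for lookup."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and comments
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg

def usb_controllers_present(text: str) -> list:
    """List the USB controller types enabled in the .vmx text."""
    cfg = parse_vmx(text)
    return [name for key, name in USB_CONTROLLER_KEYS.items()
            if cfg.get(key, "").upper() == "TRUE"]

def disable_usb_controllers(text: str) -> str:
    """Return the .vmx text with every USB controller key set to FALSE (edit a powered-off VM only)."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).lower() in USB_CONTROLLER_KEYS:
            out.append(f'{m.group(1)} = "FALSE"')
        else:
            out.append(line)  # unrelated keys are left untouched
    return "\n".join(out) + "\n"

# Constructed sample .vmx fragment, not taken from a real VM
SAMPLE_VMX = '''\
usb.present = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "TRUE"
usb.pciSlotNumber = "32"
'''

if __name__ == "__main__":
    print("USB controllers present:", usb_controllers_present(SAMPLE_VMX) or "none")
    print(disable_usb_controllers(SAMPLE_VMX), end="")
```

Run it against each VM's .vmx file to find machines that still expose a USB controller, and keep a backup before writing the disabled copy back.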

More information is available here:

https://www.vmware.com/security/advisories/VMSA-2024-0006.html

https://kb.vmware.com/s/article/96682

https://www.securityweek.com/vmware-patches-critical-esxi-sandbox-escape-flaws/