VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation products, allowing attackers to escape virtual machines and access the host operating system.
These types of flaws are critical as they could permit attackers to gain unauthorized access to the host system where a hypervisor is installed or access other virtual machines running on the same host, breaching their isolation.
The advisory outlines four vulnerabilities, tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255, with CVSS v3 scores ranging from 7.1 to 9.3, but all with a critical severity rating.
The four flaws can be summarized as follows:
- CVE-2024-22252 and CVE-2024-22253: Use-after free bugs in the XHCI and UHCI USB controllers (respectively), impacting Workstation/Fusion and ESXi. Exploitation requires local administrative privileges on a virtual machine and could allow an attacker to execute code as the VM’s VMX process on the host. On Workstation and Fusion, this could lead to code execution on the host machine.
- CVE-2024-22254: Out-of-bounds write flaw in ESXi, allowing an attacker with VMX process privileges to write outside the pre-determined memory region (bounds), potentially leading to sandbox escape.
- CVE-2024-22255: Information disclosure problem in the UHCI USB controller impacting ESXi, Workstation, and Fusion. This vulnerability could allow a malicious actor with administrative access to a VM to leak memory from the VMX process.
Impacted version products and fixed versions are listed in the table below:
A practical workaround to mitigate CVE-2024-22252, CVE-2024-22253, and CVE-2024-22255 is to remove USB controllers from virtual machines following the instructions provided by the vendor. Note that this may impact keyboard, mouse, and USB stick connectivity in some configurations.
It is worth noting that VMware has made security fixes available for older ESXi versions (6.7U3u), 6.5 (6.5U3v), and VCF 3.x due to the vulnerabilities’ severity.
Finally, the vendor published a FAQ to accompany the bulletin, emphasizing the importance of prompt patching and providing guidance on response planning and workaround/fix implementation for specific products and configurations.
VMware has neither observed nor received any reports indicating active exploitation of the four flaws. System admins are recommended to subscribe to the VMSA mailing list for proactive alerts in case the exploitation status changes.
