Nynox advisory - Threat alert -
VMware ESXi, Fusion, Workstation
– Date: 5 March 2024 –
Threat Alert – VMware ESXi, Fusion, Workstation Multiple Vulnerabilities – VMware customers should take immediate action to patch their products. Read more below for details on the recent critical vulnerabilities.
On 5 March 2024 VMware published a security advisory (VMSA-2024-0006) covering four products (ESXi, Workstation, Fusion and Cloud Foundation) that are affected by four vulnerabilities: CVE-2024-22252, CVE-2024-22253, CVE-2024-22254 and CVE-2024-22255. The advisory as a whole is rated critical.
What’s going on?
⚠️ VMware has published multiple vulnerabilities, rated critical, in ESXi, Fusion and Workstation, and has released fixes even for versions that are out of support.
⚠️ CVE-2024-22252 (XHCI USB controller) and CVE-2024-22253 (UHCI USB controller) are use-after-free vulnerabilities. An attacker with local administrative privileges on a virtual machine can use them to execute code as that VM's VMX process on the host. On ESXi the VMX sandbox contains the exploit (score 8.4); on Workstation and Fusion it leads to code execution on the host machine (score 9.3).
⚠️ CVE-2024-22254 is an out-of-bounds write in ESXi (score 7.9) that lets an actor who already has privileges within the VMX process escape its sandbox; chained with one of the use-after-free bugs it turns a contained code execution into a compromise of the host. CVE-2024-22255 is an information disclosure vulnerability in the UHCI USB controller (score 7.1): an attacker with administrative access to a VM can use it to leak memory from the VMX process.
⚠️ The affected versions are:
- ESXi 7.0 and 8.0
- Workstation 17.x
- Fusion 13.x
- Cloud Foundation (ESXi component) 4.x and 5.x
WHY IS THIS VULNERABILITY SERIOUS?
❗Lets an attacker who already controls a guest VM execute code on the machine that hosts the VMware products (on ESXi inside the VMX sandbox, which CVE-2024-22254 can then escape).
❗Could expose sensitive host memory to a guest (CVE-2024-22255).
❗No exploitation in the wild has been observed at the time of writing, but this can change at any moment.
How does Nynox protect its customers?
WHAT CAN YOU DO TO MITIGATE THE RISK?
✅ Patch to the latest version of each product
VMware ESXi 8.0 ESXi-8.0U2sb-23305545
– https://my.vmware.com/group/vmware/patch
– https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80u2b-release-notes/index.html
VMware ESXi 8.0 ESXi80U1d-23299997
– https://my.vmware.com/group/vmware/patch
– https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80u1d-release-notes/index.html
VMware ESXi 7.0 ESXi70U3p-23307199
– https://my.vmware.com/group/vmware/patch
– https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3p-release-notes/index.html
Workstation Pro 17.5.1
– https://customerconnect.vmware.com/downloads/info/slug/desktop_end_user_computing/vmware_workstation_pro/17_0
– https://docs.vmware.com/en/VMware-Workstation-Pro/17.5.1/rn/vmware-workstation-1751-pro-release-notes/index.html
Fusion 13.5.1
– https://customerconnect.vmware.com/en/downloads/info/slug/desktop_end_user_computing/vmware_fusion/13_0
– https://docs.vmware.com/en/VMware-Fusion/13.5.1/rn/vmware-fusion-1351-release-notes/index.html
VMware Cloud Foundation 5.x/4.x
– https://kb.vmware.com/s/article/88287
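To check a fleet of ESXi hosts against the fixed builds listed above, the following PowerCLI script is an added example; it is not part of the Nynox advisory or of VMware's own tooling. It assumes VMware PowerCLI is installed and that Connect-VIServer has already established a session; the function and variable names are our own. The point it makes is that the fix build depends on the release line a host runs: an 8.0 Update 2 host has a higher build number than the 8.0 U1d fix (23299997) while still being unpatched, so a plain "build is at least N" comparison is wrong.

```powershell
# Added example (not from the Nynox advisory or from VMware): report whether each
# connected ESXi host runs a build that contains the VMSA-2024-0006 fixes.
# Assumes VMware PowerCLI is installed and Connect-VIServer has been run.

# Fixed builds from the patch list above, keyed by the version string ESXi reports
# (8.0 Update 2 reports 8.0.2, 8.0 Update 1 reports 8.0.1, 7.0 Update 3 reports 7.0.3).
$fixedBuilds = @{
    '8.0.2' = 23305545   # ESXi 8.0 U2sb
    '8.0.1' = 23299997   # ESXi 8.0 U1d
    '7.0.3' = 23307199   # ESXi 7.0 U3p
}

function Test-EsxiPatched {
    param(
        [Parameter(Mandatory)][string]$Version,   # e.g. '8.0.2'
        [Parameter(Mandatory)][int]$Build         # e.g. 23305545
    )
    if ($fixedBuilds.ContainsKey($Version)) {
        # Same release line: the fix is present once the build reaches the fixed build.
        return $Build -ge $fixedBuilds[$Version]
    }
    # A line with no entry in the table (8.0.0, 7.0.1, 7.0.2, or anything older) is
    # reported as unpatched: the host has to move to one of the listed lines.
    return $false
}

Get-VMHost | ForEach-Object {
    [pscustomobject]@{
        Host    = $_.Name
        Version = $_.Version
        Build   = $_.Build
        Patched = Test-EsxiPatched -Version $_.Version -Build ([int]$_.Build)
    }
} | Sort-Object Patched, Host | Format-Table -AutoSize
```

Hosts that report Patched = False come first in the output. The table deliberately covers only the three lines named in the patch list; older lines are reported as unpatched rather than looked up against builds this page does not list.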
But what if you can’t?
✅ Remove all USB controllers from the virtual machine. This disables USB passthrough and makes virtual or emulated USB devices (such as a VMware virtual USB stick or dongle) unavailable to the VM, which closes the attack surface of the XHCI and UHCI controllers until the host can be patched.
✅ The default keyboard and mouse input devices remain unaffected: by default they are not connected through the USB protocol but use a driver that does software device emulation in the guest OS.
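To apply the workaround across an ESXi estate, the following PowerCLI script is an added example; it is not the Nynox advisory's or VMware's own code. It assumes PowerCLI is installed and a Connect-VIServer session exists, and the function names and the -Remove switch are our own. It first reports every VM that has a UHCI (VirtualUSBController) or xHCI (VirtualUSBXHCIController) controller, so the audit can be reviewed before anything is changed; with -Remove it reconfigures powered-off VMs to drop those controllers.

```powershell
# Added example (not from the Nynox advisory or from VMware): find and remove virtual
# USB controllers, the VMSA workaround for the XHCI/UHCI vulnerabilities.
# Assumes VMware PowerCLI is installed and Connect-VIServer has been run.
param(
    [switch]$Remove   # report only unless this switch is given
)

# vSphere API device classes for the two affected controllers.
$usbTypes = @('VirtualUSBController', 'VirtualUSBXHCIController')

function Get-UsbControllerReport {
    foreach ($vm in Get-VM) {
        $devices = $vm.ExtensionData.Config.Hardware.Device
        $usb = $devices | Where-Object { $usbTypes -contains $_.GetType().Name }
        foreach ($dev in $usb) {
            [pscustomobject]@{
                VM         = $vm.Name
                PowerState = $vm.PowerState
                Controller = $dev.GetType().Name
                Key        = $dev.Key
                Label      = $dev.DeviceInfo.Label
            }
        }
    }
}

function Remove-UsbController {
    param([string]$VMName, [int]$DeviceKey)
    $vm  = Get-VM -Name $VMName
    $dev = $vm.ExtensionData.Config.Hardware.Device | Where-Object { $_.Key -eq $DeviceKey }
    # A VirtualMachineConfigSpec with a single "remove" device change.
    $spec   = New-Object VMware.Vim.VirtualMachineConfigSpec
    $change = New-Object VMware.Vim.VirtualDeviceConfigSpec
    $change.Operation = 'remove'
    $change.Device    = $dev
    $spec.DeviceChange = @($change)
    $vm.ExtensionData.ReconfigVM($spec)   # synchronous; ReconfigVM_Task for bulk runs
}

$report = Get-UsbControllerReport
$report | Format-Table -AutoSize

if ($Remove) {
    foreach ($row in $report) {
        # Removing the controller from a running VM is a hot-remove the guest may not
        # tolerate, so only powered-off VMs are touched here.
        if ($row.PowerState -ne 'PoweredOff') {
            Write-Warning "Skipping $($row.VM): power it off before removing $($row.Controller)"
            continue
        }
        Remove-UsbController -VMName $row.VM -DeviceKey $row.Key
        Write-Host "Removed $($row.Controller) (key $($row.Key)) from $($row.VM)"
    }
}
```

Run it once without -Remove to get the inventory, then with -Remove after the affected VMs are powered off. A controller that still has a USB device attached (a passthrough device or a virtual USB stick) has to lose that device first, otherwise the reconfigure fails. On Workstation and Fusion the equivalent step is deleting the USB Controller device in the VM's settings.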