VMware is unveiling patches for many security flaws, so update now
VMware has patched a slew of security issues affecting some of its key business products – and since some of the flaws are very serious and could allow malicious actors to execute code remotely, the company is advising users to apply the patches immediately.
According to VMware’s security advisory, the company has patched four vulnerabilities: CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255. These errors affect ESXi, Workstation, and Fusion products.
The first two are described as use-after-free errors in the XHCI USB controller, affecting all three products. For Workstation and Fusion they have a severity score of 9.3, while for ESXi it is 8.4.
Solutions available
“A malicious actor with local administrative rights on a virtual machine could exploit this issue to execute code while the virtual machine’s VMX process is running on the host,” the company said. “On ESXi, the exploitation takes place in the VMX sandbox, while on Workstation and Fusion it can result in code execution on the machine where Workstation or Fusion is installed.”
The other two flaws are described as an out-of-bounds write error in ESXi (severity score 7.9) and an information disclosure vulnerability in the UHCI USB controller (severity score 7.9). These two can be used to escape the sandbox and leak memory from the VMX process.
To ensure that their endpoints are secure, users should update the products to these versions:
ESXi 6.5 – 6.5U3v
ESXi 6.7 – 6.7U3h
ESXi 7.0 – ESXi70U3p-23307199
ESXi 8.0 – ESXi80U2sb-23305545 and ESXi80U1d-23299997
VMware Cloud Foundation (VCF) 3.x
Workstation 17.x – 17.5.1
Fusion 13.x (macOS) – 13.5.1
Those who cannot immediately apply the patch should remove all USB controllers from their virtual machines as a workaround.
“Additionally, virtual/emulated USB devices, such as VMware’s virtual USB stick or dongle, will not be available for use by the virtual machine,” the company said. “In contrast, the standard keyboard/mouse input device is not affected because by default they are not connected via the USB protocol, but have a driver that performs software device emulation in the guest operating system.”
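Before applying the USB-controller workaround, an administrator needs to know which virtual machines actually have USB controllers attached. The script below is an added example, not code from VMware or from the article: it parses the `key = "value"` format of `.vmx` configuration files and reports which of the three emulated controller types (UHCI via `usb.present`, EHCI via `ehci.present`, xHCI via `usb_xhci.present`) are enabled. The two sample `.vmx` texts are constructed for this example; the controller key names are the standard VMware configuration keys.

```python
"""Inventory USB controllers declared in VMware .vmx files.

Added example (not VMware's tooling): finds VMs that still have an emulated
USB controller, i.e. the ones the workaround in the advisory applies to.
The .vmx samples below are constructed for illustration.
"""
import re
from typing import Dict, List

# Standard .vmx keys that enable each emulated USB controller type.
USB_CONTROLLER_KEYS = {
    "usb.present": "UHCI (USB 1.1)",
    "ehci.present": "EHCI (USB 2.0)",
    "usb_xhci.present": "xHCI (USB 3.x)",
}

# A .vmx line looks like:  some.key = "value"
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse .vmx text into a dict. Keys are lower-cased (VMware treats
    them case-insensitively); blank lines and '#' comments are skipped."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _VMX_LINE.match(stripped)
        if match:
            config[match.group(1).lower()] = match.group(2)
    return config


def usb_controllers(config: Dict[str, str]) -> List[str]:
    """Return the names of USB controllers enabled in a parsed .vmx.
    A controller counts as present only when its key is literally TRUE."""
    return [
        name
        for key, name in USB_CONTROLLER_KEYS.items()
        if config.get(key, "").strip().lower() == "true"
    ]


def report(vmx_files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each .vmx file name to its enabled USB controllers.
    An empty list means the workaround is not needed for that VM."""
    return {name: usb_controllers(parse_vmx(text)) for name, text in vmx_files.items()}


# Constructed sample configurations (not real VM files).
SAMPLE_VMX_FILES = {
    "web01.vmx": '''.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "19"
displayName = "web01"
usb.present = "TRUE"
usb_xhci.present = "TRUE"
usb:1.present = "TRUE"
usb:1.deviceType = "hub"
''',
    "db01.vmx": '''displayName = "db01"
# USB controller already removed from this VM
usb.present = "FALSE"
''',
}

if __name__ == "__main__":
    for vm, controllers in report(SAMPLE_VMX_FILES).items():
        status = ", ".join(controllers) if controllers else "no USB controllers"
        print(f"{vm}: {status}")
```

On a real ESXi host the `.vmx` files live under the datastore directories; feeding their contents into `report()` gives a list of VMs to prioritise for patching or for removing the controllers through the vSphere client. The script only reads configuration and does not edit `.vmx` files, since VMware's supported way to remove a controller is through the management interface with the VM powered off.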
Via The Hacker News