www.belgium.be Logo of the federal government

WARNING: VMWARE HAS DISCLOSED MULTIPLE CRITICAL VULNERABILITIES ALLOWING A SANDBOX ESCAPE. PATCH IMMEDIATELY!

Reference: 
Advisory #2024-37
Version: 
1.0
Affected software: 
VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Cloud Foundation (Cloud Foundation)
Type: 
Use-after-free; Out-of-bounds write; Information disclosure
CVE/CVSS: 

CVE-2024-22252: 9.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) CVE-2024-22253: 9.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) CVE-2024-22254: 7.9 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N) CVE-2024-22255: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Sources

VMware: https://www.vmware.com/security/advisories/VMSA-2024-0006.html

Risks

VMware released multiple vulnerabilities that allow attackers to break out of sandbox and hypervisor protections in all versions, including out-of-support ones, of VMware ESXi, Workstation, Fusion, and Cloud Foundation products. In total, four vulnerabilities are released with two of them having a score of 9.3. The vulnerabilities are extremely serious because they undermine the fundamental purpose of the VMware products, which is to run sensitive operations inside a virtual machine that’s segmented from the host machine.

Description

CVE-2024-22252 is a use-after-free vulnerability in XHCI USB controller with a score of 9.3 for Workstation/Fusion and a base score of 8.4 for ESXi. A malicious actor with local administrative privileges on a virtual machine may exploit this vulnerability to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

CVE-2024-22253 is a use-after-free vulnerability in UHCI USB controller with a score of 9.3 for Workstation/Fusion and a base score of 8.4 for ESXi. Exploitation requirements and outcomes are the same as for CVE-2024-22252.

CVE-2024-22254 is an out-of-bounds write vulnerability with a score of 7.9. This vulnerability makes it possible for someone with privileges within the VMX process to trigger an out-of-bounds write, leading to a sandbox escape.

CVE-2024-22255 is an information disclosure vulnerability in the UHCI USB controller with a score of 7.1. A malicious actor with administrative access to a virtual machine can exploit it to leak memory from the vmx process.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Patches can be found in the VMware advisory: https://www.vmware.com/security/advisories/VMSA-2024-0006.html

As a workaround, users can remove USB controllers from vulnerable virtual machines, but Broadcom stressed that this measure could degrade virtual console functionality and should be viewed only as a temporary solution.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-22252

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-22252

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-22254

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-22255

Arstechnica: https://arstechnica.com/security/2024/03/vmware-issues-patches-for-critical-sandbox-escape-vulnerabilities/