VMware patches critical flaws that could allow attackers to escape VMs

VMware has released fixes for several flaws that together could allow attackers to execute malicious code on the host system from inside a virtual machine, bypassing the critical isolation layer. Some of the flaws are in the virtualized USB controllers, so they impact most VMware hypervisors: VMware ESXi, VMware Workstation, VMware Fusion, and VMware Cloud Foundation.

Attacker groups have exploited vulnerabilities in virtualization products before, including to deploy ransomware on hypervisors. In January it was revealed that a Chinese cyberespionage group had been exploiting a critical remote code execution vulnerability in VMware vCenter Server for 18 months before it was patched in October last year.

Flaws in VMware USB controllers

The new security patches released this week address two use-after-free memory vulnerabilities in the virtualized USB controllers: CVE-2024-22252 in the XHCI USB controller and CVE-2024-22253 in the UHCI USB controller. These are the emulated controllers that enable the use of USB devices inside VMware virtual machines, and they sit in the VMX process that runs on the host on behalf of each guest, which is why a bug in them crosses the guest/host boundary. Both flaws are rated 9.3 out of 10 on the CVSS severity scale for Workstation and Fusion and 8.4 for ESXi, where the VMX sandbox limits what a compromised VMX process can reach.

“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” VMware said in its advisory. “On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”

The VMX sandbox on ESXi does not fully contain the risk, however, because a third vulnerability can be used to escape it. CVE-2024-22254 is an out-of-bounds write in ESXi, rated 7.9, that an attacker who already has code execution inside the VMX process can use to cause a denial of service or break out of the sandbox. Chained with either use-after-free flaw, it turns a guest-to-VMX compromise into a guest-to-host escape on ESXi as well.

A fourth flaw, CVE-2024-22255, is an information disclosure vulnerability in the UHCI USB controller, rated 7.1. An attacker with administrative access to a virtual machine can use it to leak memory from the VMX process, the sort of leak that typically helps turn a memory-corruption bug into a reliable exploit.

How to mitigate the VMware flaws

VMware is not aware of these flaws being exploited in the wild, but given attackers' proven interest in virtual machines and VMware products, exploits for them may well appear soon. Users are encouraged to deploy the available patches as soon as possible. If they can't for some reason, one workaround is to remove the USB controllers from virtual machines in the meantime; both the UHCI and the XHCI controller are affected, so both have to go. This will impact virtual machine console functionality, as some operating systems require USB for keyboard and mouse access through the virtual console. USB passthrough functionality, where USB devices connected to the host are shared with the virtual machine, will also be lost.

“That said, most Windows and Linux versions support use of the virtual PS/2 mouse and keyboard, and removing unnecessary devices such as USB controllers is recommended as part of the security hardening guidance VMware publishes,” the company said in a FAQ document associated with the advisory.
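The workaround above is applied per VM, so the practical problem is finding which VMs still have a USB controller configured and producing a hardened configuration. The following script is an added example, not VMware's KB script or anything from the advisory. It works on a VM's .vmx file, which all four affected products use; it assumes you can read that file (Workstation and Fusion keep it in the VM bundle, ESXi in the VM's datastore folder), that the VM is powered off before the hardened copy replaces the original, and that the audit can rely on the standard vmx keys usb.present (UHCI), ehci.present (EHCI) and usb_xhci.present (xHCI). The sample .vmx it writes is constructed for the demonstration.

```shell
#!/bin/sh
# usb_controller_audit.sh: added example for auditing and removing virtual
# USB controllers from a VMware .vmx file (Workstation, Fusion, ESXi).
# Not VMware's own tooling; keys used are the standard vmx config names.
set -eu

# Write a constructed sample .vmx (not a real VM) to the path in $1.
# usb:0 is the virtual USB HID the console keyboard/mouse can use, which is
# exactly the device the FAQ warns about losing; PS/2 is always present.
make_sample_vmx() {
  cat > "$1" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "19"
displayName = "sample-vm"
guestOS = "other-64"
scsi0.present = "TRUE"
scsi0.virtualDev = "pvscsi"
usb.present = "TRUE"
usb.pciSlotNumber = "32"
usb:0.present = "TRUE"
usb:0.deviceType = "hid"
usb:1.present = "TRUE"
usb:1.deviceType = "hub"
usb_xhci.present = "TRUE"
usb_xhci.pciSlotNumber = "192"
ehci.present = "FALSE"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
EOF
}

# Print the USB controller keys that are enabled in the .vmx in $1, space
# separated, in file order. Handles 'key = "TRUE"' with any spacing/case.
usb_controllers_in_vmx() {
  awk -F= '
    {
      key = $1; val = $2
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      gsub(/[ \t"]/, "", val)
      if ((key == "usb.present" || key == "ehci.present" || key == "usb_xhci.present") \
          && toupper(val) == "TRUE")
        printf "%s%s", (n++ ? " " : ""), key
    }
    END { printf "\n" }' "$1"
}

# Write a hardened copy of the .vmx in $1 to $2: every USB controller line
# (usb.*, ehci.*, usb_xhci.*) and every attached USB device (usb:N.*,
# usb_xhci:N.*) is dropped; everything else is kept verbatim.
# Only replace the original on a powered-off VM. On ESXi, reload the VM's
# config afterwards with: vim-cmd vmsvc/reload <vmid>
harden_vmx() {
  grep -Ev '^[[:space:]]*(usb|ehci|usb_xhci)[.:]' "$1" > "$2"
}

# Demo on the constructed sample.
workdir=$(mktemp -d)
make_sample_vmx "$workdir/sample.vmx"
echo "Enabled USB controllers: $(usb_controllers_in_vmx "$workdir/sample.vmx")"
harden_vmx "$workdir/sample.vmx" "$workdir/sample.hardened.vmx"
echo "After hardening: '$(usb_controllers_in_vmx "$workdir/sample.hardened.vmx")'"
rm -rf "$workdir"
```

To audit a whole Workstation or Fusion host, run usb_controllers_in_vmx over every .vmx under the VM directory and act on the ones that print anything; on ESXi the same check works against the datastore copies, but the supported way to remove the controllers from a running inventory is the vSphere client or PowerCLI rather than editing the file in place.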

In addition to patches for the supported versions of the impacted products, VMware also provided patches for older versions that are available only to customers with extended support contracts: ESXi 6.7 (6.7U3u), ESXi 6.5 (6.5U3v) and VCF 3.x.
