Critical defects in VMware software expose it to remote code execution by threat actors.
They are found in different parts of the virtualization platform, management interfaces, and other related tools, which makes the flaws latent.
Successful exploitation can let attackers gain higher access levels and run malicious code remotely on affected computers.
Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were recently reported privately to VMware.
As a result, VMware patched the critical flaws in ESXi, Workstation, and Fusion after private disclosure. Combining multiple important vulnerabilities escalates the severity.
Vulnerabilities
The vulnerabilities are listed below:
- CVE-2024-22252 (CVSSv3 base score of 9.3): Use-after-free vulnerability in XHCI USB controller
- CVE-2024-22253 (CVSSv3 base score of 9.3): Use-after-free vulnerability in UHCI USB controller
- CVE-2024-22254 (CVSSv3 base score of 7.9): ESXi Out-of-bounds write vulnerability
- CVE-2024-22255 (CVSSv3 base score of 7.1): Information disclosure vulnerability in UHCI USB controller
Products Impacted
The impacted products are listed below:
- VMware ESXi
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- VMware Cloud Foundation (Cloud Foundation)
CVE-2024-22252 allows code execution from a VM in VMware products. The VMware XHCI USB flaw (CVE-2024-22253) is critical for Workstation/Fusion but important for ESXi.
The UHCI USB bug also impacts VMware products and enables code execution. The out-of-bounds write flaw (CVE-2024-22254) in ESXi risks a VMX sandbox escape. A memory leak is possible via the UHCI USB flaw (CVE-2024-22255) across the VMware lineup.
Broadcom released critical patches for severe vulnerabilities in ESXi 6.7, 6.5, and VCF 3.x. For ESXi 8.0 U1, additional patches are available. If you are not updating to ESXi 8.0 Update 2b, use 8.0 Update 1d to get the security fixes.