Patch VMware vulnerabilities, admins urged

ESXi, Workstation Pro/Player, Fusion Pro/Fusion and Cloud Foundation affected

Systems administrators are being urged to patch or deploy workarounds for four vulnerabilities in VMware virtualisation software.

The vulnerabilities are found in VMware ESXi, VMware Workstation Pro/Player, VMware Fusion Pro/Fusion and VMware Cloud Foundation. Most affect USB controllers, and combined they can amount to a flaw with a "critical" rating.

VMware by Broadcom released an advisory for users of the affected systems.

CVE-2024-22252 and CVE-2024-22253 (CVSS score 9.3) are present in Workstation and Fusion hypervisors. Broadcom has released patches for these vulnerabilities and users can upgrade to fixed versions of affected software. There is also a workaround for those unable to patch immediately, at the cost of some functionality.

The bugs allow an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host. Potentially, this could allow code execution on the physical machine on which Workstation or Fusion is installed.

CVE-2024-22254 (rated 7.9) is an out-of-bounds write vulnerability in the bare metal hypervisor ESXi, which could allow an attacker with sufficient privileges to escape the sandbox.

Broadcom has also released patches for this glitch. There is no workaround.

Finally, CVE-2024-22255 is a vulnerability in VMware ESXi, Workstation and Fusion. Given a CVSS score of 7.1 by Broadcom, it is an information disclosure bug in the UHCI USB controller, via which an attacker could leak memory from the vmx process. Once again patches are available and users can upgrade to fixed versions of the software.

Broadcom has published workarounds for some of the vulnerabilities in the advisory, most of which involve removing USB controllers from VMs.
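As an added example, not part of the article or of Broadcom's advisory, the script below inventories which VMs still declare a USB controller by parsing their .vmx files, so an administrator can see where the remove-the-controller workaround has or has not been applied. The key names usb.present, ehci.present and usb_xhci.present, their mapping to UHCI/EHCI/xHCI, and the sample VM are assumptions made here.

```python
"""Inventory USB controllers declared in VMware .vmx files (assumed key names)."""
import re
from pathlib import Path

# Assumed .vmx keys for the three USB controller types. The advisory
# workaround removes USB controllers from VMs, so these are the lines to find.
USB_CONTROLLER_KEYS = {
    "usb.present": "UHCI (USB 1.1)",
    "ehci.present": "EHCI (USB 2.0)",
    "usb_xhci.present": "xHCI (USB 3.x)",
}

# One .vmx line: key = "value"; keys may contain dots and colons (e.g. usb:1.present).
_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text: str) -> dict:
    """Parse key = "value" lines into a dict; keys lower-cased, comments skipped."""
    config = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _LINE.match(line)
        if match:
            config[match.group(1).lower()] = match.group(2).strip()
    return config


def usb_controllers(config: dict) -> list:
    """Return the USB controller types a parsed config still enables."""
    return [label for key, label in USB_CONTROLLER_KEYS.items()
            if config.get(key, "").upper() == "TRUE"]


def scan_vmx_dir(root) -> dict:
    """Map each .vmx under root that still has a USB controller to the controller list."""
    findings = {}
    for path in Path(root).rglob("*.vmx"):
        found = usb_controllers(parse_vmx(path.read_text(errors="replace")))
        if found:
            findings[str(path)] = found
    return findings


# Constructed sample: a VM with UHCI and EHCI enabled and xHCI explicitly disabled.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "build-agent-01"
usb.present = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "FALSE"
usb:1.present = "TRUE"
'''

if __name__ == "__main__":
    for label in usb_controllers(parse_vmx(SAMPLE_VMX)):
        print("USB controller still enabled:", label)
```

Point scan_vmx_dir at a datastore or Workstation VM folder to list every VM that still declares a controller; a VM whose .vmx contains none of the three keys set to TRUE is reported clean.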