VMware Issues Critical Patches for ESXi, Workstation, Fusion, & Cloud Foundation

CVE-2024-22252 & CVE-2024-22253

VMware has released urgent patches addressing multiple critical-severity vulnerabilities in ESXi, Workstation, Fusion, and Cloud Foundation. These flaws center around USB controllers and could allow attackers with local administrative privileges on a virtual machine to escape the virtualized environment and execute code on the underlying host.

Key Vulnerabilities & CVSS Scores

  • CVE-2024-22252, CVE-2024-22253 (UHCI/XHCI USB controllers): Use-after-free flaws with CVSSv3 scores of 9.3 (Workstation/Fusion) and 8.4 (ESXi). A malicious actor with local administrative privileges within a virtual machine could exploit them to execute code on the host system. The severity is higher on Workstation and Fusion, where exploitation leads to direct code execution on the host machine itself; on ESXi, the attack is contained within the VMX sandbox.
  • CVE-2024-22254 (ESXi): Out-of-bounds write vulnerability (CVSSv3 7.9). An attacker with access to the VMX process can trigger an out-of-bounds write, potentially allowing them to break out of the sandbox environment.
  • CVE-2024-22255 (UHCI USB controller): Information disclosure vulnerability (CVSSv3 7.1). An attacker with administrative access to a virtual machine can exploit this issue to leak memory from the vmx process, potentially exposing sensitive data.

Impact & Mitigation

  • Successful exploitation could lead to:

    • Privilege escalation on the host system
    • Sensitive data compromise
    • Further compromise of the virtualized infrastructure (particularly severe for ESXi)
  • Immediate Action: Apply the latest available patches from VMware. Consult their security advisory for specific instructions and impacted product versions.
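Because every flaw above lives in the virtual USB controllers, a defender's first scoping question is which VMs actually present a UHCI/EHCI or xHCI controller and on which host build they run. The PowerCLI check below is an added example, not code from VMware or the advisory; it assumes PowerCLI is installed, that you have a vCenter or ESXi connection, and that the server name is a placeholder you replace.

```powershell
# Added example (not from the advisory): inventory VMs that present a
# UHCI/EHCI or xHCI virtual USB controller, to scope exposure before patching.
# Assumes VMware PowerCLI is installed; the server name is a placeholder.
Connect-VIServer -Server 'vcenter.example.invalid'

$report = foreach ($vm in Get-VM) {
    $devices = $vm.ExtensionData.Config.Hardware.Device
    # VirtualUSBController is the UHCI/EHCI controller; VirtualUSBXHCIController is xHCI.
    $uhci = @($devices | Where-Object { $_ -is [VMware.Vim.VirtualUSBController] })
    $xhci = @($devices | Where-Object { $_ -is [VMware.Vim.VirtualUSBXHCIController] })

    if ($uhci.Count -gt 0 -or $xhci.Count -gt 0) {
        [pscustomobject]@{
            VM         = $vm.Name
            PowerState = $vm.PowerState
            Host       = $vm.VMHost.Name
            HostBuild  = $vm.VMHost.Build   # compare against the fixed build in the VMware advisory
            UHCI_EHCI  = $uhci.Count
            XHCI       = $xhci.Count
        }
    }
}

# Hosts with the most exposed VMs first, so patch order follows exposure
$report | Sort-Object Host, VM | Format-Table -AutoSize

# Keep a record to track remediation per host across the patch window
$report | Export-Csv -Path '.\vm-usb-controllers.csv' -NoTypeInformation
```

The HostBuild column is only meaningful next to the fixed build numbers listed in VMware's advisory; the script itself does not know them.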