VMware fixes flaws in end-of-life versions of ESXi and Workstation

The vulnerabilities allow hackers to bypass sandbox and hypervisor protection. The problem is so critical that even end-of-life versions of ESXi, Workstation, Fusion, and Cloud Foundation are receiving a patch.

A total of four vulnerabilities are involved. The affected VMware solutions are designed to run sensitive operations in a virtual machine segmented from the host system. However, the vulnerabilities allow malicious actors to access the host system where the hypervisor is installed. They can also access multiple VMs on the host system. This circumvents the isolation.

The vulnerabilities have been given CVSS scores ranging from 7.1 to 9.3, though all are rated as critical. “In ITIL terms, this situation qualifies as an emergency change, necessitating prompt action from your organization. However, the appropriate security response varies depending on specific circumstances,” VMware said.

VMX process

Three of the vulnerabilities involve the USB controller used to support peripherals. Also central is the VMX process, which is used to communicate with interfaces and snapshot managers, for example.

The USB/VMX-related vulnerabilities are known as CVE-2024-22252, CVE-2024-22253 and CVE-2024-22255. The first two require local administrator privileges on a virtual machine, after which a hacker can execute code in the VMX process on the host. The third vulnerability allows malicious actors to gain administrator access to a virtual machine through a memory leak in the VMX process.

The fourth vulnerability has been assigned the number CVE-2024-22254. This vulnerability allows a person with privileges in the VMX process to trigger an out-of-bounds write, after which they can escape from the sandbox and further invade the system.

According to VMware, there is no indication yet that the four vulnerabilities have been actively exploited. However, the fact that even end-of-life versions are receiving a patch highlights the critical nature of the situation.