Home Security VMware Issues Security Patches for ESXi, Workstation, and Fusion Flaws

VMware Issues Security Patches for ESXi, Workstation, and Fusion Flaws

by crpt os


Mar 06, 2024NewsroomSoftware Security / Vulnerability

VMware has released patches to address four security flaws impacting ESXi, Workstation, and Fusion, including two critical flaws that could lead to code execution.

Tracked as CVE-2024-22252 and CVE-2024-22253, the vulnerabilities have been described as use-after-free bugs in the XHCI USB controller. They carry a CVSS score of 9.3 for Workstation and Fusion, and 8.4 for ESXi systems.

“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the company said in a new advisory.

“On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”

Multiple security researchers associated with the Ant Group Light-Year Security Lab and QiAnXin have been credited with independently discovering and reporting CVE-2024-22252. Security researchers VictorV and Wei have been acknowledged for reporting CVE-2024-22253.

Cybersecurity

Also patched by the Broadcom-owned virtualization services provider are two other shortcomings –

  • CVE-2024-22254 (CVSS score: 7.9) – An out-of-bounds write vulnerability in ESXi that a malicious actor with privileges within the VMX process could exploit to trigger a sandbox escape.
  • CVE-2024-22255 (CVSS score: 7.1) – An information disclosure vulnerability in the UHCI USB controller that an attacker with administrative access to a virtual machine may exploit to leak memory from the vmx process.

The issues have been addressed in the following versions, including those that have reached end-of-life (EoL) due to the severity of these issues –

Cybersecurity

As a temporary workaround until a patch can be deployed, customers have been asked to remove all USB controllers from the virtual machine.

“In addition, virtual/emulated USB devices, such as VMware virtual USB stick or dongle, will not be available for use by the virtual machine,” the company said. “In contrast, the default keyboard/mouse as input devices are not affected as they are, by default, not connected through USB protocol but have a driver that does software device emulation in the guest OS.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex