Article Details

VMware fixes critical sandbox escape flaws in ESXi, Workstation, and Fusion. VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation products, allowing attackers to escape virtual machines and access the host operating system. These types of flaws are critical as they could permit attackers to gain unauthorized access to the host system where a hypervisor is installed or access other virtual machines running on the same host, breaching their isolation. The advisory outlines four vulnerabilities, tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255, with CVSS v3 scores ranging from 7.1 to 9.3, but all with a critical severity rating. The four flaws can be summarized as follows: Impacted version products and fixed versions are listed in the table below: A practical workaround to mitigate CVE-2024-22252, CVE-2024-22253, and CVE-2024-22255 is to remove USB controllers from virtual machines following the instructions provided by the vendor. Note that this may impact keyboard, mouse, and USB stick connectivity in some configurations. It is worth noting that VMware has made security fixes available for older ESXi versions (6.7U3u), 6.5 (6.5U3v), and VCF 3.x due to the vulnerabilities' severity. Finally, the vendor published a FAQ to accompany the bulletin, emphasizing the importance of prompt patching and providing guidance on response planning and workaround/fix implementation for specific products and configurations. VMware has neither observed nor received any reports indicating active exploitation of the four flaws. System admins are recommended to subscribe to the VMSA mailing list for proactive alerts in case the exploitation status changes.