Article Details

Scrape Timestamp (UTC): 2024-03-07 07:33:17.545

Source: https://www.theregister.com/2024/03/07/vmware_usb_critical_flaws/

Original Article Text


VMware urges emergency action to blunt hypervisor flaws

Critical vulns in USB under ESXi and desktop hypervisors found by Chinese researchers at cracking contest.

Hypervisors are supposed to provide an inviolable isolation layer between virtual machines and hardware. But hypervisor heavyweight VMware by Broadcom yesterday revealed its hypervisors are not quite so inviolable as it might like.

In a security advisory the Broadcom business unit warned of four flaws. The nastiest two – CVE-2024-22252 and 22253 – are rated 9.3/10 on VMware's Workstation and Fusion desktop hypervisors and 8.4 on the ESXi server hypervisor. The flaws earned those ratings because a malicious actor with local administrative privileges on a virtual machine may exploit them to execute code outside the guest. On Workstation and Fusion that code will run on the host PC or Mac. Under ESXi it will run in the VMX process that encapsulates each guest VM.

In an FAQ, VMware rated the two flaws an emergency change, as defined by the IT Infrastructure Library. Another vuln, CVE-2024-2225, is rated 7.1. Workarounds for the flaws even apply to vSphere 6.x – a now unsupported version of VMware's flagship server virtualization platform.

Virtual USB controllers are the source of the problem for the three CVEs mentioned above, and VMware's workaround is removing them from VMs. Yet VMware's FAQ admits doing so "may not be feasible at scale" as "some supported operating systems require USB for keyboard & mouse access via the virtual console." Loss of USB passthrough functionality may be another unwanted consequence. The FAQ adds: "That said, most Windows and Linux versions support use of the virtual PS/2 mouse and keyboard," and removing unnecessary devices such as USB controllers is recommended as part of the security hardening guidance VMware publishes.
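The workaround above amounts to an inventory-and-remove exercise: find which VMs still carry a virtual USB controller (and any USB devices attached to it), then take the controller away where the guest can fall back to the virtual PS/2 keyboard and mouse. The following is an added example, not code from the article, The Register or VMware, that does this for the desktop hypervisors by auditing a Workstation/Fusion .vmx file offline. It assumes the standard `usb.present`, `ehci.present` and `usb_xhci.present` keys enable the three virtual controller generations and that attached devices appear as `usb:N.present`-style keys; the sample .vmx content is constructed for the example. For ESXi fleets the same check would be made through the vSphere API or PowerCLI, which this example does not cover.

```python
"""Audit VMware Workstation/Fusion .vmx files for virtual USB controllers.

Added example, not code from the article, The Register or VMware. It reads the
key = "value" lines of a .vmx configuration, reports which virtual USB
controllers and attached USB devices a VM has, and produces a hardened copy
with them disabled. Which controller generation each key maps to is this
example's assumption.
"""
import re
from typing import Dict, List, Tuple

# VMX keys that enable each virtual USB controller (assumed mapping).
USB_CONTROLLER_KEYS = {
    "usb.present": "USB 1.1 (UHCI) controller",
    "ehci.present": "USB 2.0 (EHCI) controller",
    "usb_xhci.present": "USB 3.x (xHCI) controller",
}

# key = "value"   (VMX values are double-quoted; anything else is skipped)
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')
# usb:1.present / ehci:0.present / usb_xhci:4.present mark attached USB devices
_DEVICE_PRESENT = re.compile(r"^((?:usb|ehci|usb_xhci):\d+)\.present$")


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse .vmx text into a dict. VMX keys are case-insensitive, so they
    are lower-cased; lines that are not key = "value" are ignored."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            config[m.group(1).lower()] = m.group(2)
    return config


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def audit_usb(config: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (enabled USB controllers, prefixes of attached USB devices)."""
    controllers = [desc for key, desc in USB_CONTROLLER_KEYS.items()
                   if _is_true(config.get(key, "FALSE"))]
    devices = []
    for key, val in config.items():
        m = _DEVICE_PRESENT.match(key)
        if m and _is_true(val):
            devices.append(m.group(1))
    return controllers, sorted(devices)


def harden_vmx(text: str) -> str:
    """Return a copy of the .vmx text with every USB controller and attached
    USB device set to "FALSE"; all other lines are left untouched. This is
    the file-level equivalent of removing the controllers from the VM."""
    out = []
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            key, val = m.group(1), m.group(2)
            lk = key.lower()
            if (lk in USB_CONTROLLER_KEYS or _DEVICE_PRESENT.match(lk)) and _is_true(val):
                line = f'{key} = "FALSE"'
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample .vmx content for a lab VM (not taken from any real system).
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "21"
displayName = "lab-guest"
scsi0.present = "TRUE"
usb.present = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "TRUE"
usb:1.present = "TRUE"
usb:1.deviceType = "hub"
usb:1.port = "1"
usb_xhci:4.present = "TRUE"
usb_xhci:4.deviceType = "hid"
usb_xhci:4.port = "4"
"""

if __name__ == "__main__":
    controllers, devices = audit_usb(parse_vmx(SAMPLE_VMX))
    print("USB controllers:", controllers or "none")
    print("attached USB devices:", devices or "none")
    print(harden_vmx(SAMPLE_VMX))
```

Run it over each .vmx under a Workstation or Fusion VM directory to get the inventory the FAQ says is hard to produce at scale; the hardened output should only be written back while the VM is powered off, and only for guests that can use the virtual PS/2 input devices, which is exactly the caveat VMware raises.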
Making matters worse, VMware also advised of CVE-2024-22254 – an out-of-bounds write vulnerability that a malicious actor with privileges within the VMX process could trigger, leading to an escape of the sandbox. Guest-host escapes are the worst-case virtualization incident. These flaws look significant, but fall short of total takeovers of the hypervisor that would allow an attacker to control fleets of VMs.

Interestingly, some of the flaws were discovered by researchers at 2023's Tianfu Cup Pwn Contest – China's equivalent of the Pwn2Own infosec attack-fest. VMware thanked contest participants Jiang YuHao, Ying XingLei & Zhang ZiMing of Team Ant Lab – an outfit affiliated with Alibaba – and VictorV & Wei of Team CyberAgent. Also thanked were Jiaqing Huang and Hao Zheng from the TianGong Team of Legendsec at Qi'anxin Group, who found some of the flaws independently.

Daily Brief Summary

MALWARE // VMware Addresses Severe Hypervisor Exploit Risks

VMware issued an urgent security advisory disclosing four significant vulnerabilities in its hypervisor products, impacting ESXi, Workstation, and Fusion.

The most severe flaws, CVE-2024-22252 and CVE-2024-22253, received high-risk scores due to their potential to allow malicious code execution outside of guest virtual machines.

An attacker with local admin privileges inside a guest could exploit these vulnerabilities to execute code on the host system (Workstation and Fusion) or within the VMX process that encapsulates the guest VM (ESXi).

VMware classified these issues as an "emergency change" and has provided workarounds, including the removal of virtual USB controllers, though this may not always be practical at scale.

An additional vulnerability, CVE-2024-2225, also involves the virtual USB controllers; VMware suggests removing unneeded devices to mitigate the risk, in line with its security hardening guidelines.

Another vulnerability, CVE-2024-22254, could lead to an out-of-bounds write and potential sandbox escape, although it does not enable attackers to take full control of the hypervisor.

Some vulnerabilities were discovered by Chinese researchers participating in the Tianfu Cup Pwn Contest, highlighting the importance of such events in finding and addressing security flaws.