VMware Fixes Heap Overflow Bug

VMware released security updates to address a heap-overflow vulnerability, tracked as CVE-2021-22045, in its Workstation, Fusion and ESXi products. VMware has addressed the vulnerability with the release of ESXi670-202111101-SG, ESXi650-202110101-SG, Workstation 16.2.0, and Fusion 12.2.0.

The security vulnerability exists in the CD-ROM device emulation function of the above products. An attacker with access to a virtual machine that has CD-ROM device emulation enabled can chain this vulnerability with other flaws to execute code on the hypervisor from a virtual machine.

A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine.

The vulnerability was privately reported to VMware and received a CVSS score of 7.7. The virtualization giant also provided mitigation for this issue that consists of disabling or disconnecting the CD-ROM/DVD devices on all running virtual machines.

Below is the step-by-step procedure:

1) Log in to a vCenter Server system using the vSphere Web Client.
2) Right-click the virtual machine and click Edit Settings.
3) Select the CD/DVD drive and uncheck “Connected” and “Connect at power on” and remove any attached ISOs.

The following command will list all VMs with a connected device

Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Select Parent

To remove and disconnect an attached CD-ROM/DVD device, run the command below

Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Set-CDDrive -NoMedia -confirm:$false

Affected products are Workstation 16.x, and Fusion 12.x, ESXi 6.5, 6.7, and 7 versions, and VMware Cloud Foundation. It’s recommended to apply the security updates as soon as possible.