VMware is urging customers to patch critical vulnerabilities that make it possible for hackers to break out of sandbox and hypervisor protections in all versions, including out-of-support ones, of VMware ESXi, Workstation, Fusion, and Cloud Foundation products.
In total four vulnerabilities, two of them has a severity ratings of 9.3. Three of the vulnerabilities affect the USB controller the products use to support peripheral devices such as keyboards and mice.
The advisory describes the vulnerabilities as:
CVE-2024-22252: a use-after-free vulnerability in XHCI USB controller with a base score of 9.3 for Workstation/Fusion and a base score of 8.4 for ESXi. Someone with local administrative privileges on a virtual machine can execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox, whereas, on Workstation and Fusion, this could lead to code execution on the machine where Workstation or Fusion is installed.
CVE-2024-22253: a use-after-free vulnerability in UHCI USB controller with base score of 9.3 for Workstation/Fusion and a base score of 8.4 for ESXi. Exploitation requirements and outcomes are the same as for CVE-2024-22252.
CVE-2024-22254: an out-of-bounds write vulnerability with a base score of 7.9. This vulnerability makes it possible for someone with privileges within the VMX process to trigger an out-of-bounds write, leading to a sandbox escape.
CVE-2024-22255: an information disclosure vulnerability in the UHCI USB controller with a base score of 7.1. Someone with administrative access to a virtual machine can exploit it to leak memory from the vmx process.
Broadcom is urging customers to patch vulnerable products. As a workaround, users can remove USB controllers from vulnerable virtual machines, but Broadcom stressed that this measure could degrade virtual console functionality and should be viewed as only a temporary solution.
