VMware has patched a whole host of security vulnerabilities affecting several of its key enterprise products, and given that some of the flaws are high in severity and would allow malicious actors to execute code remotely, the company advises customers to apply the patches immediately.
According to VMware’s security advisory, the company patched four vulnerabilities: CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255. These flaws affect the ESXi, Workstation, and Fusion products.
The first two are described as use-after-free flaws in the XHCI USB controller, affecting all three products. For Workstation and Fusion, they carry a severity score of 9.3, while for ESXi, it is 8.4.
Workarounds available
“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the company said. “On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”
The other two flaws are described as an out-of-bounds write flaw in ESXi (severity score 7.9) and an information disclosure vulnerability in the UHCI USB controller (severity score 7.9). These two could be used to escape the sandbox and leak memory from the vmx processes.
To make sure their endpoints are secure, users should bring the products to these versions:
ESXi 6.5 – 6.5U3v
ESXi 6.7 – 6.7U3u
ESXi 7.0 – ESXi70U3p-23307199
ESXi 8.0 – ESXi80U2sb-23305545 and ESXi80U1d-23299997
VMware Cloud Foundation (VCF) 3.x
Workstation 17.x – 17.5.1
Fusion 13.x (macOS) – 13.5.1
Those who are unable to apply the patch immediately should remove all USB controllers from their virtual machines as a workaround.
“In addition, virtual/emulated USB devices, such as VMware virtual USB stick or dongle, will not be available for use by the virtual machine,” the company said. “In contrast, the default keyboard/mouse as input devices are not affected as they are, by default, not connected through USB protocol but have a driver that does software device emulation in the guest OS.”
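The version list and the USB-controller workaround above translate into two inventory questions for a defender: which ESXi hosts are still below the fixed build for their update line, and which VMs still carry a USB controller and so still need the workaround. The following script is an added example, not code from the article or from VMware. It assumes that build numbers increase monotonically within an ESXi update line (7.0 U3 is version 7.0.3, 8.0 U1 is 8.0.1, 8.0 U2 is 8.0.2), that VM hardware is described by the vSphere API device type names VirtualUSBController and VirtualUSBXHCIController, and it reports 6.5/6.7 hosts as unknown because the article lists no build numbers for those lines. All host and VM data below are constructed sample values.

```python
"""Added example: audit ESXi hosts against the fixed builds in the advisory and
flag VMs that still have a USB controller attached (the advisory workaround).
Not VMware's code; sample data are constructed."""

# Fixed build per ESXi update line, taken from the advisory's version list.
# Keyed by the dotted version string that esxcli reports, which encodes the
# update line (7.0 U3 -> 7.0.3, 8.0 U1 -> 8.0.1, 8.0 U2 -> 8.0.2).
FIXED_BUILDS = {
    "7.0.3": 23307199,  # ESXi70U3p-23307199
    "8.0.1": 23299997,  # ESXi80U1d-23299997
    "8.0.2": 23305545,  # ESXi80U2sb-23305545
}

# vSphere API device types that represent USB controllers (assumed names).
# UHCI/EHCI controllers are VirtualUSBController; xHCI is its own type.
USB_CONTROLLER_TYPES = {"VirtualUSBController", "VirtualUSBXHCIController"}


def host_status(version, build):
    """Return 'patched', 'vulnerable', or 'unknown' for one host.

    version: dotted version string, e.g. "8.0.2" (from `esxcli system version get`)
    build:   integer build number from the same command
    'unknown' covers lines the advisory lists without a build number (6.5, 6.7),
    which must be checked by update name (6.5U3v / 6.7U3u) instead."""
    fixed = FIXED_BUILDS.get(version)
    if fixed is None:
        return "unknown"
    # Assumption: builds within one update line only ever increase.
    return "patched" if build >= fixed else "vulnerable"


def vms_with_usb_controllers(vms):
    """Return sorted names of VMs whose device list contains any USB controller.

    vms: mapping of VM name -> list of device type names."""
    return sorted(name for name, devices in vms.items()
                  if USB_CONTROLLER_TYPES & set(devices))


def audit(hosts, vms):
    """Combine both checks into one report.

    hosts: list of (hostname, version, build) tuples."""
    report = {"vulnerable_hosts": [], "unknown_hosts": [],
              "vms_needing_workaround": vms_with_usb_controllers(vms)}
    for name, version, build in hosts:
        status = host_status(version, build)
        if status == "vulnerable":
            report["vulnerable_hosts"].append(name)
        elif status == "unknown":
            report["unknown_hosts"].append(name)
    return report


# Constructed sample inventory (not real hosts or builds).
SAMPLE_HOSTS = [
    ("esx01", "7.0.3", 23307199),  # exactly the fixed U3p build -> patched
    ("esx02", "8.0.2", 23305544),  # one below the U2sb fixed build -> vulnerable
    ("esx03", "8.0.1", 23299997),  # fixed U1d build -> patched
    ("esx04", "6.7.0", 20497097),  # no fixed build on the page -> unknown
]

SAMPLE_VMS = {
    "web01": ["VirtualVmxnet3", "VirtualDisk", "VirtualUSBXHCIController"],
    "db01": ["VirtualVmxnet3", "VirtualDisk"],
    "jump01": ["VirtualUSBController", "VirtualUSB"],
}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_HOSTS, SAMPLE_VMS).items():
        print(f"{key}: {value}")
```

In practice the host tuples come from the Version and Build fields of `esxcli system version get` on each host, and the VM device lists from an inventory export of each VM's virtual hardware; the script only evaluates them. A host reported as unknown is not necessarily safe, it just cannot be judged by build number from the information the advisory gives.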
Via TheHackerNews