VMware forced to patch dangerous vulnerabilities in discontinued products

Facepalm: VM hypervisors are designed to isolate a guest operating system from the host. Nothing should escape the VM's insulated environment, but hackers can theoretically exploit these recently discovered security flaws in VMware products to do just that.

VMware has released a new security advisory addressing four critical vulnerabilities discovered in its virtualization products. These vulnerabilities pose a risk of escaping the self-contained environment of a virtual machine, potentially enabling malicious actions on the host system. Updates and patches are already available, including for products that Broadcom, VMware's new owner, has decided to discontinue.

According to VMware's advisory, the security flaws affect ESXi, Workstation Pro/Player, Fusion Pro/Fusion, and Cloud Foundation. Broadcom recently confirmed the discontinuation of ESXi, a free type-1 hypervisor developed for homelab enthusiasts, but support for paid products is still available until the end of contract obligations.

The individual ESXi flaws outlined in the advisory have an "important" severity level, as stated by VMware. However, skilled hackers could combine them to achieve a "critical" impact on vulnerable products. The initial issue is a use-after-free vulnerability found in VMware's XHCI USB controller (CVE-2024-22252), a bug that a malicious actor with local VM admin privileges could exploit to execute code as the VMX process running on the host. On Workstation and Fusion desktop (type-2) hypervisors, this exploitation could result in code execution on the host operating system.

The second issue is a use-after-free vulnerability in VMware's UHCI USB controller (CVE-2024-22253). Cyber-criminals could exploit the bug to achieve exactly the same results as CVE-2024-22252, with malicious code execution on the host. The third flaw is an out-of-bounds write vulnerability in ESXi (CVE-2024-22254), an "important" issue that may trigger a sandbox escape.

Lastly, an information disclosure vulnerability in UHCI USB controller (CVE-2024-22255) could be exploited to leak memory content from the VMX process outside the virtual machine. VMware has already released patches and updated versions of its VM tools to properly address the four security bugs discovered by security experts.

If updates cannot be installed right away, the company is also providing instructions for an effective workaround that would make exploiting the vulnerabilities pointless. Users and system administrators can remove all USB controllers from their virtual machines, disabling the VM's USB passthrough functionality. Guest operating systems that don't support PS/2 mouse and keyboard drivers (like macOS) would also be left without mouse or keyboard input, however.