You’re an IT pro in a VMware shop. A malicious person, for example, gains access to one of your virtual machines via a compromised local admin account for that VM. Can it get worse? Oh yes, VMware has warned – they can escape onto the host.
In an advisory this week VMware has alerted users to a use-after-free() vulnerability in the XHCI USB controller in ESXi, Workstation, Cloud Foundation and Fusion critical status, with important flaws fixed in NSX Data Center as well.
The five key vulnerabilities were discovered during the Tianfu Cup 2021, a Chinese vulnerability competition, by the country’s Kunlun Lab. Bugs that Kunlun discovered were disclosed privately to VMware – though last year China passed a new law ordering security researchers to reveal findings to the country’s Ministry of Public Security at least two days before anyone else.
One of the vulnerabilities exists in ESXi 7’s VMX sandbox, introduced to prevent VM escapes by malicious people from gaining direct access to the hypervisor.
Nonetheless, the vendor said it hadn’t seen any evidence the competition’s findings had been exploited in the wild. Patches have been issued, now it’s up to admins to schedule them.
The vulnerabilities range from a use-after-free() to execute code on the host to an old-fashioned denial of service (DoS). The full list is:
- CVE-2021-22040, Use-after-free vulnerability in XHCI USB controller
- CVE-2021-22041, Double-fetch vulnerability in UHCI USB controller
- CVE-2021-22042, ESXi settingsd unauthorized access vulnerability
- CVE-2021-22043, ESXi settingsd TOCTOU vulnerability
- CVE-2021-22050, ESXi slow HTTP POST denial of service vulnerability (found by Russia’s SolidLab)
“The individual vulnerabilities documented on this VMSA have severity Important/Moderate but combining these issues may result in higher severity, hence the severity of this VMSA is at severity level Critical,” said VMware, using its internal term for a security advisory note.
The XHCI USB vuln can be exploited by a malicious person with administrative privileges in a virtual machine to execute code as the VM’s VMX process running on the host. If readers have a sense of deja-vu about this, that’s because an almost identically-described vuln was reported in 2020 and tracked as CVE-2020-4004.
As for the USB controller vuln, that is less clear-cut. VMware warned in an FAQ about the issue: “In short, patching VMware ESXi, Workstation, and Fusion are the fastest methods to resolve these issues. There is also a workaround: removing the USB controllers from virtual machines, though that may be infeasible at scale.” ®
Source link