Securing Your VMware Environment: A Deep Dive into VMSA-2024-0006

VMware has recently shed light on a slew of vulnerabilities hitting close to home for its mainline products: VMware ESXi, Workstation, Fusion, and Cloud Foundation. In this blog post, we’re diving deep into VMware Security Advisory VMSA-2024-0006, breaking down the vulnerabilities, understanding what they mean for you, and laying out exactly what you need to do to fix them.

Impacted Products

The advisory highlights vulnerabilities in several key VMware products:

  • VMware ESXi
  • VMware Workstation Pro / Player
  • VMware Fusion Pro / Fusion
  • VMware Cloud Foundation

These products are integral to many IT environments, underlining the importance of addressing the advisory with urgency.

Vulnerability Overview

The disclosed vulnerabilities were privately reported to VMware and comprise use-after-free issues in the XHCI and UHCI USB controllers, an out-of-bounds write vulnerability in VMware ESXi, and an information disclosure vulnerability in the UHCI USB controller. They pose a significant risk because a malicious actor with local administrative privileges on a virtual machine could use them to execute code on the host system.

Critical Vulnerabilities:

  • CVE-2024-22252 & CVE-2024-22253: Both vulnerabilities are rated critical, with a CVSSv3 base score of 9.3 for Workstation and Fusion and 8.4 for ESXi. These use-after-free vulnerabilities in the XHCI and UHCI USB controllers could allow unauthorized code execution.
  • CVE-2024-22254: This out-of-bounds write vulnerability in ESXi is rated important, with a CVSSv3 base score of 7.9. It could enable a sandbox escape and unauthorized code execution within the VMX process.
  • CVE-2024-22255: Rated important with a CVSSv3 base score of 7.1, this information disclosure vulnerability in the UHCI USB controller could leak memory from the VMX process.

Mitigation and Remediation

VMware has promptly released patches for the affected products, and administrators are strongly advised to apply them without delay. The response matrix provided by VMware gives the fixed versions and available workarounds for each product. For environments where immediate patching is not feasible, VMware has also listed workarounds that reduce the risk temporarily until the patch can be applied.

Response Matrix:

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version [1] | Workarounds | Additional Documentation
ESXi | 8.0 | Any | CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255 | 8.4, 8.4, 7.9, 7.1 | Critical | ESXi80U2sb-23305545 | KB96682 | FAQ
ESXi | 8.0 [2] | Any | CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255 | 8.4, 8.4, 7.9, 7.1 | Critical | ESXi80U1d-23299997 | KB96682 | FAQ
ESXi | 7.0 | Any | CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255 | 8.4, 8.4, 7.9, 7.1 | Critical | ESXi70U3p-23307199 | KB96682 | FAQ
Workstation | 17.x | Any | CVE-2024-22252, CVE-2024-22253, CVE-2024-22255 | 9.3, 9.3, 7.1 | Critical | 17.5.1 | KB96682 | None
Fusion | 13.x | MacOS | CVE-2024-22252, CVE-2024-22253, CVE-2024-22255 | 9.3, 9.3, 7.1 | Critical | 13.5.1 | KB96682 | None

[1] While Broadcom does not mention end-of-life products in the Security Advisories, due to the critical severity of these vulnerabilities Broadcom has made a patch available to customers with extended support for ESXi 6.7 (6.7U3u), 6.5 (6.5U3v) and VCF 3.x.

[2] Because of the severity of these issues, Broadcom has made additional patches available for ESXi 8.0 U1. If you do not plan to update your environment to ESXi 8.0 Update 2b (build # 23305546), use 8.0 Update 1d to update your ESXi hosts of version 8.0 Update 1c (build # 22088125) and earlier for these security fixes. The supported update path from 8.0 Update 1d is to ESXi 8.0 Update 2b or later. For more information, see the Product Interoperability Matrix.

Impacted Product Suites that Deploy Response Matrix Components:

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
Cloud Foundation (ESXi) | 5.x/4.x | Any | CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255 | 8.4, 8.4, 7.9, 7.1 | Critical | KB88287 | KB96682 | FAQ
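To turn the response matrix above into something you can run against a fleet, here is an added Python example (not from VMware or this advisory) that parses constructed `esxcli system version get` output, classifies each ESXi host as patched or vulnerable using the fixed builds from the matrix, and lists VMs on still-vulnerable hosts that have an emulated USB controller attached, since those are the devices the flaws live in. The host names, the VM inventory and its `devices` field are all constructed sample data, and the assumption that ESXi build numbers increase monotonically is noted in the code.

```python
import re

# Fixed ESXi builds from the VMSA-2024-0006 response matrix, keyed by the
# major.minor version the host reports. 8.0 has two fixed branches: U1d for
# hosts staying on Update 1 and U2b (ESXi80U2sb) for the Update 2 line.
FIXED_BUILDS = {
    "7.0": {"ESXi70U3p": 23307199},
    "8.0": {"ESXi80U1d": 23299997, "ESXi80U2sb": 23305545},
}

def parse_version_get(text: str) -> tuple[str, int]:
    """Extract (major.minor, build) from `esxcli system version get` output."""
    ver = re.search(r"^\s*Version:\s*(\d+\.\d+)", text, re.M)
    build = re.search(r"^\s*Build:\s*Releasebuild-(\d+)", text, re.M)
    if not ver or not build:
        raise ValueError("unrecognised esxcli output")
    return ver.group(1), int(build.group(1))

def assess_host(version: str, build: int) -> dict:
    """Classify one host against the matrix.

    Assumption: build numbers increase monotonically over time, so a build at
    or above the lowest fixed build for its version carries the fix on either
    branch (U1d and U2b were released together). Versions the matrix does not
    list (e.g. 6.7/6.5 extended support) are reported, not judged.
    """
    fixed = FIXED_BUILDS.get(version)
    if fixed is None:
        return {"status": "not-in-matrix", "targets": []}
    patched = build >= min(fixed.values())
    return {"status": "patched" if patched else "vulnerable",
            "targets": [] if patched else sorted(fixed)}

def vms_needing_workaround(hosts: dict, vms: list[dict]) -> list[str]:
    """VMs on vulnerable hosts with an xHCI/UHCI/USB controller attached."""
    return [vm["name"] for vm in vms
            if hosts[vm["host"]]["status"] == "vulnerable"
            and any(d.lower().startswith(("usb", "xhci", "uhci"))
                    for d in vm["devices"])]

# Constructed sample output in the format of `esxcli system version get`.
SAMPLE_HOSTS = {
    "esx01": "   Product: VMware ESXi\n   Version: 8.0.1\n   Build: Releasebuild-22088125\n",
    "esx02": "   Product: VMware ESXi\n   Version: 8.0.2\n   Build: Releasebuild-23305546\n",
    "esx03": "   Product: VMware ESXi\n   Version: 7.0.3\n   Build: Releasebuild-20000000\n",
    "esx04": "   Product: VMware ESXi\n   Version: 6.7.0\n   Build: Releasebuild-19000000\n",
}
SAMPLE_VMS = [  # constructed inventory, not a vSphere API shape
    {"name": "vm-build", "host": "esx01", "devices": ["vmxnet3", "xhci"]},
    {"name": "vm-db", "host": "esx01", "devices": ["vmxnet3", "pvscsi"]},
    {"name": "vm-web", "host": "esx02", "devices": ["xhci"]},
    {"name": "vm-ci", "host": "esx03", "devices": ["uhci"]},
]

def run(host_outputs=SAMPLE_HOSTS, vms=SAMPLE_VMS) -> dict:
    hosts = {n: assess_host(*parse_version_get(t)) for n, t in host_outputs.items()}
    return {"hosts": hosts, "workaround_vms": vms_needing_workaround(hosts, vms)}
```

Feed `run()` real `esxcli` output and a VM device inventory from your own tooling; hosts reported as vulnerable are the ones to patch first, and the listed VMs are where the KB96682 workaround applies in the meantime.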
