VMware patches against sandbox escape

VMware has issued a patch for two critical vulnerabilities in its Fusion and Workstation software.

The company’s advisory said the vulnerabilities also affect its ESXi systems to a lesser degree, rated there as high severity.

The first vulnerability, CVE-2024-22252, is a use-after-free memory bug in the extensible host controller (XHCI) USB controller.

A malicious attacker with local admin privileges on a VM can execute code as the VMX process on the host. On the Workstation and Fusion products, it can lead to code execution, but on ESXi it’s contained within the VMX sandbox.

CVE-2024-22253 is also a use-after-free, this time in the universal host controller interface (UHCI) USB controller, providing the same attack paths as CVE-2024-22252.

These two bugs were discovered by attack teams taking part in the 2023 Tianfu Cup cyber security contest.

A third vulnerability, CVE-2024-22254, is an out-of-bounds write affecting only ESXi and rated of moderate severity.

Finally, CVE-2024-22255 (also moderate severity) is an information disclosure vulnerability in the UHCI USB controller in ESXi, Fusion, and Workstation.

“A malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape of the sandbox”, the advisory stated.

In an FAQ, VMware explained that while patching is the quickest way to resolve the issues, users could also mitigate issues by removing USB controllers from virtual machines.

VMware also said the bug affects out-of-support vSphere 6.x software.