VMware has issued an urgent security advisory addressing multiple critical vulnerabilities that could allow attackers to break out of virtual machine (VM) environments and access the underlying host operating system. These vulnerabilities, rated with severity scores ranging from 7.1 to 9.3, affect several VMware products, including the ESXi hypervisor, Workstation virtualization software, Fusion for macOS, and Cloud Foundation.
The flaws, tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255, reside in the USB controller components responsible for managing peripheral devices within virtual machines. Successful exploitation could lead to a complete compromise of the host system, undermining the fundamental isolation and security guarantees provided by virtualization technologies.
Two of the most severe vulnerabilities, CVE-2024-22252 and CVE-2024-22253, are use-after-free bugs within the XHCI and UHCI USB controllers, respectively. These flaws could allow an attacker with local administrative privileges on a guest VM to execute malicious code within the VMX process running on the host. On Workstation and Fusion, this could further escalate to complete code execution on the host machine itself.
Additionally, CVE-2024-22254 is an out-of-bounds write vulnerability in ESXi that could enable an attacker with VMX process privileges to write data outside the intended memory boundaries, potentially leading to a sandbox escape and host system compromise.
The final vulnerability, CVE-2024-22255, is an information disclosure flaw in the UHCI USB controller that could allow a malicious actor with administrative access to a VM to leak sensitive memory data from the VMX process.
While there are currently no reports of active exploitation attempts, VMware and its parent company Broadcom have urged customers to promptly apply the available security updates to mitigate the risk of potential attacks leveraging these critical vulnerabilities. The patches cover various versions of ESXi, Workstation, Fusion, and Cloud Foundation products, with updates even being released for older, out-of-support versions due to the severity of the issues.
- ESXi 6.5: fixed in 6.5U3v
- ESXi 6.7: fixed in 6.7U3u
- ESXi 7.0: fixed in ESXi70U3p-23307199
- ESXi 8.0: fixed in ESXi80U2sb-23305545 and ESXi80U1d-23299997
- VMware Cloud Foundation (VCF) 3.x
- Workstation 17.x: fixed in 17.5.1
- Fusion 13.x (macOS): fixed in 13.5.1
As a temporary workaround, users can remove USB controllers from vulnerable virtual machines, but this may impact functionalities such as virtual console access, keyboard, mouse, and USB device support. VMware has emphasized that this workaround should be considered a short-term measure and recommends deploying the official patches as soon as possible.
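To verify the workaround has actually been applied, an added example (not VMware's code or part of the advisory) that parses .vmx configuration text and reports which VMs still have the UHCI or xHCI controllers enabled; it assumes the standard VMware .vmx keys `usb.present` and `usb_xhci.present`, and the sample file contents are constructed.

```python
import re
from typing import Dict, List

# VMX keys that enable the two virtual USB controllers named in the advisory.
# Assumption: standard VMware .vmx key names (not taken from the advisory text).
USB_CONTROLLER_KEYS = {
    "usb.present": "UHCI",        # CVE-2024-22253, CVE-2024-22255
    "usb_xhci.present": "xHCI",   # CVE-2024-22252
}

# A .vmx line is `key = "value"`; keys may contain dots, digits, underscores and colons.
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"([^"]*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse .vmx text into a {key: value} dict, skipping blank lines and # comments."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = VMX_LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def enabled_usb_controllers(settings: Dict[str, str]) -> List[str]:
    """Return the names of USB controllers whose .present key is TRUE."""
    return [name for key, name in USB_CONTROLLER_KEYS.items()
            if settings.get(key, "").strip().upper() == "TRUE"]


def audit(vmx_files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each VM (by file name) to its still-enabled USB controllers; [] means the workaround is in place."""
    return {name: enabled_usb_controllers(parse_vmx(text)) for name, text in vmx_files.items()}


# Constructed sample .vmx contents: one VM with both controllers, one with the workaround applied.
SAMPLE_VMX_FILES = {
    "web-01.vmx": '.encoding = "UTF-8"\nvirtualHW.version = "19"\n'
                  'usb.present = "TRUE"\nusb_xhci.present = "TRUE"\n',
    "db-01.vmx": '.encoding = "UTF-8"\nvirtualHW.version = "19"\n'
                 '# USB controllers removed per the VMware workaround\nusb.present = "FALSE"\n',
}

if __name__ == "__main__":
    for vm, controllers in audit(SAMPLE_VMX_FILES).items():
        status = ", ".join(controllers) if controllers else "none (workaround applied)"
        print(f"{vm}: USB controllers enabled: {status}")
```

Any VM that still reports UHCI or xHCI remains exposed until patched or until the controller is removed from its configuration.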
To help answer questions, VMware also published a Q&A.
Organizations and individuals running affected VMware products are advised to prioritize the installation of these critical updates across their infrastructure to safeguard against potential exploitation attempts and maintain the integrity of their virtualized environments.