VMware Use-After-Free Vulnerabilities (CVE-2024-22252, CVE-2024-22253)
Fleury, Terry
CI Operators:
VMware has announced two critical vulnerabilities in VMware Workstation, Fusion, and ESXi [1]. These vulnerabilities have a CVSSv3 score of 9.3 for Workstation/Fusion and a score of 8.4 for ESXi, and are tracked as CVE-2024-22252 [2] and CVE-2024-22253 [3].
Impact:
Use-after-free vulnerabilities have been discovered in the XHCI USB controller (CVE-2024-22252) and UHCI USB controller (CVE-2024-22253). In both cases, a malicious actor with local administrative privileges on a virtual machine may exploit the issues to execute code as the virtual machine's VMX process running on the host. On ESXi, exploitation is contained within the VMX sandbox. On Workstation and Fusion, exploitation may lead to code execution on the machine where Workstation or Fusion is installed.
Affected Software:
- VMware Workstation v 17.x
- VMware Fusion v13.x
- VMware ESXi v7.0 and v8.0
Recommendation:
Update to the latest version of Workstation, Fusion, or ESXi for your installation [1]. As a temporary remediation, remove all USB controllers from the Virtual Machine [4].
References:
[1] https://www.vmware.com/security/advisories/VMSA-2024-0006.html
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-22252
[3] https://nvd.nist.gov/vuln/detail/CVE-2024-22253
[4] https://kb.vmware.com/s/article/96682
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.