VMware Issues Security Patches for ESXi, Workstation, and Fusion Flaws

Bar Refael

March 7, 2024

VMware has released security patches to address four vulnerabilities in ESXi, Workstation, and Fusion. Two critical use-after-free vulnerabilities, CVE-2024-22252 and CVE-2024-22253, could lead to code execution. Additionally, an out-of-bounds write vulnerability (CVE-2024-22254) and an information disclosure vulnerability (CVE-2024-22255) have been patched.

Vulnerability Details:

  • CVE-2024-22252 and CVE-2024-22253:
    • Type: Use-after-free vulnerabilities in the XHCI USB controller.
    • Impact: Could lead to code execution as the virtual machine’s VMX process.
    • CVSS Score: 9.3 for Workstation and Fusion, 8.4 for ESXi.
    • Affected Products: ESXi, Workstation, Fusion.
  • CVE-2024-22254:
    • Type: Out-of-bounds write vulnerability in ESXi.
    • Impact: Could allow a malicious actor to trigger a sandbox escape.
    • CVSS Score: 7.9.
  • CVE-2024-22255:
    • Type: Information disclosure vulnerability in the UHCI USB controller.
    • Impact: Could allow an attacker to leak memory from the vmx process.
    • CVSS Score: 7.1.

Mitigation:

VMware has addressed these issues in the following versions:

  • ESXi 6.5 – 6.5U3v
  • ESXi 6.7 – 6.7U3u
  • ESXi 7.0 – ESXi70U3p-23307199
  • ESXi 8.0 – ESXi80U2sb-23305545 and ESXi80U1d-23299997
  • VMware Cloud Foundation (VCF) 3.x
  • Workstation 17.x – 17.5.1
  • Fusion 13.x (macOS) – 13.5.1

Users are advised to update to the latest versions to mitigate these vulnerabilities.

Conclusion:

The patching of these vulnerabilities underscores the importance of regular software updates and the need for vigilance in securing virtualized environments. Organizations using affected VMware products should prioritize applying the security patches to protect their systems from potential exploitation.

Stay Secure. Stay Informed.

OP Innovate Research Team.

Under Cyber Attack?

Fill out the form and we will contact you immediately.

Get OP Innovate CTI Alerts

Leave your email and get critical updates and alerts straight to your inbox