1. Summary
Field | Detail |
---|---|
Vulnerability Name | Use-after-free vulnerability in XHCI USB controller (CVE-2024-22252) |
Release Date | 8 March, 2024 |
Component Name | XHCI USB controller |
Affected Versions | VMware ESXi 8.0, ESXi 7.0, Workstation 17.x, Fusion 13.x (macOS), Cloud Foundation (ESXi) 5.x/4.x |
Vulnerability Type | Use-after-free vulnerability |
Severity | CVSS v3 Base Score: 8.4 (High) on ESXi; 9.3 (Critical) on Workstation and Fusion |
This alert covers all four vulnerabilities disclosed in VMSA-2024-0006, with CVSS v3 base scores from 7.1 to 9.3 (High to Critical); section 2.2 lists them individually.
2. About the Vulnerabilities
2.1 Description of Affected Components
- VMware ESXi is an enterprise-grade, bare-metal hypervisor installed directly on physical servers. Each virtual machine's devices are emulated by a per-VM VMX process on the host, which ESXi runs inside a sandbox.
- VMware Workstation is desktop virtualization software that runs multiple operating systems simultaneously on a single physical machine for development, testing, and deployment purposes. Its VMX process runs as an ordinary process on the host operating system.
- VMware Fusion is the equivalent product for macOS, enabling Mac users to run Windows and other operating systems alongside macOS without rebooting.
- The VMware XHCI USB controller is a virtual USB controller that presents USB 3.x devices to VMware virtual machines.
- The VMware UHCI USB controller is a virtual USB controller that presents USB 1.1 devices to VMware virtual machines, primarily for legacy device compatibility.
2.2 Description of Vulnerabilities
On March 8, 2024, Sangfor FarSight Labs received notification of four vulnerabilities in VMware products, ranging from high to critical severity. All four are reachable from inside a guest: the three USB controller issues require local administrative privileges in the virtual machine, and the fourth requires code execution within the VMX process, which the first two provide. The following table provides an overview of these vulnerabilities.
No. | Vulnerability Name | Affected Versions | Severity Level |
---|---|---|---|
1 | Use-after-free vulnerability in XHCI USB controller (CVE-2024-22252) | ESXi 8.0, ESXi 7.0, Workstation 17.x, Fusion 13.x (macOS), and Cloud Foundation (ESXi) 5.x/4.x | ESXi: High (CVSS 8.4); Workstation/Fusion: Critical (CVSS 9.3) |
2 | Use-after-free vulnerability in UHCI USB controller (CVE-2024-22253) | ESXi 8.0, ESXi 7.0, Workstation 17.x, Fusion 13.x (macOS), and Cloud Foundation (ESXi) 5.x/4.x | ESXi: High (CVSS 8.4); Workstation/Fusion: Critical (CVSS 9.3) |
3 | Out-of-bounds write vulnerability in VMware ESXi (CVE-2024-22254) | ESXi 8.0, ESXi 7.0 | High (CVSS 7.9) |
4 | Information disclosure vulnerability in UHCI USB controller (CVE-2024-22255) | ESXi 8.0, ESXi 7.0, Workstation 17.x, Fusion 13.x (macOS), and Cloud Foundation (ESXi) 5.x/4.x | High (CVSS 7.1) |
Use-after-free vulnerability in XHCI USB controller (CVE-2024-22252)
A use-after-free vulnerability was found in the XHCI USB controller, affecting VMware ESXi, Workstation, and Fusion. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox, whereas on Workstation and Fusion, where the VMX process is an ordinary host process, this may lead to code execution on the machine where Workstation or Fusion is installed. Only virtual machines that have an XHCI controller attached expose this code path to the guest.
Use-after-free vulnerability in UHCI USB controller (CVE-2024-22253)
A use-after-free vulnerability was found in the UHCI USB controller, affecting VMware ESXi, Workstation, and Fusion. The attacker requirements and impact are the same as for CVE-2024-22252: a malicious actor with local administrative privileges on a virtual machine may execute code as the VMX process, contained within the VMX sandbox on ESXi and with host code execution on Workstation and Fusion. Only virtual machines that have a UHCI controller attached expose this code path to the guest.
Out-of-bounds write vulnerability in VMware ESXi (CVE-2024-22254)
An out-of-bounds write vulnerability was found in VMware ESXi. A malicious actor who already has code execution within the VMX process may trigger an out-of-bounds write leading to an escape of the VMX sandbox. On its own this issue does not give a guest any new access; its practical significance is that, chained after CVE-2024-22252 or CVE-2024-22253, it turns contained VMX code execution on ESXi into a full sandbox escape on the host.
Information disclosure vulnerability in UHCI USB controller (CVE-2024-22255)
An information disclosure vulnerability was found in the UHCI USB controller, affecting VMware ESXi, Workstation, and Fusion. A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the VMX process. Leaked VMX memory can disclose address-space layout and other host-side data that make the use-after-free issues above easier to exploit reliably.
3. Affected Versions
VMware ESXi 8.0
VMware ESXi 7.0
VMware Workstation 17.x
VMware Fusion 13.x (macOS)
VMware Cloud Foundation (ESXi) 5.x/4.x
4. Solutions
4.1 Remediation Solutions
4.1.1 Official Solution
VMware has released patches for the affected versions to fix these vulnerabilities. Affected users are recommended to obtain the fixed releases listed in the advisory at the following link and apply them to ESXi, Workstation, Fusion, and Cloud Foundation alike: https://www.vmware.com/security/advisories/VMSA-2024-0006.html
Where patching must be deferred, the same advisory documents a workaround: remove the USB controllers from virtual machines. This eliminates the guest-reachable attack surface for CVE-2024-22252, CVE-2024-22253, and CVE-2024-22255, at the cost of USB passthrough for those VMs, but it does not address CVE-2024-22254, which should be patched. Because every issue here requires administrative privileges inside a guest, virtual machines whose administrators are untrusted (multi-tenant, lab, or malware-analysis workloads) should be prioritized.
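The following script is an added example, not Sangfor's or VMware's tooling, for triaging which virtual machines expose the vulnerable controllers to their guests before patching or applying the USB-controller workaround. It parses `.vmx` files and reports, per VM, which of the USB-controller CVEs from this advisory are reachable. It assumes the standard VMware `.vmx` keys `usb.present` (UHCI), `ehci.present` (EHCI) and `usb_xhci.present` (XHCI), and the sample configurations embedded in it are constructed for the demonstration, not real VM files. Patch status is deliberately not inferred from the configuration; confirm the host build against the advisory separately.

```python
"""Inventory .vmx files for the virtual USB controllers targeted by VMSA-2024-0006.

Added example (not Sangfor's or VMware's tooling). Assumes the standard VMware
.vmx keys usb.present (UHCI), ehci.present (EHCI) and usb_xhci.present (XHCI).
"""
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List

# .vmx key -> virtual USB controller it enables (assumed standard VMware keys).
USB_CONTROLLER_KEYS = {
    "usb.present": "UHCI",
    "ehci.present": "EHCI",
    "usb_xhci.present": "XHCI",
}

# Controller each USB CVE in VMSA-2024-0006 lives in, per the advisory table.
# CVE-2024-22254 is an ESXi sandbox-escape primitive, not a USB controller
# issue, so it cannot be inferred from a VM's configuration and is omitted.
CVES_BY_CONTROLLER = {
    "XHCI": ["CVE-2024-22252"],
    "UHCI": ["CVE-2024-22253", "CVE-2024-22255"],
}

# One .vmx line: key = "value" (keys may contain dots, colons, digits).
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines; VMware treats keys case-insensitively, so lower-case them."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _VMX_LINE.match(line)
        if match:
            config[match.group(1).lower()] = match.group(2)
    return config


def enabled_usb_controllers(config: Dict[str, str]) -> List[str]:
    """Controllers whose *.present key is TRUE (value compared case-insensitively)."""
    return [
        name
        for key, name in USB_CONTROLLER_KEYS.items()
        if config.get(key, "").strip().upper() == "TRUE"
    ]


def exposed_cves(config: Dict[str, str]) -> List[str]:
    """Sorted list of advisory CVEs a guest administrator can reach on this VM."""
    cves: List[str] = []
    for controller in enabled_usb_controllers(config):
        cves.extend(CVES_BY_CONTROLLER.get(controller, []))
    return sorted(cves)


def scan_vmx_files(roots: Iterable[Path]) -> Dict[str, List[str]]:
    """Map each .vmx under the given directories to its exposed CVEs (empty list = no USB controller)."""
    report: Dict[str, List[str]] = {}
    for root in roots:
        for vmx in sorted(Path(root).rglob("*.vmx")):
            try:
                config = parse_vmx(vmx.read_text(errors="replace"))
            except OSError as exc:
                print(f"skip {vmx}: {exc}", file=sys.stderr)
                continue
            report[str(vmx)] = exposed_cves(config)
    return report


# Constructed sample configurations for the demonstration (not real VM files).
SAMPLE_USB3_VM = '''
.encoding = "UTF-8"
config.version = "8"
displayName = "build-agent-01"
usb.present = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "TRUE"
usb:1.present = "TRUE"
usb:1.deviceType = "hub"
'''

SAMPLE_NO_USB_VM = '''
.encoding = "UTF-8"
displayName = "db-01"
usb.present = "FALSE"
usb_xhci.present = "false"
'''

if __name__ == "__main__":
    # Default root is the ESXi datastore mount point; pass other directories as arguments.
    roots = [Path(p) for p in sys.argv[1:]] or [Path("/vmfs/volumes")]
    for path, cves in scan_vmx_files(roots).items():
        print(f"{path}: {', '.join(cves) if cves else 'no USB controller enabled'}")
```

Run it on an ESXi host against `/vmfs/volumes`, or on a Workstation or Fusion machine against the directory holding the VM folders. A VM that reports no USB controller is not exposed to the three controller CVEs regardless of patch level; a VM that reports CVE-2024-22252 or CVE-2024-22253 on an unpatched ESXi host is also the starting point for the CVE-2024-22254 chain, so those hosts should be patched first.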
5. Timeline
On March 8, 2024, Sangfor FarSight Labs received notification of multiple vulnerabilities in VMware products.
On March 8, 2024, Sangfor FarSight Labs released a vulnerability alert.
6. References
https://www.vmware.com/security/advisories/VMSA-2024-0006.html
7. About Sangfor FarSight Labs
Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.