Nynox advisory - Threat alert -

VMWare EXSi, Fusion, Workstation

– Date: 5 March 2024 –

Threat Alert – VMWare EXSi, Fusion, Workstation Multiple Vulnerabilities – VMWare customers should take immediate actions to patch their products. Read more below for details on the recent critical vulnerabilities.

On the 5th of March VMWare put out communication regarding four products who are vulnerable towards four critical vulnerabilities (CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255)

What’s going on?

⚠️ Multiple critical risk vulnerabilities have been published by VMWare for ESXi, Fusion and Workstation. Even including out-of-support versions.

⚠️ CVE-2024-22252 and CVE-2024-22253 are use-after-free vulnerabilities in XHCI and UHCI USB controllers, allowing local administrative actors to execute code on the host machine, with higher risk on Workstation/Fusion (score 9.3) than on ESXi (score 8.4).

⚠️ CVE-2024-22254 is an out-of-bounds write vulnerability (score 7.9) enabling privileged actors to escape the VMX process sandbox, and CVE-2024-22255 is an information disclosure vulnerability in the UHCI USB controller (score 7.1) that could be exploited to leak memory from the VMX process.

⚠️ The affected versions are:

  • ESXi 7.0, 8.0, 8.0 [2]
  • Workstation 17.x
  • Fusion 13.x
  • Cloud Foundation (ESXi) 4.x/5.x

❗Let’s attackers have free reign on the machine which hosts the VMWare products.

❗Could potentially expose sensitive information.

❗These vulnerabilities are not yet observed in the wild but this can change at any moment.

How does Nynox protect its customers?
🛡️ Personalized assistance to mitigate the risk

🛡️ 24×7 Incident Response (CSIRT)
🛡️ 24×7 monitoring of customer environments

✅ Patch to the latest version of each product

VMware ESXi 8.0 ESXi-8.0U2sb-23305545
– https://my.vmware.com/group/vmware/patch
– https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80u2b-release-notes/index.html

VMware ESXi 8.0 ESXi80U1d-23299997
– https://my.vmware.com/group/vmware/patch
– https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80u1d-release-notes/index.html

VMware ESXi 7.0 ESXi70U3p-23307199
– https://my.vmware.com/group/vmware/patch
– https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3p-release-notes/index.html

Workstation Pro 17.5.1
– https://customerconnect.vmware.com/downloads/info/slug/desktop_end_user_computing/vmware_workstation_pro/17_0
– https://docs.vmware.com/en/VMware-Workstation-Pro/17.5.1/rn/vmware-workstation-1751-pro-release-notes/index.html

Fusion 13.5.1
– https://customerconnect.vmware.com/en/downloads/info/slug/desktop_end_user_computing/vmware_fusion/13_0
– https://docs.vmware.com/en/VMware-Fusion/13.5.1/rn/vmware-fusion-1351-release-notes/index.html

VMware Cloud Foundation 5.x/4.x
– https://kb.vmware.com/s/article/88287

But what if oyu can’t? 

Remove all USB controllers from the Virtual Machine, disabling USB passthrough functionality, and rendering virtual USB devices inaccessible.

Default keyboard and mouse input devices remain unaffected because they operate independently of the USB protocol.

In need of assistent? We're here for you!
Our Latest insights