VMSA-2024-0006

VMware Security Advisory

Critical

Advisory ID:
VMSA-2024-0006.1

CVSSv3 Range:
7.1-9.3

Issue Date:
2024-03-05

Updated On:
2024-03-05

CVE(s):
CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255

Synopsis:
VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities (CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255)

1. Impacted Products

VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Cloud Foundation (Cloud Foundation)

2. Introduction

Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
The individual vulnerabilities documented on this VMSA for ESXi have severity Important but combining these issues will result in Critical severity.

3a. Use-after-free vulnerability in XHCI USB controller (CVE-2024-22252)

Description

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3 for Workstation/Fusion and in the Important severity range with a maximum CVSSv3 base score of 8.4 for ESXi.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

Resolution

To remediate CVE-2024-22252 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds

Workarounds for CVE-2024-22252 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

Additional Documentation

A supplemental FAQ was created for clarification. Please see: https://core.vmware.com/resource/vmsa-2024-0006-questions-answers

Notes

None.

Acknowledgements

VMware would like to thank Jiang YuHao, Ying XingLei & Zhang ZiMing of Team Ant Lab working with the 2023 Tianfu Cup Pwn Contest and Jiaqing Huang (@s0duku) & Hao Zheng (@zhz) from TianGong Team of Legendsec at Qi’anxin Group for independently reporting this issue to us.

3b. Use-after-free vulnerability in UHCI USB controller (CVE-2024-22253)

Description

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the UHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3 for Workstation/Fusion and in the Important severity range with a maximum CVSSv3 base score of 8.4 for ESXi.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

Resolution

To remediate CVE-2024-22253 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds

Workarounds for CVE-2024-22253 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

Additional Documentation

A supplemental FAQ was created for clarification. Please see: https://core.vmware.com/resource/vmsa-2024-0006-questions-answers

Notes

None.

Acknowledgements

VMware would like to thank VictorV and Wei of Team CyberAgent working with the 2023 Tianfu Cup Pwn Contest for reporting this issue to us.

3c. ESXi Out-of-bounds write vulnerability (CVE-2024-22254)

Description

VMware ESXi contains an out-of-bounds write vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.9.

Known Attack Vectors

A malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape of the sandbox.

Resolution

To remediate CVE-2024-22254 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds

None.

Additional Documentation

A supplemental FAQ was created for clarification. Please see: https://core.vmware.com/resource/vmsa-2024-0006-questions-answers

Notes

None.

Acknowledgements

VMware would like to thank Jiang YuHao, Ying XingLei & Zhang ZiMing of Team Ant Lab working with the 2023 Tianfu Cup Pwn Contest for reporting this issue to us.

3d. Information disclosure vulnerability in UHCI USB controller (CVE-2024-22255)

Description

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability in the UHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process.  

Resolution

To remediate CVE-2024-22255 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds

Workarounds for CVE-2024-22255 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

Additional Documentation

A supplemental FAQ was created for clarification. Please see: https://core.vmware.com/resource/vmsa-2024-0006-questions-answers

Notes

None.

Acknowledgements

VMware would like to thank VictorV & Wei of Team CyberAgent working with the 2023 Tianfu Cup Pwn Contest Contest and Jiaqing Huang (@s0duku) & Hao Zheng (@zhz) from TianGong Team of Legendsec at Qi’anxin Group for independently reporting this issue to us.

Response Matrix:

Product
Version
Running On
CVE Identifier
CVSSv3
Severity
Fixed Version [1]
Workarounds
Additional Documentation

ESXi

8.0

Any

CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255

8.4, 8.4, 7.9, 7.1

critical

ESXi80U2sb-23305545

KB96682

FAQ

ESXi

8.0 [2]

Any

CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255

8.4, 8.4, 7.9, 7.1

critical

ESXi80U1d-23299997

KB96682

FAQ

ESXi

7.0

Any

CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255

8.4, 8.4, 7.9, 7.1

critical

ESXi70U3p-23307199

KB96682

FAQ

Workstation

17.x

Any

CVE-2024-22252, CVE-2024-22253, CVE-2024-22255

9.3, 9.3, 7.1

critical

17.5.1

KB96682

None.

Fusion

13.x

MacOS

CVE-2024-22252, CVE-2024-22253, CVE-2024-22255

9.3, 9.3, 7.1

critical

13.5.1

KB96682

None

[1] While Broadcom does not mention end-of-life products in the Security Advisories, due to the critical severity of these vulnerabilities Broadcom has made a patch available to customers with extended support for ESXi 6.7 (6.7U3u), 6.5 (6.5U3v) and VCF 3.x.
[2] Because of the severity of these issues, Broadcom has made additional patches available for ESXi 8.0 U1. If you do not plan to update your environment to ESXi 8.0 Update 2b (build # 23305546), use 8.0 Update 1d to update your ESXi hosts of version 8.0 Update 1c (build # 22088125) and earlier for these security fixes. The supported update path from 8.0 Update 1d is to ESXi 8.0 Update 2b or later. For more information, see the Product Interoperability Matrix.

Impacted Product Suites that Deploy Response Matrix Components:

Product
Version
Running On
CVE Identifier
CVSSv3
Severity
Fixed Version
Workarounds
Additional Documentation

Cloud Foundation (ESXi)

5.x/4.x

Any

CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255

8.4, 8.4, 7.9, 7.1

critical

KB88287

KB96682

FAQ

4. References

VMware ESXi 8.0 ESXi-8.0U2sb-23305545 https://my.vmware.com/group/vmware/patch https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80u2b-release-notes/index.html
VMware ESXi 8.0 ESXi80U1d-23299997 https://my.vmware.com/group/vmware/patch https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80u1d-release-notes/index.html
VMware ESXi 7.0 ESXi70U3p-23307199 https://my.vmware.com/group/vmware/patch https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3p-release-notes/index.html
Workstation Pro 17.5.1 Downloads and Documentation https://customerconnect.vmware.com/downloads/info/slug/desktop_end_user_computing/vmware_workstation_pro/17_0 https://docs.vmware.com/en/VMware-Workstation-Pro/17.5.1/rn/vmware-workstation-1751-pro-release-notes/index.html
Fusion 13.5.1 Downloads and Documentation https://customerconnect.vmware.com/en/downloads/info/slug/desktop_end_user_computing/vmware_fusion/13_0 https://docs.vmware.com/en/VMware-Fusion/13.5.1/rn/vmware-fusion-1351-release-notes/index.html
VMware Cloud Foundation 5.x/4.x Downloads and Documentation: https://kb.vmware.com/s/article/88287
Mitre CVE Dictionary Links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22252  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22253  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22254  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22255
FIRST CVSSv3 Calculator: CVE-2024-22252: ESXi: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Workstation/Fusion: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVE-2024-22253:  ESXi: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Workstation/Fusion: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVE-2024-22254: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N CVE-2024-22255: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

5. Change Log

2024-03-05 VMSA-2024-0006 Initial security advisory.
2024-03-05 VMSA-2024-0006.1 Corrected severity for ESXi and VCF in the response matrix.

6. Contact

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055 
VMware Security Advisories https://www.vmware.com/security/advisories 
VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html 
VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html 
VMware Security & Compliance Blog   https://blogs.vmware.com/security 
Twitter https://twitter.com/VMwareSRC
 
Copyright 2024 Broadcom. All rights reserved.  

CLICK FOR MORE INFORMATION

Leave a Reply

Your email address will not be published. Required fields are marked *