VMware Patches Critical ESXi Sandbox Escape Flaws

March 5, 2024 at 02:12PM

VMware issued critical patches for multiple high-severity vulnerabilities in ESXi, Workstation, Fusion, and Cloud Foundation products. The flaws could allow code execution on the host machine and an escape from sandbox mitigations. Two bugs hold a severity score of 9.3, leading VMware to patch even end-of-life products due to the increased risk. Exploits for these vulnerabilities have been confirmed.

VMware has issued urgent patches for critical vulnerabilities in its enterprise-facing ESXi, Workstation, Fusion, and Cloud Foundation products. The vulnerabilities include use-after-free memory corruption issues in the XHCI USB controller that can be exploited to escape sandbox mitigations. An out-of-bounds write vulnerability and an information disclosure vulnerability have also been identified.

Of the four vulnerabilities, two carry a CVSS severity score of 9.3 out of 10, posing a significant risk to organizations. The exploitation of these vulnerabilities can allow a malicious actor with local admin privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host.

As a result of the increased risk, VMware is releasing fixes for some end-of-life products as well. It is essential for organizations using these VMware products to apply the urgent patches to mitigate the security risks posed by these critical vulnerabilities.
