VMware fixes critical sandbox escape flaws in ESXi, Workstation, and Fusion

March 6, 2024 at 10:49AM

VMware released security updates addressing critical sandbox escape vulnerabilities in ESXi, Workstation, Fusion, and Cloud Foundation. The flaws, tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255, carry a critical severity rating and require local administrative privileges for exploitation. VMware recommends removing USB controllers from virtual machines as a mitigation strategy. Older ESXi versions have also received security fixes. VMware has not observed active exploitation but advises subscribing to proactive alerts through the VMSA mailing list.

Key takeaways:

1. VMware has released security updates to address critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation products.

2. The vulnerabilities (CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255) have CVSS v3 scores ranging from 7.1 to 9.3 and are rated critical.

3. The vulnerabilities include use-after-free bugs, an out-of-bounds write flaw, and an information disclosure problem in USB controllers, which could allow attackers to escape virtual machines and access host operating systems.

4. A practical workaround to mitigate some vulnerabilities is to remove USB controllers from virtual machines, which may impact certain device functionalities.

5. Security fixes have also been made available for older ESXi versions 6.7 (6.7U3u) and 6.5 (6.5U3v), and for VCF 3.x, due to the severity of the vulnerabilities.

6. VMware has not observed any active exploitation of the vulnerabilities, but system admins are advised to subscribe to the VMSA mailing list for proactive alerts.

VMware has also provided a FAQ to accompany the security bulletin, emphasizing the significance of prompt patching and providing guidance on response planning and workaround/fix implementation for specific products and configurations.
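To find virtual machines that still have a USB controller before applying the workaround, the following added example (not from the original article or from VMware) scans `.vmx` configuration text for enabled controllers. The key names `usb.present`, `ehci.present` and `usb_xhci.present` are assumed from the standard `.vmx` format and do not appear in the article; the sample files are constructed.

```python
import re

# .vmx keys that enable a virtual USB controller (assumed from the common
# .vmx format; the article does not list them).
USB_CONTROLLER_KEYS = {
    "usb.present": "UHCI (USB 1.1)",
    "ehci.present": "EHCI (USB 2.0)",
    "usb_xhci.present": "xHCI (USB 3.x)",
}
_LINE = re.compile(r'^\s*([^#=\s][^=]*?)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {lowercased key: value}; later assignments override earlier ones."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)  # comment lines starting with '#' never match
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def enabled_usb_controllers(text):
    """List the USB controller types still enabled in one .vmx file."""
    settings = parse_vmx(text)
    return [label for key, label in USB_CONTROLLER_KEYS.items()
            if settings.get(key, "").strip().lower() == "true"]


def audit(vmx_by_name):
    """Map VM name -> enabled controllers, only for VMs that still have one."""
    results = {name: enabled_usb_controllers(text) for name, text in vmx_by_name.items()}
    return {name: found for name, found in results.items() if found}


# Constructed sample .vmx contents (not taken from real systems).
SAMPLE = {
    "build-agent": 'displayName = "build-agent"\nusb.present = "TRUE"\nehci.present = "TRUE"\n',
    "db01": 'displayName = "db01"\nusb.present = "FALSE"\n# usb_xhci.present = "TRUE"\n',
    "kiosk": 'displayName = "kiosk"\nUSB_XHCI.present = "true"\n',
}

if __name__ == "__main__":
    for vm, controllers in audit(SAMPLE).items():
        print(f"{vm}: {', '.join(controllers)}")
```

In practice, feed `audit` the contents of each VM's `.vmx` file read from disk or from the datastore; VMs it reports are candidates for USB controller removal.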