March 6, 2024 at 10:41AM
VMware released security updates to address critical sandbox escape vulnerabilities in ESXi, Workstation, Fusion, and Cloud Foundation products, potentially allowing unauthorized access to host systems and virtual machines on the same host. The advisory details four vulnerabilities, their impact, and provides a workaround for some issues. VMware also made security fixes available for older versions.
Based on the meeting notes, the key takeaways are:
– VMware released security updates to address critical sandbox escape vulnerabilities in several of its products, including ESXi, Workstation, Fusion, and Cloud Foundation.
– These vulnerabilities could potentially allow attackers to escape virtual machines and gain access to the host operating system, compromising their isolation and security.
– The vulnerabilities are identified as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255, with critical severity ratings and CVSS v3 scores ranging from 7.1 to 9.3.
– Specific details of the vulnerabilities include use-after-free bugs in USB controllers, an out-of-bounds write flaw in ESXi, and an information disclosure problem in the UHCI USB controller.
Furthermore, impacted version products and fixed versions have been listed, and specific mitigation steps have been provided, such as removing USB controllers from virtual machines to mitigate certain vulnerabilities.
It’s also important to note that VMware has made the security fixes available for older ESXi versions and has published a FAQ to assist with response planning and workaround/fix implementation.
Finally, the bulletin emphasizes the importance of prompt patching and encourages system admins to subscribe to the VMSA mailing list for proactive alerts regarding any changes in the exploitation status of the vulnerabilities.