VMware patches released for vulnerabilities found during China's Tianfu Cup

VMware released patches for ESXi, Workstation, Fusion, and Cloud Foundation after participants in the Chinese security event discovered the issues.
Written by Jonathan Greig, Contributor

VMware released patches for several vulnerabilities affecting VMware ESXi, Workstation, Fusion, and Cloud Foundation on Tuesday after security researchers participating in China's Tianfu Cup discovered the issues.

The company published a security advisory, VMSA-2022-0004, and told ZDNet that it encourages customers to deploy its products "in a security hardened configuration" while also applying all updates, security patches, and mitigations. The advisory covers CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, and CVE-2021-22050.

"VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.4. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host," the company explained. It added that VMware ESXi, Workstation, and Fusion also contain a double-fetch vulnerability in the UHCI USB controller.

"These issues were discovered as part of the Tianfu Cup, a Chinese security event that VMware participates in. These vulnerabilities were reported to the Chinese government by the researchers that discovered them, in accordance with their laws," VMware said in another FAQ on the issues. 

VMware also said ESXi contains an unauthorized access vulnerability because VMX has access to setting authorization tickets. It gave the issue a maximum CVSSv3 base score of 8.2, noting that a malicious actor with privileges only within the VMX process may be able to access the settings service, which runs as a high-privileged user.

VMware ESXi also has a TOCTOU (time-of-check to time-of-use) vulnerability in the way temporary files are handled. That issue also has a maximum CVSSv3 base score of 8.2 because it allows a malicious actor with access to settings to escalate privileges by writing arbitrary files.

"ESXi contains a slow HTTP POST denial-of-service vulnerability in rhttpproxy. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. A malicious actor with network access to ESXi may exploit this issue to create a denial-of-service condition by overwhelming rhttpproxy service with multiple requests," VMware added. 

In the security advisory, VMware thanked Wei and VictorV of Kunlun Lab -- working with the 2021 Tianfu Cup Pwn Contest -- for reporting the issues. George Noseevich and Sergey Gerasimov of SolidLab were also thanked for their help with the issues. 

While VMware urged users to apply all patches, it also included workarounds in its advisories, telling customers that removing the USB controllers from virtual machines may also help address the USB controller issues. But the advisory says that may be infeasible at scale and "does not eliminate the potential threat like patching does."
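Before deciding whether the USB-controller workaround is feasible, an administrator needs to know how many virtual machines actually carry one. The following PowerCLI script is an added example, not code from VMware or from the advisory: it inventories every VM's virtual hardware and reports the USB controllers (UHCI and xHCI) present, so the scope of the workaround, and of the remaining patch work, is visible. It assumes PowerCLI is installed and that the account used has read access to vCenter; the server name and the `usb_controller_inventory.csv` output path are placeholders.

```powershell
# Added example (not VMware's code): list VMs that carry a virtual USB controller.
# Assumes VMware PowerCLI is installed and the caller can read VM configuration.
# The vCenter name and the output file are placeholders; adjust for your environment.

$vcenter = 'vcenter.example.invalid'   # placeholder
Connect-VIServer -Server $vcenter | Out-Null

# vSphere API device types for the two controllers named in VMSA-2022-0004:
#   VirtualUSBController     -> UHCI/EHCI controller ("USB controller")
#   VirtualUSBXHCIController -> xHCI controller ("USB 3.x controller")
$usbTypes = @('VirtualUSBController', 'VirtualUSBXHCIController')

$report = foreach ($vm in Get-VM) {
    # ExtensionData exposes the raw VirtualMachine managed object;
    # Config.Hardware.Device is the list of virtual devices.
    $devices = $vm.ExtensionData.Config.Hardware.Device
    $usb = $devices | Where-Object { $usbTypes -contains $_.GetType().Name }
    if ($usb) {
        foreach ($dev in $usb) {
            [PSCustomObject]@{
                VM          = $vm.Name
                PowerState  = $vm.PowerState
                Controller  = $dev.GetType().Name
                Label       = $dev.DeviceInfo.Label
                # Devices attached to the controller (e.g. passthrough USB devices).
                # The workaround only helps where nothing on the controller is needed.
                AttachedDevices = @($dev.Device).Count
            }
        }
    }
}

# Summary for the change ticket: how many VMs are in scope per controller type.
$report | Group-Object Controller | Select-Object Name, Count | Format-Table -AutoSize

# Full detail for review; removing a controller is a VM-level hardware change
# and should go through the normal change process (the advisory calls it an
# emergency change), so export rather than modify here.
$report | Export-Csv -Path '.\usb_controller_inventory.csv' -NoTypeInformation  # placeholder path

Disconnect-VIServer -Server $vcenter -Confirm:$false
```

The script is deliberately read-only: it tells you which VMs would be affected by the workaround and which of them have devices attached to the controller (where removal would break something), but it leaves the actual removal to a reviewed change. VMs with no USB controller listed are not exposed to the XHCI/UHCI issues through that path, which helps prioritise patching order for hosts where the workaround is impractical.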

"The ramifications of this vulnerability are serious, especially if attackers have access to workloads inside your environments. Organizations that practice change management using the ITIL definitions of change types would consider this an 'emergency change,'" VMware said. 

VMSA-2022-0004 affects a wide range of product versions and the operating systems those products run on, according to nVisium director of infrastructure Shawn Smith and Vectra vice president Aaron Turner.

Turner said the use of VMware technologies within most enterprises is widespread, well beyond what most security teams track as part of their vulnerability management programs.

But Blumira CTO Matthew Warner said the vulnerabilities all require local access and, in some cases, privileged local access. In theory, CVE-2021-22041 could be executed remotely if an attacker exploited the guest, got onto the guest, and mounted a USB to it, Warner noted. 

"Ideally, remote execution of CVE-2021-22050 (DoS) should be impossible because ESXi should not be exposed to the internet. As usual, patch as soon as you can and ensure that your VMware environments are not facing the internet. Treat local VMware virtualization like Workstation and Fusion with care by ensuring you are collecting data from endpoints utilizing this software," he said.

Turner echoed those remarks but said it could be a significant vulnerability exploited in an East-West or lateral movement campaign to gain access to virtualized workloads.
