VMware has patched a set of critical vulnerabilities uncovered by Chinese security researchers four months ago and showcased at the Tianfu Cup hacking competition in China. VMware has urged customers of its ESXi, Workstation, Fusion, and Cloud Foundation products to update or mitigate "immediately".
"The ramifications of this vulnerability are serious, especially if attackers have access to workloads inside your environments," the company added, saying the update could be considered an emergency change under ITIL definitions of change types. Those who may struggle to patch promptly can consider workarounds that involve removing the USB controllers from virtual machines, but this "may not be feasible at scale."
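To judge whether the USB-controller workaround is feasible in a given estate, the first step is knowing how many VMs actually carry one. The following PowerCLI inventory is an added example, not VMware's own code or part of the advisory; it assumes PowerCLI is installed and a session to vCenter or a host is already open with Connect-VIServer, and it only reports, it removes nothing.

```powershell
# Added example: list VMs that still have a USB controller (USB 2.0 or xHCI),
# so the scale of the VMSA-2022-0004 workaround can be assessed before patching.
# Assumes an existing PowerCLI session (Connect-VIServer has already been run).
$usbControllerTypes = @('VirtualUSBController', 'VirtualUSBXHCIController')

$report = foreach ($vm in Get-VM) {
    # Pull only the properties needed, which is much faster than a full Get-View
    $view = $vm | Get-View -Property Name, Config.Hardware.Device, Runtime.PowerState

    $controllers = $view.Config.Hardware.Device |
        Where-Object { $usbControllerTypes -contains $_.GetType().Name }

    if ($controllers) {
        [pscustomobject]@{
            VM          = $view.Name
            PowerState  = $view.Runtime.PowerState
            Controllers = ($controllers | ForEach-Object { $_.GetType().Name }) -join ','
        }
    }
}

# VMs listed here are candidates for the workaround; everything else needs no change
$report | Sort-Object VM | Format-Table -AutoSize
```

Export the result with Export-Csv if the list needs to feed a change request, and re-run it after the ESXi patches are applied to confirm the remaining controllers are no longer an exposure.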
The advisory – VMSA-2022-0004 – covers CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, and CVE-2021-22050. Although the majority of the bugs are rated CVSS 8.2-8.4, VMware describes them as critical owing to their overall effect once chained. Only on-prem or co-located VMware instances are affected; VMware products running on cloud services either are not affected or have already been remediated by the cloud providers.
The flaws require local access to exploit. The company said it has not seen evidence of active exploitation.
Most of the individual VMware vulnerabilities are rated as important but can be chained to gain sweeping powers, with the main risk described as being “a malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host”.
The patches come as security researchers say they are seeing a rapid increase in the exploitation of software vulnerabilities as an initial access route, rather than, for example, malware-laden phishing. Kroll today warned that it had seen 356% growth in the number of attacks where the infection vector was a CVE or zero-day vulnerability in the past quarter.
VMware also noted the flaws came to light thanks to participants in the Tianfu Cup hacking competition in China. Held in October 2021, the competition saw the VMware exploits form part of winning team Kunlun Lab's haul, which also included attacks against Chrome, Adobe Reader, iPhone 13 Pro, Safari on macOS, and Windows 10. Under Chinese law, all security flaws uncovered must be reported to the Chinese government.
Earlier this month the UK’s NCSC flagged exploitation of unpatched software vulnerabilities as one of the top three ransomware infection vectors, in a joint advisory with the US’s CISA and Australia’s JCSC.
Yesterday also saw another VMware vulnerability revealed, in advisory VMSA-2022-0005 covering CVE-2022-22945. This details an important CLI shell injection vulnerability affecting NSX Data Center for vSphere (NSX-V). Under this CVSS 8.8 vulnerability, an attacker with SSH access to the appliance can gain root. A patch for this is also available.