Partially Unpatched VMware Bug Opens Door to Hypervisor Takeover

A security vulnerability in VMware’s Cloud Foundation, ESXi, Fusion and Workstation platforms could pave the way for hypervisor takeover in virtual environments – and a patch is still pending for some users.

The issue affects a wide swath of the virtualization specialist’s portfolio and affects Windows, Linux and Mac users. Details about the platforms:

• Cloud Foundation is VMware’s multicloud management platform, providing software-defined services for compute, storage, network, security, Kubernetes and so on.
• ESXi is a bare-metal hypervisor that installs on a server and partitions it into multiple virtual machines (VMs).
• Fusion is a software hypervisor that allows Intel-based Macs to run VMs with guest operating systems – such as Microsoft Windows, Linux, NetWare, Solaris or macOS.
• Workstation enables users to set up VMs on a single physical machine.

The bug (CVE-2021-22045) is a high-severity heap-overflow vulnerability carrying a CVSS rating of 7.7 out of 10. Heap overflows are memory issues that can result in data corruption or unexpected behavior by any process that accesses the affected memory area – in some cases resulting in remote code execution (RCE).

In this case, the problem specifically exists in the CD-ROM device emulation function of the affected products.

“A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues, to execute code on the hypervisor from a virtual machine,” the vendor noted in its advisory. “Successful exploitation requires a CD image to be attached to the virtual machine.”

Reno Robert, senior vulnerability researcher for Trend Micro’s Zero Day Initiative, told Threatpost that the issue results from “the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer.”

Complex but Dangerous Exploitation

Robert added that even though the bug allows an untrusted guest OS user to execute code on the hypervisor, “an attacker would not have control over the data written, so exploitation this would be difficult.”

Hence the need to be used “in conjunction with other issues.” Reno explained that an example of other issues “could be an information-disclosure vulnerability that provide details on the memory layout. This would making exploitation more feasible.”

If successful though, attackers could compromise the host operating system of the hypervisor. Taking over a hypervisor, which is the highly privileged software that creates and runs VMs and governs how resources are shared among them (such as memory and processing), can give cybercriminals a clear path to accessing any of the data or applications stored in the VMs it controls, and executing code or installing files on those VMs, depending on the security controls that are implemented.

Researcher “Jaanus K\xc3\xa4\xc3\xa4p” with Clarified Security and Trend Micro’s ZDI were credited with discovering the bug.

Patch VMware CVE-2021-22045 Now

Affected product versions are: ESXi 6.5, 6.7 and 7 (version 7 remains unpatched for now); Fusion 12.x; Workstation 16.x; and all versions of VMware Cloud Foundation. Patch information can be found in the vendor’s advisory.

Users should patch as soon as possible, given that VMware is a favorite target for cybercriminals. For instance, just days after a critical CVE-2021-22005 RCE vulnerability in VMware vCenter was disclosed, a full working exploit was public and being used in the wild.

ESXi users are especially at risk: While the solution makes it easy for multiple VMs to share the same hard-drive storage, it also sets systems up to be one-stop shopping spots for attacks, researchers say, since attackers can target the centralized virtual hard drives used to store data from across VMs.

“ESXi servers represent an attractive target for ransomware threat actors because they can attack multiple VMs at once, where each of the VMs could be running business-critical applications or services,” Andrew Brandt, principal researcher at Sophos, recently explained. “Attacks on hypervisors can be both fast and highly disruptive.”

He was discussing a spate of attacks in October that used a Python code that took less than three hours to complete a ransomware attack on ESXi servers, from initial breach to encryption. That incident joined other ransomware efforts targeting the hypervisor: REvil ransomware threat actors last year came up with a Linux variant that targeted VMware ESXi; and in September HelloKitty joined the growing list going after the juicy target. DarkSide also targeted ESXi servers last year.

Workaround for ESXi v.7 Users

Of course, all of that is bad news for ESXi v.7 users, who don’t yet have a patch for this latest bug. VMware did, however, issue a workaround that can be used for now, involving disabling CD-ROM/DVD functionality.

The steps are:

1. Log in to a vCenter Server system using the vSphere Web Client.
2. Right-click the virtual machine and click Edit Settings.
3. Select the CD/DVD drive and uncheck “Connected” and “Connect at power on” and remove any attached ISOs.

To enumerate the VMs that have a CD-ROM/DVD device attached, users can run the following command, according to the vendor:

Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Select Parent

Then the following command will remove and disconnect the attached CD-ROM/DVD device:

Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Set-CDDrive -NoMedia -confirm:$false

Password_ Reset: On-Demand Event: Fortify 2022 with a password-security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. **Register & stream this FREE session today** – sponsored by Specops Software._