Critical VMware Bugs Open ESXi, Fusion & Workstation to Attackers

2022-02-16 15:59:14
Tara Seals
threatpost.com

CVSS3: 10 High

  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 9.3 High

  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

VMware has issued a critical security update to address issues in its ESXi, Fusion and Workstation products, including VMware Cloud Foundation versions. Exploitation could give attackers access to workloads inside organizations’ virtual environments.

The bugs have a range of 5.3 to 8.4 out of 10 on the CVSS vulnerability-severity scale, making them individually “important” or “moderate” issues. However, the virtualization giant noted that they can be chained together for worse outcomes: “Combining these issues may result in higher severity, hence the severity of this [advisory] is at severity level critical.”

VMware noted that patching VMware ESXi, Fusion and Workstation is the fastest method to resolve the issues, but organizations could also remove USB controllers from their VMs as a workaround. However, “that may be infeasible at scale…and does not eliminate the potential threat like patching does,” according to the advisory, issued Tuesday.

The issues are as follows:

  • CVE-2021-22040: Use-after-free vulnerability in XHCI USB controller (CVSS 8.4)
  • CVE-2021-22041: Double-fetch vulnerability in UHCI USB controller (CVSS 8.4)
  • CVE-2021-22042: ESXi ‘settingsd’ unauthorized access vulnerability (CVSS 8.2)
  • CVE-2021-22043: ESXi ‘settingsd’ TOCTOU vulnerability (CVSS 8.2)
  • CVE-2021-22050: ESXi slow HTTP POST denial of service vulnerability (CVSS 5.3)

USB Controller Bugs

The first two important-rated issues (CVE-2021-22040, CVE-2021-22041) are found in the USB controllers for VMware ESXi, Fusion and Workstation. If exploited, a malicious actor with local administrative privileges on a virtual machine (VM) would be able to execute code as the VM’s Virtual Machine Extension (VMX) process running on the host.

The VMX process runs in the VMkernel and is responsible for handling input/output (I/O) to devices that are not critical to performance, according to VMware’s documentation.
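The workaround mentioned above, removing USB controllers from VMs, starts with knowing which VMs have one attached. The following is an added example, not code from VMware or Threatpost: it scans the text of .vmx configuration files for the controller keys. The sample configs are constructed, and the mapping of `usb.present`, `ehci.present` and `usb_xhci.present` to UHCI, EHCI and XHCI controllers is an assumption about the .vmx format, not something stated in the article.

```python
import re

# Assumed .vmx keys that attach a virtual USB controller to a VM.
USB_KEYS = {
    "usb.present": "UHCI",
    "ehci.present": "EHCI",
    "usb_xhci.present": "XHCI",
}

# Matches lines of the form: key = "value" (flexible whitespace).
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {lowercased key: value}; in this parser the last occurrence wins."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):   # treated as a comment here
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def usb_controllers(text):
    """List the USB controller types enabled in one .vmx file's text."""
    settings = parse_vmx(text)
    return [label for key, label in USB_KEYS.items()
            if settings.get(key, "").strip().lower() == "true"]

def audit(vmx_by_name):
    """Map VM name -> enabled controllers, only for VMs that have any."""
    report = {}
    for name, text in vmx_by_name.items():
        found = usb_controllers(text)
        if found:
            report[name] = found
    return report

# Constructed sample configs (hypothetical VM names, not from a real host).
SAMPLES = {
    "build-agent": 'displayName = "build-agent"\nusb.present = "TRUE"\n'
                   'usb_xhci.present = "TRUE"\n',
    "db01": 'displayName = "db01"\nusb.present = "FALSE"\n',
    "kiosk": '# usb_xhci.present = "TRUE"\nEHCI.present = "true"\n',
}

if __name__ == "__main__":
    for vm, controllers in audit(SAMPLES).items():
        print(f"{vm}: {', '.join(controllers)}")
```

VMs that appear in the report are the ones where the workaround would apply until the host is patched; the article notes that patching remains the complete fix.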

‘settingsd’ Security Flaws

The next two issues, also rated important (CVE-2021-22042, CVE-2021-22043), affect the ‘settingsd’ command, which is responsible for settings and host logs, among other things.

The first involves the VMX having unauthorized access to settingsd authorization tickets. That means that a malicious actor with privileges within the VMX process could access the settingsd service running as a high-privileged user.

The second, a time-of-check time-of-use vulnerability, can be chained with the first. It exists in the way temporary files are handled, and it would allow an attacker with access to settingsd to escalate privileges by writing arbitrary files, according to VMware.
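The time-of-check time-of-use pattern in temporary-file handling, shown as an added example that is not VMware's code. The page gives no detail of how settingsd handles its temporary files, so the file names, the scratch directories and the pre-placed symbolic link are assumptions chosen to show the bug class beside its fix, a single atomic `O_CREAT | O_EXCL` open.

```python
import os
import tempfile

def write_checked_then_opened(path, data):
    """Weak pattern: the check and the open are two separate steps."""
    if os.path.exists(path):              # time of check (follows symlinks)
        raise FileExistsError(path)
    with open(path, "w") as f:            # time of use (also follows symlinks)
        f.write(data)

def write_atomically(path, data):
    """Hardened pattern: one open() that creates the file or fails."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    fd = os.open(path, flags, 0o600)      # O_EXCL refuses any existing name,
    with os.fdopen(fd, "w") as f:         # including a symbolic link
        f.write(data)

def demo():
    """Run both writers in a constructed scratch directory.

    Returns one (refused, wrote_outside_temp_dir) pair per writer.
    """
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "tmp")      # stands in for a shared temp dir
        protected = os.path.join(root, "etc")   # stands in for a privileged path
        os.mkdir(shared)
        os.mkdir(protected)
        results = []
        for n, writer in enumerate((write_checked_then_opened, write_atomically)):
            name = os.path.join(shared, f"job{n}.tmp")
            target = os.path.join(protected, f"config{n}")
            os.symlink(target, name)      # name is taken, target does not exist
            try:
                writer(name, "data")
                refused = False
            except FileExistsError:
                refused = True
            results.append((refused, os.path.exists(target)))
        return results

if __name__ == "__main__":
    print(demo())
```

The weak writer passes its own check because `os.path.exists` reports a dangling link as absent, then creates the file wherever the link points; the hardened writer fails closed and nothing is written outside the temporary directory.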

Moderate Flaw in ESXi

The final bug (CVE-2021-22050) is the lone “moderate” vulnerability in the group. It only affects the ESXi platform and could allow adversaries to create a denial-of-service (DoS) condition on the hosts by overwhelming the “rhttpproxy” service with multiple requests.

A successful exploit requires that the malicious actors already have network access to ESXi, according to the vendor.

This is the second major patch release this year affecting this particular trio of products. Full details of which patches should be applied to remediate the dangers are available in VMware’s advisory.

The company said that so far, no in-the-wild attacks have been seen targeting the bugs, though that is likely to quickly change if past is prelude, so admins should patch quickly.
