Overview

On March 5, 2024, Broadcom released a security advisory, VMSA-2024-0006, addressing vulnerabilities in VMware ESXi, VMware Workstation Pro and Player, and VMware Fusion. The CVSSv3 base scores range from 7.1 to 9.3. Three of the four issues sit in the emulated USB controllers and can be triggered by an attacker who already holds local administrative privileges inside the guest OS of a virtual machine; the fourth is an ESXi sandbox escape that requires privileges within the VMX process. Together they give a path from a compromised guest toward the hypervisor: code execution in the VM's VMX process on the host, and on ESXi a further escape from the VMX sandbox. Below is a quick recap of each CVE:

  • CVE-2024-22252: A use-after-free vulnerability in the XHCI USB controller, with a base score of 9.3 for Workstation/Fusion and 8.4 for ESXi. A local administrator on a virtual machine can execute code as the VM's VMX process on the host. On ESXi the execution is contained within the VMX sandbox; on Workstation and Fusion it means code execution on the machine where Workstation or Fusion is installed.
  • CVE-2024-22253: Another use-after-free vulnerability, this time in the UHCI USB controller, with the same scores as CVE-2024-22252 (9.3 for Workstation/Fusion, 8.4 for ESXi) and the same outcome: a local administrator on a virtual machine can execute code as the VMX process, contained within the sandbox on ESXi but not on Workstation or Fusion.
  • CVE-2024-22254: An out-of-bounds write vulnerability in ESXi, with a base score of 7.9. An attacker who already has privileges within the VMX process can trigger it to escape the sandbox, which is why it matters in combination with the two use-after-free bugs above.
  • CVE-2024-22255: An information disclosure vulnerability in the UHCI USB controller, with a base score of 7.1. An attacker with administrative access to a virtual machine can leak memory from the VMX process.

Impacted Products

  • VMware ESXi
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Cloud Foundation (Cloud Foundation)

What You Should Do

Patching these products is the quickest solution. Where patching has to wait, removing all USB controllers from the affected virtual machines is the documented workaround, but it comes at a cost: USB passthrough and virtual/emulated USB devices become unavailable to the VM, and guest operating systems that do not support a PS/2 keyboard and mouse (macOS among them) are left without keyboard or mouse in the console. Applying the workaround across a large estate also takes planning, since the controller has to be removed VM by VM. For detailed remediation steps and workaround instructions, refer to VMSA-2024-0006 and its complementary Questions & Answers article.
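Assessing the workaround at scale is mostly an inventory problem: which VMs carry a USB controller, and which hosts are still on a pre-fix build. The PowerCLI script below is an added example written for this post; it is not ISG's or VMware's own tooling. It assumes VMware PowerCLI is installed and that the vCenter name passed in `-VCenter` is yours (both assumptions). It lists host versions and builds so they can be compared against the fixed builds in VMSA-2024-0006 (deliberately not hard-coded here), reports every VM that has a UHCI/EHCI (`VirtualUSBController`) or xHCI (`VirtualUSBXHCIController`) controller, and, only when `-Remove` is given, removes the controllers from powered-off VMs via the vSphere API.

```powershell
# Added example (not ISG's or VMware's code). Assumes VMware PowerCLI is
# installed and that -VCenter names your vCenter Server.
param(
    [Parameter(Mandatory)] [string] $VCenter,
    [switch] $Remove    # dry run unless -Remove is supplied
)

Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server $VCenter | Out-Null

# Step 1: host inventory. Compare Version/Build with the fixed builds listed in
# VMSA-2024-0006 for your ESXi line; nothing is hard-coded here on purpose.
Write-Host "ESXi hosts:"
Get-VMHost | Select-Object Name, Version, Build, ConnectionState | Format-Table -AutoSize

# Step 2: find every VM that has a USB controller of either emulated type.
# UHCI/EHCI controllers are VirtualUSBController; xHCI is VirtualUSBXHCIController.
$affected = @{}
foreach ($vm in Get-VM) {
    $controllers = @($vm.ExtensionData.Config.Hardware.Device | Where-Object {
        $_ -is [VMware.Vim.VirtualUSBController] -or
        $_ -is [VMware.Vim.VirtualUSBXHCIController]
    })
    if ($controllers.Count -gt 0) { $affected[$vm.Name] = @{ VM = $vm; Controllers = $controllers } }
}

Write-Host "VMs with USB controllers:"
$affected.GetEnumerator() | ForEach-Object {
    foreach ($c in $_.Value.Controllers) {
        [pscustomobject]@{
            VM         = $_.Key
            PowerState = $_.Value.VM.PowerState
            Controller = $c.GetType().Name
            DeviceKey  = $c.Key
        }
    }
} | Sort-Object VM | Format-Table -AutoSize

# Step 3 (only with -Remove): reconfigure powered-off VMs to drop the controllers.
# Powered-on VMs are skipped and reported so they can be scheduled into a change
# window; removing the controller while the guest runs is not attempted here.
if ($Remove) {
    foreach ($entry in $affected.Values) {
        $vm = $entry.VM
        if ($vm.PowerState -ne 'PoweredOff') {
            Write-Warning "$($vm.Name) is $($vm.PowerState); power off before removing USB controllers"
            continue
        }
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.DeviceChange = @(foreach ($c in $entry.Controllers) {
            $change = New-Object VMware.Vim.VirtualDeviceConfigSpec
            $change.Operation = [VMware.Vim.VirtualDeviceConfigSpecOperation]::remove
            $change.Device = $c
            $change
        })
        $vm.ExtensionData.ReconfigVM($spec)
        Write-Host "Removed $($entry.Controllers.Count) USB controller(s) from $($vm.Name)"
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it without `-Remove` first and review the list: any VM whose guest needs USB for keyboard and mouse (macOS guests, for example) or relies on USB passthrough should be patched rather than stripped of its controller, and the powered-on VMs it reports are the ones that need a maintenance window.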

What ISG is Doing

For impacted client environments managed by ISG, please note the following:

  • ISG Enterprise Cloud customers – There is no action needed on your part as our team has already started patching the impacted products following ITIL best practices.
  • ISG Managed Server/Storage Customers – We will be in touch with you to schedule the best time to apply the necessary patches and/or workaround for your specific situation.

For all other clients, we encourage you to take action on this as soon as possible. According to the VMware Q&A, organizations that practice change management using ITIL definitions should treat this as an "emergency change". Refer to VMSA-2024-0006 for specific remediation and workaround instructions.

If you need assistance, ISG’s Professional Services team is available to help you out in any way possible. Contact Us today or reach out to your ISG representative.

Resources