On March 5, 2024, Broadcom released a security advisory, VMSA-2024-0006, addressing vulnerabilities found in VMware ESXi, VMware Workstation Pro & Player, and VMware Fusion. These vulnerabilities' CVSS ratings range from 7.1 to 9.3, and they could be exploited by an attacker with privileged access to the guest OS inside a virtual machine to gain access to the hypervisor. Below is a quick recap of each CVE:

  • CVE-2024-22252: A use-after-free vulnerability in the XHCI USB controller, with a CVSS base score of 9.3 for Workstation/Fusion and 8.4 for ESXi. A local administrator on a virtual machine can execute code on the host or on other VMs.
  • CVE-2024-22253: Another use-after-free vulnerability, this time in the UHCI USB controller, with severity ratings similar to CVE-2024-22252. It likewise allows a local administrator on a virtual machine to execute code on the host or on other VMs.
  • CVE-2024-22254: An out-of-bounds write vulnerability with a maximum base score of 7.9. An attacker with privileges within the VMX process can use it to escape the sandbox.
  • CVE-2024-22255: An information disclosure vulnerability in the UHCI USB controller with a base score of 7.1, which allows an attacker with administrative access to a virtual machine to leak memory.

Impacted Products

  • VMware ESXi
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Cloud Foundation (Cloud Foundation)

What You Should Do

Patching these products is the quickest solution. In some cases, removing USB controllers from virtual machines may serve as a workaround, though doing so can be challenging at scale and may affect virtual machine console access. For detailed remediation steps and workarounds, refer to VMSA-2024-0006 and its complementary Questions & Answers article.
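One way to scope the USB-controller workaround before applying it, added here as an example and not code from ISG or from the VMware advisory: a PowerCLI function that lists the virtual USB controllers (UHCI/EHCI and xHCI) on each VM and how many USB devices hang off each. It assumes VMware PowerCLI is installed and a Connect-VIServer session is already open; the function name is our own.

```powershell
# Added example (not ISG's or Broadcom's code): inventory the virtual USB
# controllers on each VM with PowerCLI, to scope the "remove USB controllers"
# workaround from VMSA-2024-0006 before applying it.
# Assumes VMware PowerCLI is installed and Connect-VIServer has already been run.
function Get-VmUsbControllerInventory {
    [CmdletBinding()]
    param(
        # VMs to inspect; defaults to every VM visible in the current session
        [Parameter(ValueFromPipeline = $true)]
        [VMware.VimAutomation.ViCore.Types.V1.Inventory.VirtualMachine[]]$VM = (Get-VM)
    )
    process {
        foreach ($v in $VM) {
            $devices = $v.ExtensionData.Config.Hardware.Device
            # The vSphere API models the two affected controllers as separate types:
            # VirtualUSBController (UHCI/EHCI, USB 1.1/2.0) and
            # VirtualUSBXHCIController (xHCI, USB 3.x). Neither derives from the other.
            $controllers = $devices | Where-Object {
                $_ -is [VMware.Vim.VirtualUSBController] -or
                $_ -is [VMware.Vim.VirtualUSBXHCIController]
            }
            foreach ($c in $controllers) {
                # USB passthrough devices (VirtualUSB) reference their controller by key;
                # they would be disconnected if that controller is removed.
                $attached = @($devices | Where-Object {
                    $_ -is [VMware.Vim.VirtualUSB] -and $_.ControllerKey -eq $c.Key
                })
                [PSCustomObject]@{
                    VM               = $v.Name
                    PowerState       = $v.PowerState
                    ControllerType   = if ($c -is [VMware.Vim.VirtualUSBXHCIController]) { 'xHCI' } else { 'UHCI/EHCI' }
                    ControllerLabel  = $c.DeviceInfo.Label
                    DeviceKey        = $c.Key
                    AttachedUsbCount = $attached.Count
                }
            }
        }
    }
}

# List every VM that still carries a USB controller, grouped by controller type
Get-VmUsbControllerInventory | Sort-Object ControllerType, VM | Format-Table -AutoSize
```

VMs with an AttachedUsbCount greater than zero lose those devices if the controller is removed, so they are the ones to review first when weighing the workaround against the console-access caveat above.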

What ISG is Doing

For impacted client environments managed by ISG, please note the following:

  • ISG Enterprise Cloud customers – There is no action needed on your part as our team has already started patching the impacted products following ITIL best practices.
  • ISG Managed Server/Storage Customers – We will be in touch with you to schedule the best time to apply the necessary patches and/or workaround for your specific situation.

For all other clients, we encourage you to take action on this as soon as possible. According to the VMware Q&A, this situation qualifies as an “emergency change” in ITIL terms. Refer to VMSA-2024-0006 for specific remediation/workaround instructions.

If you need assistance, ISG’s Professional Services team is available to help you out in any way possible. Contact Us today or reach out to your ISG representative.