Virtual machine escape vulnerability on VMware Workstation, Fusion and ESXi

  • 17 January 2022

Userlevel 7
Badge +4

Opened The Word from @Gostev this morning, and he mentioned a new VMware vulnerability. With a score of 7.7 it is definitely up there. If you are on ESXi 7.X there is no patch yet, but there is a workaround here: https://kb.vmware.com/s/article/87249 which is basically to disconnect all virtual CD-ROM drives; they provide a PowerCLI command to do it easily.

If you didn’t sign up for the newsletter, I strongly recommend it - always great content for a Monday morning. You can get it by registering at https://forums.veeam.com too.

Description

The CD-ROM device emulation in VMware Workstation, Fusion and ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.7.

Known Attack Vectors

A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine.
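The workaround in the KB is to disconnect every virtual CD-ROM drive. The PowerCLI script below is an added example (not the KB's own one-liner) that first reports which VMs still have a connected drive, so the change can be reviewed, and only detaches the media when run with -Remediate. It assumes PowerCLI is installed and a session to vCenter already exists (Connect-VIServer).

```powershell
# Added example, not from KB 87249: audit VMs with a connected virtual
# CD/DVD drive, then optionally apply VMware's workaround by detaching
# the media. Assumes an existing PowerCLI session (Connect-VIServer).
param(
    [switch]$Remediate   # without this switch the script only reports
)

# Every CD/DVD drive that is currently connected to its VM is exposed
# to the emulation code described in the advisory.
$connected = Get-VM | Get-CDDrive | Where-Object {
    $_.ConnectionState.Connected -eq $true
}

if (-not $connected) {
    Write-Host "No VM currently has a connected CD-ROM drive."
    return
}

# Report first: VM name, drive name and the ISO (if any) that is mounted.
$connected |
    Select-Object @{N = 'VM';    E = { $_.Parent.Name }},
                  @{N = 'Drive'; E = { $_.Name }},
                  @{N = 'Media'; E = { $_.IsoPath }} |
    Format-Table -AutoSize

if ($Remediate) {
    # -NoMedia detaches the media and leaves the drive disconnected,
    # which is the mitigation VMware gives for ESXi 7.x until a patch ships.
    $connected | Set-CDDrive -NoMedia -Confirm:$false | Out-Null
    Write-Host ("Disconnected {0} CD-ROM drive(s)." -f @($connected).Count)
}
```

Run it once without -Remediate to review the list, then with -Remediate to apply the change; the same audit re-run afterwards should report no connected drives.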


4 comments

Userlevel 7
Badge +6

It looks like 6.5 and 6.7 have been fixed some time ago, so only 7.X needs more attention at this point.

Does anyone know how the attack could take place? The CVE says no privilege required, but does that mean no special privileges (Administrator) or that it can be used unauthenticated?

Common Vulnerability Scoring System Version 3.1 Calculator (first.org)

Userlevel 7
Badge +7

Maybe there is no patch for this yet due to the other problems in vSphere 7 :thinking:

Userlevel 7
Badge +6

Saw this in Gostev's email. Informed our VMware team about it to ensure workarounds.

Userlevel 7
Badge +6

I'm sure we'll only see a new patch for vSphere 7 when everyone at VMware is confident that it's stable; even the janitor will need to approve the change request...🤣
