VMware Tools for Windows update addresses an XML External Entity vulnerability - CVE-2022-22977


Userlevel 7
Badge +5

VMware Tools is a set of services and modules that enable several features in VMware products for better management of guests operating systems and seamless user interactions with them. Without VMware Tools installed in your guest operating system, the guest OS will lose some performance functionalities.

Impacted Product: 

VMware Tools for Windows

Vmware has released some updates to remediate this vulnerability. The VMware tool can be directly downloaded from the VMware Customer Connect page. Do ensure to select your desired version. It can also be downloaded directly from the VMware Workstation etc.

Issue description

VMware Tools for Windows contains an XML External Entity (XXE) vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.8.

How can this vulnerability be exploited?

A malicious actor with non-administrative local user privileges in the Windows guest OS, where VMware Tools is installed, may exploit this issue leading to a denial-of-service condition or unintended information disclosure.

Resolution / Response Matrix

There is currently no workaround for this vulnerability reported. But to have it remediated, you will need to apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation

VMware Tools for Windows

12.0.0, 11.x.y and 10.x.y

Windows

CVE-2022-22977

5.8

Moderate

12.0.5

None

None


6 comments

Userlevel 7
Badge +4

I don't know who is worse whether Vmware or Microsoft😅

Userlevel 7
Badge +6

Just to add more info, fixed version of tools are build 19716617

Userlevel 7
Badge +5

I don't know who is worse whether Vmware or Microsoft😅

They are both in the same WhatsApp group 😁… Above all, these guys performs bug bounty as attackers are doing everything to break IT systems and in turn we see most of these security updates to mitigate these weaknesses! 

Userlevel 7
Badge +6

Oh this is a good one - @Iams3le thanks for sharing! I do my VMware Tools updates “rogue” in that I install them via the guest OS not via the hypervisor commands; need to get a newest one.

Userlevel 7
Badge +8

Time to get patching again.  I keep them updated when new releases come out so thanks for sharing this one.

Userlevel 7
Badge +5

Oh this is a good one - @Iams3le thanks for sharing! I do my VMware Tools updates “rogue” in that I install them via the guest OS not via the hypervisor commands; need to get a newest one.

You are welcome!

Comment