VMware has revealed and repaired the flaws in its hypervisor discovered at China’s Tianfu Cup white hat hacking competition.
CVE-2020-4004, rated critical due to its 9.3 on the CVSS scale, is described as a “Use-after-free vulnerability in XHCI USB controller”. It allows a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host. The VMX process runs in the VMkernel and is responsible for handling I/O to devices, so there’s the potential for data exfiltration.
The bug needs patching in ESXi from version 6.5, VMware’s Fusion and Workstation desktop hypervisors from versions 11 and 15 respectively, plus VMware Cloud Foundation from version 3.
CVE-2020-4005 is a VMX elevation-of-privilege vulnerability and rated as important with an 8.8 CVSS score. Getting this one to work requires exploitation of the other bug described above. Users of ESXi from version 6.5 and Cloud Foundation from version 3 need to get busy on this one.
Patches are available for the two flaws, with download details available at VMware’s security advisory page.
Discovery of both flaws was attributed to Xiao Wei and Tianwen Tang (VictorV) of Chinese security vendor Qihoo’s 360 Vulcan Team, a group that has picked up many bug-hunting plaudits. The white hats also took home a $180,000 reward for their troubles – cheap security research for $10.8bn VMware.
The flaws were revealed on November 8th – just 11 days before VMware’s disclosure and delivery of fixes. Which is impressive, both in terms of response time and for demonstrating that white hat hacking events can have rapid real-world impact. ®