VMware patches critical guest-to-host vulnerabilities
Time to fix code like it's 2020
In an advisory this week, VMware alerted users to guest-to-host vulnerabilities in the XHCI and UHCI USB controllers in its ESXi hypervisor, plus an important flaw fixed in NSX Data Center for vSphere.
In all, five vulnerabilities were discovered in VMware's ESXi, Workstation, Cloud Foundation (ESXi), and Fusion during the Tianfu Cup 2021, a Chinese vulnerability competition, by the country's Kunlun Lab. Bugs that Kunlun discovered were disclosed privately to VMware – though last year China passed a new law ordering security researchers to reveal findings to the country's Ministry of Public Security at least two days before anyone else.
The vendor said it hadn't seen any evidence the competition's findings had been exploited in the wild. Patches have been issued, now it's up to admins to schedule them. The vulnerabilities range from use-after-free() and double-fetch flaws that can be exploited to execute code on the host, to an old-fashioned denial of service (DoS). The full list for ESXi, Workstation, Cloud Foundation, and Fusion is:
- CVE-2021-22040, Use-after-free() vulnerability in XHCI USB controller
- CVE-2021-22041, Double-fetch vulnerability in UHCI USB controller
- CVE-2021-22042, ESXi settingsd unauthorized access vulnerability
- CVE-2021-22043, ESXi settingsd TOCTOU vulnerability
- CVE-2021-22050, ESXi slow HTTP POST denial of service vulnerability (found by Russia's SolidLab)
"The individual vulnerabilities documented on this VMSA have severity Important/Moderate but combining these issues may result in higher severity, hence the severity of this VMSA is at severity level Critical," said VMware, using its internal term for a security advisory note.
The XHCI and UHCI USB controller bugs can be exploited by a malicious person with administrative privileges in a virtual machine to execute code as the VM's VMX process running on the host. If readers have a sense of deja vu about this, that's because an almost identically described vuln was reported in 2020 and tracked as CVE-2020-4004.
VMware noted: "In short, patching VMware ESXi, Workstation, and Fusion are the fastest methods to resolve these issues. There is also a workaround: removing the USB controllers from virtual machines, though that may be infeasible at scale and does not eliminate the potential threat like patching does."
Thus, if you have virtual machines with these USB controllers already removed, you can breathe a little sigh of relief.
Meanwhile, the settingsd flaws can be abused to write to arbitrary files or access the service as a higher-privileged user. The NSX flaw can be exploited by a user with SSH access to an NSX-Edge appliance to execute commands as root. This is present in Cloud Foundation (NSX-V), too. ®