Not yet exploited, these flaws could allow malicious code to be placed on host systems from inside a virtual machine.

VMware has released fixes for several flaws that together could allow attackers to execute malicious code on the host system from inside a virtual machine, bypassing the critical isolation layer. Some of the flaws are in the virtualized USB controllers, so they affect most VMware hypervisors: VMware ESXi, VMware Workstation, VMware Fusion, and VMware Cloud Foundation.

Attacker groups have exploited vulnerabilities in VM products before, including to deploy ransomware. In January it was revealed that a Chinese cyberespionage group had been exploiting a critical remote code execution vulnerability in VMware vCenter Server for 18 months before it was patched in October last year.

Flaws in VMware USB controllers

The new security patches released this week address two use-after-free memory vulnerabilities in the UHCI USB and XHCI USB controllers — CVE-2024-22252 and CVE-2024-22253. These are the virtualized controllers that enable the use of USB devices inside VMware virtual machines. Both flaws are rated 9.3 out of 10 on the CVSS severity scale.

“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” VMware said in its advisory. “On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”

Although the VMX process is sandboxed on ESXi, this does not fully remove the risk of remote code execution, because a third vulnerability could allow attackers to escape the VMX sandbox. This is an out-of-bounds write vulnerability tracked as CVE-2024-22254 and rated 7.9.

A fourth vulnerability, an information disclosure flaw (CVE-2024-22255), has also been patched in the UHCI USB controller. It can be used to leak memory from the VMX process and is rated 7.1.

How to mitigate the VMware flaws

VMware is not aware of these flaws being exploited in the wild, but given attackers’ proven interest in targeting virtual machines and VMware products in the past, it is possible that exploits for these flaws will become available soon. Users are encouraged to deploy the available patches as soon as possible. If they cannot for some reason, one workaround is to remove the USB controller from virtual machines in the meantime. However, this will affect virtual machine console functionality, as some operating systems require USB for keyboard and mouse access through the virtual console. USB passthrough functionality, where USB devices connected to the host are shared with the virtual machine, will also be lost.

“That said, most Windows and Linux versions support use of the virtual PS/2 mouse and keyboard, and removing unnecessary devices such as USB controllers is recommended as part of the security hardening guidance VMware publishes,” the company said in a FAQ document associated with the advisory.

In addition to patches for the supported versions of the affected products, VMware also provided patches for older versions that are available only to customers with extended support contracts: ESXi 6.7 (6.7U3u), 6.5 (6.5U3v), and VCF 3.x.
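Before applying the USB-controller workaround above, an administrator will want to know which VMs actually have a virtual USB controller and whether any passthrough devices depend on it. The following added example (not code from the article or from VMware) audits a VM's .vmx configuration for that and produces a copy with the controllers disabled; it assumes the standard VMX keys usb.present (UHCI), ehci.present (EHCI) and usb_xhci.present (xHCI), and the sample .vmx content is constructed.

```python
import re
from typing import Dict, List

# Assumption: standard VMware .vmx keys that enable each virtual USB controller.
USB_CONTROLLER_KEYS = {
    "usb.present": "UHCI (USB 1.1)",
    "ehci.present": "EHCI (USB 2.0)",
    "usb_xhci.present": "xHCI (USB 3.x)",
}
# Passthrough devices hang off a controller as usb:N.* / ehci:N.* / usb_xhci:N.* entries.
PASSTHROUGH_RE = re.compile(r"^(usb|ehci|usb_xhci):\d+\.present$")
DEVICE_PREFIXES = ("usb:", "ehci:", "usb_xhci:")

# Constructed sample of a VM with UHCI + xHCI controllers and one passthrough hub.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "19"
displayName = "web-01"
usb.present = "TRUE"
usb_xhci.present = "TRUE"
usb:1.present = "TRUE"
usb:1.deviceType = "hub"
usb:1.port = "1"
"""

def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines of a .vmx file into a dict; blank/comment lines are skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg

def audit_usb(cfg: Dict[str, str]) -> Dict[str, List[str]]:
    """List enabled USB controllers and the passthrough devices that would be lost with them."""
    controllers = [name for key, name in USB_CONTROLLER_KEYS.items()
                   if cfg.get(key, "FALSE").upper() == "TRUE"]
    passthrough = [k for k, v in cfg.items()
                   if PASSTHROUGH_RE.match(k) and v.upper() == "TRUE"]
    return {"controllers": controllers, "passthrough": passthrough}

def remove_usb_controllers(cfg: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with every USB controller disabled and its passthrough entries dropped."""
    hardened = {k: v for k, v in cfg.items() if not k.startswith(DEVICE_PREFIXES)}
    for key in USB_CONTROLLER_KEYS:
        hardened[key] = "FALSE"
    return hardened
```

Edit a real .vmx only while the VM is powered off, or make the equivalent change through the vSphere, Workstation or Fusion UI, which rewrites the file for you.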