VMware urges emergency action to blunt hypervisor flaws • The Register




Tags: VMware, security. By Simon Sharwood

Hypervisors are supposed to provide a tamper-proof layer of isolation between virtual machines and hardware. But hypervisor heavyweight VMware, now a Broadcom division, revealed yesterday that its hypervisors aren’t as tamper-proof as it might like.

In a security advisory, the Broadcom division warned of four vulnerabilities.

The two nastiest – CVE-2024-22252 and CVE-2024-22253 – are rated 9.3/10 on VMware’s Workstation and Fusion desktop hypervisors and 8.4 on the ESXi server hypervisor.

The flaws earned these ratings because a malicious actor with local administrative privileges inside a virtual machine can exploit them to execute code outside of the guest. On Workstation and Fusion, that code runs on the host PC or Mac. Under ESXi, it runs in the VMX process that encapsulates each guest VM.

In an FAQ, VMware called both vulnerabilities an emergency change, as defined by the IT Infrastructure Library.

Another vulnerability, CVE-2024-2225, is classified 7.1.

The workarounds for the flaws even apply to vSphere 6.x, a now unsupported version of VMware’s flagship server virtualization platform.

Virtual USB controllers are the cause of the issue for all three CVEs mentioned above. VMware’s workaround for these flaws is to remove the controllers from virtual machines.

Yet VMware’s FAQ admits that this “might not be feasible at scale” because “some supported operating systems require a USB port for keyboard and mouse access via the Virtual Console.” Losing USB passthrough functionality can be another undesirable consequence.

The FAQ adds: “That said, most versions of Windows and Linux support the use of the PS/2 virtual mouse and keyboard,” and removing unnecessary peripherals such as USB controllers is already recommended in the security hardening guidance published by VMware.
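The audit-then-remove workaround described above, as an added PowerCLI example that is not VMware’s own code: it lists every VM that still carries a virtual USB controller and, with -Remove, strips the controller from powered-off VMs that have no USB passthrough device attached to it. It assumes PowerCLI is installed and Connect-VIServer has already been run; the requirement that the VM be powered off is this script’s own conservative choice, not something the advisory states.

```powershell
# Added example, not VMware's code. Assumes PowerCLI and an existing Connect-VIServer session.
# Run without arguments to report only; add -Remove to reconfigure eligible VMs.
param(
    [switch]$Remove
)

# Both USB 2.0 (UHCI/EHCI) and USB 3.x (xHCI) controllers are in scope for the workaround.
$usbControllerTypes = @('VirtualUSBController', 'VirtualUSBXHCIController')

foreach ($vm in Get-VM) {
    $view = $vm | Get-View -Property Name, Config.Hardware.Device, Runtime.PowerState
    $devices = $view.Config.Hardware.Device
    $controllers = $devices | Where-Object { $usbControllerTypes -contains $_.GetType().Name }
    if (-not $controllers) { continue }

    foreach ($ctl in $controllers) {
        # Passthrough devices (and USB keyboard/mouse) hang off the controller's key.
        $attached = @($devices | Where-Object { $_.ControllerKey -eq $ctl.Key })

        # Report every VM still exposed to the USB-controller flaws.
        [pscustomobject]@{
            VM              = $view.Name
            Controller      = $ctl.DeviceInfo.Label
            Type            = $ctl.GetType().Name
            AttachedDevices = $attached.Count
            PowerState      = $view.Runtime.PowerState
        }

        if (-not $Remove) { continue }
        if ($attached.Count -gt 0) {
            Write-Warning "$($view.Name): skipping, $($attached.Count) device(s) still use this controller"
            continue
        }
        if ($view.Runtime.PowerState -ne 'poweredOff') {
            Write-Warning "$($view.Name): skipping, this script only removes controllers from powered-off VMs"
            continue
        }

        # Build a reconfigure spec that removes just this one controller.
        $change = New-Object VMware.Vim.VirtualDeviceConfigSpec
        $change.Operation = [VMware.Vim.VirtualDeviceConfigSpecOperation]::remove
        $change.Device = $ctl
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.DeviceChange = @($change)
        $view.ReconfigVM($spec)
        Write-Host "$($view.Name): removed $($ctl.DeviceInfo.Label)"
    }
}
```

VMs that report an attached device are the ones the FAQ warns about: check whether the guest can fall back to the PS/2 virtual keyboard and mouse before removing the controller.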

Worse, VMware also reported CVE-2024-22254 – an out-of-bounds write vulnerability that a malicious actor who already holds privileges within the VMX process could trigger to escape the sandbox that process runs in.

Guest-to-host escapes are among the worst virtualization incidents. These flaws are serious, but they do not amount to a complete takeover of the hypervisor that would allow an attacker to control fleets of virtual machines.

Interestingly, some of the flaws were discovered by researchers during the 2023 Tianfu Cup Pwn competition – China’s equivalent of the Pwn2Own infosec attack festival.

VMware thanked competition participants Jiang YuHao, Ying XingLei and Zhang ZiMing of Team Ant Lab – an Alibaba-affiliated company – and VictorV and Wei of Team CyberAgent. Jiaqing Huang and Hao Zheng from Legendsec’s TianGong team of Qi’anxin Group were also thanked, as they discovered some of the flaws independently. ®

News Source : www.theregister.com