Sunday, July 21, 2024
EHA

VMware Issues Patches for Shell Injection and Privilege Vulnerability

VMware had multiple issues that were privately reported. VMware swiftly acted on the reported issues and released patches for all the critical vulnerabilities. The vulnerability details are as follows

Advisory ID:
VMSA-2022-0004
CVSSv3 Range:
5.3-8.4
Issue Date:
2022-02-15
Updated On:
2022-02-15 (Initial Advisory)

CVE(s):

CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050

Synopsis:

VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities (CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050)

Products that were Impacted

  • VMware ESXi
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Cloud Foundation (Cloud Foundation)

3a. CVE-2021-22040 (Use-after-free Vulnerability in XHCI USB Controller)

Explanation

With a local administrative privilege on a virtual machine, a threat actor can use this issue to execute code as the virtual machine’s VMX process running on the host.

It seems like the VMware ESXi, Workstation and Fusions were vulnerable to this issue. This issue has a CVSSv3 base score of 8.4

Resolution and Acknowledgement

To resolve this critical vulnerability a patch has been released by VMware. VMware also thanked Wei of Kunlun Lab for reporting this issue at the 2021 Tianfu Cup Pwn contest.

3b. CVE-2021-22041 (Double-Fetch Vulnerability in UHCI USB controller)

Explanation

Just like CVE-2021-22040, a malicious actor with local admin privilege who uses this issue can execute code as a virtual machine’s VMX process running on the host. However, for this issue to be exploited an isochronous USB endpoint must be available to the virtual machine.

VMware ESXi, Workstation, and Fusion were the products affected by this vulnerability making the CVSSv3 score as 8.4

Resolution and Acknowledgement

VMware has released patches to resolve this vulnerability. This issue was reported by VictorV of Kunlun Lab at the 2021 Tianfu Cup Pwn. The Response Matrix and the impacted product suites for 3a and 3b have been released by VMware.

3c. CVE-2021-22042 (ESXi settingsd unauthorized access Vulnerability)

Explanation

The VMware ESXi was found to be vulnerable to unauthorized access since the VMX has access to settings authorization tickets. On further evaluation, VMware gave a CVSSv3 score of 8.2 for this issue. The attacker must be with privileges within the VMX process in order to access the settingsd service as a high privileged user.

Resolution and Acknowledgement

VMware has released patches for this vulnerability. This was also reported by Wei of Kunlun Lab at the 2021 Tianfu Cup Pwn contest.

3d. CVE-2021-22043 (ESXi settingsd TOCTOU Vulnerability)

Explanation

This issue was due to the way of handling temporary files by the TOCTOU (Time-of-Check Time-Of-Use) in VMware ESXi. 

An attacker with access to settingsd will be able to exploit this issue resulting in privilege escalation by writing arbitrary files.

Resolution and Acknowledgement

Patches are released to fix this issue. 

Wei from Kunlun Lab found this issue reported at the 2021 Tianfu Cup Pwn contest conducted by VMware.

The Response matrix for 3c and 3d was released by VMware.

3e. CVE-2021-22050 (ESXi slow HTTP POST Denial of Service Vulnerability)

Explanation

The rhttpproxy used by the ESXi has this slow HTTP POST denial of service vulnerability. VMware evaluated this issue and gave a CVSSv3 score of 5.3

If an attacker gains access to the network of ESXi, he can exploit this issue to create a denial of service attack by overwhelming the rhttpproxy service with too many requests.

Resolution and Acknowledgement

VMware has released a patch for this vulnerability.

This issue was reported to VMware by George Noseevich and Sergey Gerasimov of SolidLab LLC.
Response Matrix and Impacted Product Suites information is released by VMware.

Website

Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles