Thursday, December 5, 2024

VMware Issues Patches for Shell Injection and Privilege Vulnerability


VMware had multiple issues that were privately reported to it. VMware acted swiftly on the reports and released patches for all of the vulnerabilities. The advisory details are as follows:

Advisory ID: VMSA-2022-0004
CVSSv3 Range: 5.3-8.4
Issue Date: 2022-02-15
Updated On: 2022-02-15 (Initial Advisory)

CVE(s):


CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050

Synopsis:

VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities (CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050)

Products that were Impacted

  • VMware ESXi
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Cloud Foundation (Cloud Foundation)

3a. CVE-2021-22040 (Use-after-free Vulnerability in XHCI USB Controller)

Explanation

With a local administrative privilege on a virtual machine, a threat actor can use this issue to execute code as the virtual machine’s VMX process running on the host.

VMware ESXi, Workstation and Fusion are affected by this issue. It has a CVSSv3 base score of 8.4.

Resolution and Acknowledgement

To resolve this critical vulnerability, VMware has released a patch. VMware also thanked Wei of Kunlun Lab for reporting this issue at the 2021 Tianfu Cup Pwn contest.

3b. CVE-2021-22041 (Double-Fetch Vulnerability in UHCI USB controller)

Explanation

Just like CVE-2021-22040, a malicious actor with local administrative privileges on a virtual machine can use this issue to execute code as the virtual machine's VMX process running on the host. However, for this issue to be exploitable, an isochronous USB endpoint must be available to the virtual machine.

VMware ESXi, Workstation, and Fusion are the products affected by this vulnerability, which has a CVSSv3 base score of 8.4.
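The advisory calls CVE-2021-22041 a double-fetch bug: the emulator reads a guest-controlled value once to validate it and a second time to use it, and the guest can change the value in between. The following is an added illustration of that bug class, not VMware's code; the descriptor layout (one length byte followed by a payload), the 8-byte host buffer limit and the simulated guest memory are all constructed for the example. It shows the check-then-re-read pattern beside the hardened single-fetch pattern, where the value that was checked is the value that is used.

```python
# Added example: the double-fetch bug class behind CVE-2021-22041, in miniature.
# All names and the descriptor format are constructed for illustration.

MAX_PAYLOAD = 8  # constructed: the host-side buffer holds at most 8 payload bytes


class GuestMemory:
    """Stand-in for guest-writable memory that a device emulator reads.

    `race` is called after every host read; it lets a simulated guest rewrite
    the buffer in the window between two fetches of the same field.
    """

    def __init__(self, data: bytes, race=None):
        self._buf = bytearray(data)
        self._race = race
        self.reads = 0

    def read(self, offset: int, length: int) -> bytes:
        chunk = bytes(self._buf[offset:offset + length])
        self.reads += 1
        if self._race is not None:
            self._race(self._buf, self.reads)
        return chunk


def guest_flips_length(buf: bytearray, reads_so_far: int) -> None:
    """Simulated racing guest: right after the host's first read of the
    length byte, rewrite it to the maximum value."""
    if reads_so_far == 1:
        buf[0] = 0xFF


def handle_descriptor_double_fetch(mem: GuestMemory):
    """Vulnerable pattern: the length is fetched for the check, then fetched
    again for the copy, so the copy can use a value the check never saw."""
    length = mem.read(0, 1)[0]      # fetch #1: used only for the bounds check
    if length > MAX_PAYLOAD:
        return None                 # rejected
    length = mem.read(0, 1)[0]      # fetch #2: re-reads guest memory
    return mem.read(1, length)      # may copy far more than MAX_PAYLOAD


def handle_descriptor_single_fetch(mem: GuestMemory):
    """Hardened pattern: fetch the length once into a host-local variable,
    check that copy, and use the same copy for the payload read."""
    length = mem.read(0, 1)[0]      # one fetch into host memory
    if length > MAX_PAYLOAD:
        return None
    return mem.read(1, length)      # bound is the value that was checked


def run_demo() -> dict:
    # Constructed descriptor: declared length 4, followed by 64 bytes the
    # guest has placed after the header.
    descriptor = bytes([4]) + b"A" * 64
    vuln = handle_descriptor_double_fetch(GuestMemory(descriptor, guest_flips_length))
    safe = handle_descriptor_single_fetch(GuestMemory(descriptor, guest_flips_length))
    return {
        "double_fetch_copied": len(vuln),   # 64 bytes into an 8-byte buffer
        "single_fetch_copied": len(safe),   # 4 bytes, as checked
    }


if __name__ == "__main__":
    print(run_demo())
```

In a real emulator the fix is the same idea at scale: copy the whole guest descriptor into host memory once, then validate and act on the host copy only.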

Resolution and Acknowledgement

VMware has released patches to resolve this vulnerability. This issue was reported by VictorV of Kunlun Lab at the 2021 Tianfu Cup Pwn contest. VMware has published the Response Matrix and the impacted product suites for 3a and 3b.

3c. CVE-2021-22042 (ESXi settingsd unauthorized access Vulnerability)

Explanation

VMware ESXi was found to be vulnerable to unauthorized access because the VMX process has access to settingsd authorization tickets. VMware gave this issue a CVSSv3 base score of 8.2. A malicious actor with privileges within the VMX process only may be able to access the settingsd service, which runs as a highly privileged user.

Resolution and Acknowledgement

VMware has released patches for this vulnerability. This was also reported by Wei of Kunlun Lab at the 2021 Tianfu Cup Pwn contest.

3d. CVE-2021-22043 (ESXi settingsd TOCTOU Vulnerability)

Explanation

VMware ESXi contains a TOCTOU (Time-of-Check Time-of-Use) vulnerability in the way it handles temporary files.

An attacker with access to settingsd can exploit this issue to escalate privileges by writing arbitrary files.

Resolution and Acknowledgement

VMware has released patches to fix this issue.

Wei of Kunlun Lab found this issue and reported it to VMware at the 2021 Tianfu Cup Pwn contest.

VMware has published the Response Matrix for 3c and 3d.

3e. CVE-2021-22050 (ESXi slow HTTP POST Denial of Service Vulnerability)

Explanation

The rhttpproxy service used by ESXi contains a slow HTTP POST denial of service vulnerability. VMware evaluated this issue and gave it a CVSSv3 base score of 5.3.

An attacker with network access to ESXi can exploit this issue to cause a denial of service by overwhelming the rhttpproxy service with requests.
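A slow HTTP POST attack holds many connections open by trickling the request body in a few bytes at a time, so the signal a defender looks for is body uploads that take a long time at a very low byte rate, often from the same source. The following added example, which is not VMware's code and assumes nothing about rhttpproxy's real log format, parses constructed per-chunk upload log lines, computes elapsed time and byte rate per connection, flags the slow ones, and groups them by source address. The line format, the thresholds (30 seconds, 10 bytes/second, two slow connections per source) and the sample addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
# Added example: detect slow-POST style uploads in constructed proxy log lines.
# The log format and thresholds are assumptions made for this illustration.
import re
from collections import Counter
from datetime import datetime

# Constructed format: "<ISO timestamp> conn=<id> src=<ip> event=body_chunk bytes=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) conn=(?P<conn>\d+) src=(?P<src>\S+) event=body_chunk bytes=(?P<n>\d+)$"
)

# Constructed sample: conn 7 and 9 trickle one byte every 20-30 s from the same
# source, conn 8 and 10 are normal uploads, one line is malformed.
SAMPLE_LOG = """\
2022-02-15T10:00:00Z conn=7 src=203.0.113.5 event=body_chunk bytes=1
2022-02-15T10:00:00Z conn=8 src=198.51.100.20 event=body_chunk bytes=4096
2022-02-15T10:00:00Z conn=10 src=198.51.100.20 event=body_chunk bytes=100000
2022-02-15T10:00:01Z conn=8 src=198.51.100.20 event=body_chunk bytes=4096
2022-02-15T10:00:05Z conn=9 src=203.0.113.5 event=body_chunk bytes=1
this line is garbage and must be skipped
2022-02-15T10:00:20Z conn=7 src=203.0.113.5 event=body_chunk bytes=1
2022-02-15T10:00:35Z conn=9 src=203.0.113.5 event=body_chunk bytes=1
2022-02-15T10:00:40Z conn=7 src=203.0.113.5 event=body_chunk bytes=1
2022-02-15T10:00:45Z conn=10 src=198.51.100.20 event=body_chunk bytes=100000
2022-02-15T10:01:00Z conn=7 src=203.0.113.5 event=body_chunk bytes=1
2022-02-15T10:01:05Z conn=9 src=203.0.113.5 event=body_chunk bytes=1
"""


def parse_line(line: str):
    """Return (timestamp, conn_id, src, nbytes) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, int(m["conn"]), m["src"], int(m["n"])


def find_slow_posts(lines, min_duration_s: float = 30.0, min_rate_bps: float = 10.0):
    """Flag connections whose body upload lasted at least `min_duration_s`
    while averaging fewer than `min_rate_bps` bytes per second."""
    conns = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                    # tolerate noise rather than crash
        ts, conn, src, n = rec
        c = conns.setdefault(conn, {"src": src, "first": ts, "last": ts, "bytes": 0})
        c["first"] = min(c["first"], ts)
        c["last"] = max(c["last"], ts)
        c["bytes"] += n
    slow = []
    for conn, c in sorted(conns.items()):
        elapsed = (c["last"] - c["first"]).total_seconds()
        if elapsed < min_duration_s:
            continue                    # short uploads are never "slow"
        rate = c["bytes"] / elapsed
        if rate < min_rate_bps:
            slow.append({"conn": conn, "src": c["src"], "elapsed_s": elapsed,
                         "bytes": c["bytes"], "rate_bps": rate})
    return slow


def sources_with_multiple_slow_posts(slow, threshold: int = 2) -> dict:
    """Group flagged connections by source; several slow uploads from one
    address is the pattern that distinguishes an attack from a bad link."""
    counts = Counter(s["src"] for s in slow)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    flagged = find_slow_posts(SAMPLE_LOG.splitlines())
    for s in flagged:
        print(f"conn={s['conn']} src={s['src']} {s['bytes']}B over {s['elapsed_s']:.0f}s")
    print(sources_with_multiple_slow_posts(flagged))
```

On the mitigation side the same numbers drive configuration: a reverse proxy that enforces a minimum body receive rate or a bounded body read timeout closes exactly the connections this detector flags, before they exhaust the worker pool.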

Resolution and Acknowledgement

VMware has released a patch for this vulnerability.

This issue was reported to VMware by George Noseevich and Sergey Gerasimov of SolidLab LLC.
VMware has published the Response Matrix and impacted product suite information for this issue.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
