Thursday, March 28, 2024

VMware Issues Patches for Shell Injection and Privilege Vulnerability

VMware had multiple issues that were privately reported. VMware swiftly acted on the reported issues and released patches for all the critical vulnerabilities. The vulnerability details are as follows

Advisory ID:
VMSA-2022-0004
CVSSv3 Range:
5.3-8.4
Issue Date:
2022-02-15
Updated On:
2022-02-15 (Initial Advisory)

CVE(s):

CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050

Synopsis:

VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities (CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050)

Products that were Impacted

  • VMware ESXi
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Cloud Foundation (Cloud Foundation)

3a. CVE-2021-22040 (Use-after-free Vulnerability in XHCI USB Controller)

Explanation

With a local administrative privilege on a virtual machine, a threat actor can use this issue to execute code as the virtual machine’s VMX process running on the host.

It seems like the VMware ESXi, Workstation and Fusions were vulnerable to this issue. This issue has a CVSSv3 base score of 8.4

Resolution and Acknowledgement

To resolve this critical vulnerability a patch has been released by VMware. VMware also thanked Wei of Kunlun Lab for reporting this issue at the 2021 Tianfu Cup Pwn contest.

3b. CVE-2021-22041 (Double-Fetch Vulnerability in UHCI USB controller)

Explanation

Just like CVE-2021-22040, a malicious actor with local admin privilege who uses this issue can execute code as a virtual machine’s VMX process running on the host. However, for this issue to be exploited an isochronous USB endpoint must be available to the virtual machine.

VMware ESXi, Workstation, and Fusion were the products affected by this vulnerability making the CVSSv3 score as 8.4

Resolution and Acknowledgement

VMware has released patches to resolve this vulnerability. This issue was reported by VictorV of Kunlun Lab at the 2021 Tianfu Cup Pwn. The Response Matrix and the impacted product suites for 3a and 3b have been released by VMware.

3c. CVE-2021-22042 (ESXi settingsd unauthorized access Vulnerability)

Explanation

The VMware ESXi was found to be vulnerable to unauthorized access since the VMX has access to settings authorization tickets. On further evaluation, VMware gave a CVSSv3 score of 8.2 for this issue. The attacker must be with privileges within the VMX process in order to access the settingsd service as a high privileged user.

Resolution and Acknowledgement

VMware has released patches for this vulnerability. This was also reported by Wei of Kunlun Lab at the 2021 Tianfu Cup Pwn contest.

3d. CVE-2021-22043 (ESXi settingsd TOCTOU Vulnerability)

Explanation

This issue was due to the way of handling temporary files by the TOCTOU (Time-of-Check Time-Of-Use) in VMware ESXi. 

An attacker with access to settingsd will be able to exploit this issue resulting in privilege escalation by writing arbitrary files.

Resolution and Acknowledgement

Patches are released to fix this issue. 

Wei from Kunlun Lab found this issue reported at the 2021 Tianfu Cup Pwn contest conducted by VMware.

The Response matrix for 3c and 3d was released by VMware.

3e. CVE-2021-22050 (ESXi slow HTTP POST Denial of Service Vulnerability)

Explanation

The rhttpproxy used by the ESXi has this slow HTTP POST denial of service vulnerability. VMware evaluated this issue and gave a CVSSv3 score of 5.3

If an attacker gains access to the network of ESXi, he can exploit this issue to create a denial of service attack by overwhelming the rhttpproxy service with too many requests.

Resolution and Acknowledgement

VMware has released a patch for this vulnerability.

This issue was reported to VMware by George Noseevich and Sergey Gerasimov of SolidLab LLC.
Response Matrix and Impacted Product Suites information is released by VMware.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles