VMware Issues Patches for Shell Injection and Privilege Vulnerability

VMware had multiple issues that were privately reported. VMware swiftly acted on the reported issues and released patches for all the critical vulnerabilities. The vulnerability details are as follows

Advisory ID:
VMSA-2022-0004
CVSSv3 Range:
5.3-8.4
Issue Date:
2022-02-15
Updated On:
2022-02-15 (Initial Advisory)

CVE(s):

CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050

Synopsis:

VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities (CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050)

Products that were Impacted

• VMware ESXi
• VMware Workstation Pro / Player (Workstation)
• VMware Fusion Pro / Fusion (Fusion)
• VMware Cloud Foundation (Cloud Foundation)

3a. CVE-2021-22040 (Use-after-free Vulnerability in XHCI USB Controller)

Explanation

With a local administrative privilege on a virtual machine, a threat actor can use this issue to execute code as the virtual machine’s VMX process running on the host.

It seems like the VMware ESXi, Workstation and Fusions were vulnerable to this issue. This issue has a CVSSv3 base score of 8.4

Resolution and Acknowledgement

To resolve this critical vulnerability a patch has been released by VMware. VMware also thanked Wei of Kunlun Lab for reporting this issue at the 2021 Tianfu Cup Pwn contest.

3b. CVE-2021-22041 (Double-Fetch Vulnerability in UHCI USB controller)

Explanation

Just like CVE-2021-22040, a malicious actor with local admin privilege who uses this issue can execute code as a virtual machine’s VMX process running on the host. However, for this issue to be exploited an isochronous USB endpoint must be available to the virtual machine.

VMware ESXi, Workstation, and Fusion were the products affected by this vulnerability making the CVSSv3 score as 8.4

Resolution and Acknowledgement

VMware has released patches to resolve this vulnerability. This issue was reported by VictorV of Kunlun Lab at the 2021 Tianfu Cup Pwn. The Response Matrix and the impacted product suites for 3a and 3b have been released by VMware.

3c. CVE-2021-22042 (ESXi settingsd unauthorized access Vulnerability)

Explanation

The VMware ESXi was found to be vulnerable to unauthorized access since the VMX has access to settings authorization tickets. On further evaluation, VMware gave a CVSSv3 score of 8.2 for this issue. The attacker must be with privileges within the VMX process in order to access the settingsd service as a high privileged user.

Resolution and Acknowledgement

VMware has released patches for this vulnerability. This was also reported by Wei of Kunlun Lab at the 2021 Tianfu Cup Pwn contest.

3d. CVE-2021-22043 (ESXi settingsd TOCTOU Vulnerability)

Explanation

This issue was due to the way of handling temporary files by the TOCTOU (Time-of-Check Time-Of-Use) in VMware ESXi. 

An attacker with access to settingsd will be able to exploit this issue resulting in privilege escalation by writing arbitrary files.

Resolution and Acknowledgement

Patches are released to fix this issue. 

Wei from Kunlun Lab found this issue reported at the 2021 Tianfu Cup Pwn contest conducted by VMware.

The Response matrix for 3c and 3d was released by VMware.

3e. CVE-2021-22050 (ESXi slow HTTP POST Denial of Service Vulnerability)

Explanation

The rhttpproxy used by the ESXi has this slow HTTP POST denial of service vulnerability. VMware evaluated this issue and gave a CVSSv3 score of 5.3

If an attacker gains access to the network of ESXi, he can exploit this issue to create a denial of service attack by overwhelming the rhttpproxy service with too many requests.

Resolution and Acknowledgement

VMware has released a patch for this vulnerability.

This issue was reported to VMware by George Noseevich and Sergey Gerasimov of SolidLab LLC.
Response Matrix and Impacted Product Suites information is released by VMware.