Critical vulnerabilities in VMware products (March 5, 2024)

Sicherheit (Pexels, allgemeine Nutzung)[German]A short addendum from last week. I recently reported on updates to VMware products. VMware has now classified certain vulnerabilities in its virtualization products as critical in a security advisory. It should therefore be patched quickly, if not already done. Addendum: I have just seen that around 1,800 VMware ESXi installations in Germany are potentially affected.


In my German blog post VMware Produktportfolio: Interna der Lizenzierung; und Lenovo ist seit 27. Feb. 2024 raus I reported on updates to VMware Workstation and Player to version 17.5.1. VMware had published the release notes here. A German blog reader pointed out the VMware Security Advisory 2024-0006. An update from March 5, 2024 deals with the vulnerabilities CVE-2024-22252, CVE-2024-22253, CVE-2024-22254 and CVE-2024-22255. VMware has released security updates to close these vulnerabilities in VMware ESXi, Workstation and Fusion.

While CVE-2024-22251 quoted first as "moderate", it's now classified as "critical". There are now four new severe or critical CVEs: 22252, 22253, 22254, 22255 for the following VMware products:

ESXi, Workstation Pro/Player, Fusion/Pro, Cloud Foundation

und folgende Schwachstellen:

  • Use-after-free XHCI USB controller (CVE-2024-22252)
  • Use-after-free UHCI USB controller (CVE-2024-22253)
  • ESXi Out-of-bounds write (CVE-2024-22254)
  • Information disclosure UHCI USB controller (CVE-2024-22255)

The vulnerability CVE-2024-22254 (Out-of-bounds write) in ESXi server allows an attacker with VMX process privileges to write outside the specified memory area (bounds), which can lead to a breakout from the sandbox.

All ESXi versions of 6.5, 6.7, 7.0, 8.0 ; Workstation 17.x ; Fusion 13.x and VCF 3.x are affected. The colleagues from Bleeping Computer had also reported here about that (I was off road and could not post that).


Vulnerability CVE-2024-22252 affects systems

ShadowServer has published statistics on ESXi systems that are vulnerable to the CVE-2024-22252 vulnerability. The tweet reads:

We are scanning & sharing VMware ESXi instances which have vulnerabilities that could allow a malicious actor with local admin privileges to escape sandbox protections – Tagged as "cve-2024-22252". Based on version checks, we see ~16.5K vulnerable.

In the USA are about 1,022 VMware ESXi systems potentially affected.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software, Update, Virtualization and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *