Feb 16, 2022
Critical VMware Bugs Open ESXi, Fusion & Workstation to Attackers

A group of five security vulnerabilities could lead to a range of bad outcomes for virtual-machine enthusiasts, including command execution and DoS.
VMware has issued a critical security update to address issues in its ESXi, Fusion and Workstation products, including VMware Cloud Foundation versions. Exploitation could give attackers access to workloads inside organizations’ virtual environments.
The bugs score between 5.3 and 8.4 out of 10 on the CVSS vulnerability-severity scale, making them individually “important” or “moderate” issues. However, the virtualization giant noted that they can be chained together for worse outcomes: “Combining these issues may result in higher severity, hence the severity of this [advisory] is at severity level critical.”

VMware noted that patching VMware ESXi, Fusion and Workstation is the fastest method to resolve the issues, but organizations could also remove USB controllers from their VMs as a workaround. However, “that may be infeasible at scale…and does not eliminate the potential threat like patching does,” according to the advisory, issued Tuesday.
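The workaround above only helps if you know which VMs still carry a USB controller. The following is an added example, not code from the article or from VMware, that audits Fusion/Workstation `.vmx` configuration files for the three standard controller keys (`usb.present`, `ehci.present`, `usb_xhci.present`) and shows the file-level equivalent of the workaround. The sample `.vmx` contents are constructed; the assumption that setting those keys to FALSE on a powered-off VM is equivalent to removing the controllers through the UI is this example's, not the advisory's. For ESXi hosts the advisory's workaround is applied through the vSphere management interface and is not covered here.

```python
import re
from typing import Dict, List

# Constructed sample .vmx contents (not real VMs). usb.present, ehci.present and
# usb_xhci.present are the standard VMX keys that enable the USB 1.1, 2.0 and
# 3.x controllers respectively.
SAMPLE_VMX_FILES: Dict[str, str] = {
    "web01.vmx": '''.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
usb.present = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "TRUE"
''',
    "db01.vmx": '''.encoding = "UTF-8"
config.version = "8"
displayName = "db01"
usb.present = "FALSE"
''',
    "build01.vmx": '''.encoding = "UTF-8"
config.version = "8"
displayName = "build01"
usb_xhci.present = "TRUE"
''',
}

USB_CONTROLLER_KEYS = ("usb.present", "ehci.present", "usb_xhci.present")

# A .vmx line is `key = "value"`; keys may contain dots, underscores and colons.
_LINE_RE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse the key = "value" lines of a .vmx file into a dict (keys lower-cased)."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def usb_controllers(text: str) -> List[str]:
    """Return the USB controller keys that are enabled ("TRUE") in a .vmx."""
    settings = parse_vmx(text)
    return [k for k in USB_CONTROLLER_KEYS if settings.get(k, "").upper() == "TRUE"]


def audit(vmx_files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each VM file that still has a USB controller to its enabled keys."""
    result: Dict[str, List[str]] = {}
    for name, text in vmx_files.items():
        found = usb_controllers(text)
        if found:
            result[name] = found
    return result


def disable_usb_controllers(text: str) -> str:
    """Rewrite a .vmx so every USB controller key reads FALSE.

    Assumption of this example: editing the file while the VM is powered off is
    the file-level equivalent of removing the controllers in the UI.
    """
    out = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group(1).lower() in USB_CONTROLLER_KEYS:
            out.append(f'{m.group(1)} = "FALSE"')
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for vm, keys in audit(SAMPLE_VMX_FILES).items():
        print(f"{vm}: USB controllers enabled via {', '.join(keys)}")
```

In practice you would point `audit` at the real `.vmx` files under your VM directories; the output is the list of machines the advisory's workaround still applies to, which is also the list you re-check after patching to confirm nothing was missed.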
The issues are as follows:
The first two important-rated issues (CVE-2021-22040, CVE-2021-22041) are found in the USB controllers for VMware ESXi, Fusion and Workstation. If exploited, a malicious actor with local administrative privileges on a virtual machine (VM) would be able to execute code as the VM’s Virtual Machine Extension (VMX) process running on the host.
The VMX process runs in the VMkernel and is responsible for handling input/output (I/O) to devices that are not critical to performance, according to VMware’s documentation.
The next two issues, also rated important (CVE-2021-22042, CVE-2021-22043), affect the ‘settingsd’ command, which is responsible for settings and host logs, among other things.
The first involves the VMX having unauthorized access to settingsd authorization tickets. That means that a malicious actor with privileges within the VMX process could access the settingsd service running as a high-privileged user.
The second, a time-of-check time-of-use vulnerability, can be chained with the first. It exists in the way temporary files are handled, and it would allow an attacker with access to settingsd to escalate privileges by writing arbitrary files, according to VMware.
The final bug (CVE-2021-22050) is the lone “moderate” vulnerability in the group. It only affects the ESXi platform and could allow adversaries to create a denial-of-service (DoS) condition on the hosts by overwhelming the “rhttpproxy” service with multiple requests.
A successful exploit requires that the malicious actors already have network access to ESXi, according to the vendor.
This is the second major patch release this year affecting this particular trio of products. Full details of which patches should be applied to remediate the dangers are available in VMware’s advisory.
The company said that so far, no in-the-wild attacks have been seen targeting the bugs, though that is likely to quickly change if past is prelude, so admins should patch quickly.