
=====================================================================

                             CERT-Renater

                   Information Note No. 2021/VULN075
_____________________________________________________________________

DATE                : 15/02/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware ESXi,
                      VMware Workstation Pro / Player (Workstation),
                      VMware Fusion Pro / Fusion (Fusion),
                      VMware Cloud Foundation (Cloud Foundation).

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2022-0004.html
_____________________________________________________________________

Critical


Advisory ID:    VMSA-2022-0004
CVSSv3 Range:   5.3-8.4
Issue Date:     2022-02-15
Updated On:     2022-02-15 (Initial Advisory)
CVE(s):         CVE-2021-22040, CVE-2021-22041, CVE-2021-22042,
                  CVE-2021-22043, CVE-2021-22050
Synopsis:       VMware ESXi, Workstation, and Fusion updates address
                  multiple security vulnerabilities (CVE-2021-22040,
                  CVE-2021-22041, CVE-2021-22042, CVE-2021-22043,
                  CVE-2021-22050)




1. Impacted Products

VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Cloud Foundation (Cloud Foundation)


2. Introduction
Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were
privately reported to VMware. Updates are available to remediate these
vulnerabilities in affected VMware products.

The individual vulnerabilities documented in this VMSA are rated
Important or Moderate, but chaining these issues may result in a higher
severity; the VMSA as a whole is therefore rated Critical.

3a. Use-after-free vulnerability in XHCI USB controller (CVE-2021-22040)


Description

VMware ESXi, Workstation, and Fusion contain a use-after-free
vulnerability in the XHCI USB controller. VMware has evaluated the
severity of this issue to be in the Important severity range with a
maximum CVSSv3 base score of 8.4.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual
machine may exploit this issue to execute code as the virtual machine's
VMX process running on the host.


Resolution

To remediate CVE-2021-22040 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.


Workarounds

Workarounds for CVE-2021-22040 have been listed in the 'Workarounds'
column of the 'Response Matrix' below.


Additional Documentation

A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2022-0004-qna.

Notes

[1] VMware recommends taking ESXi670-202201001 released on January 25, 
2022 over ESXi670-202111101-SG released on November 23, 2021 since
ESXi670-202201001 also resolves non-security related issues (documented
in https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202201001.html).


Acknowledgements

VMware would like to thank Wei of Kunlun Lab working with the 2021
Tianfu Cup Pwn Contest for reporting this issue to us.

3b. Double-fetch vulnerability in UHCI USB controller (CVE-2021-22041)

Description

VMware ESXi, Workstation, and Fusion contain a double-fetch 
vulnerability in the UHCI USB controller. VMware has evaluated the 
severity of this issue to be in the Important severity range with a
maximum CVSSv3 base score of 8.4.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual 
machine may exploit this issue to execute code as the virtual machine's 
VMX process running on the host.


Resolution

To remediate CVE-2021-22041 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2021-22041 have been listed in the 'Workarounds'
column of the 'Response Matrix' below.


Additional Documentation

A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2022-0004-qna.

Notes

Successful exploitation of this issue requires an isochronous USB
endpoint to be made available to the virtual machine.



[1] VMware recommends taking ESXi670-202201001 released on January 25, 
2022 over ESXi670-202111101-SG released on November 23, 2021 since
ESXi670-202201001 also resolves non-security related issues
(documented in
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202201001.html).


Acknowledgements

VMware would like to thank VictorV of Kunlun Lab working with the 2021
Tianfu Cup Pwn Contest for reporting this issue to us.

Response Matrix - 3a & 3b

Product     | Version | Running On | CVE Identifier                 | CVSSv3 | Severity  | Fixed Version            | Workarounds | Additional Documentation
------------|---------|------------|--------------------------------|--------|-----------|--------------------------|-------------|-------------------------
ESXi        | 7.0 U3  | Any        | CVE-2021-22040, CVE-2021-22041 | 8.4    | Important | ESXi70U3c-19193900       | KB87349     | FAQ
ESXi        | 7.0 U2  | Any        | CVE-2021-22040, CVE-2021-22041 | 8.4    | Important | ESXi70U2e-19290878       | KB87349     | FAQ
ESXi        | 7.0 U1  | Any        | CVE-2021-22040, CVE-2021-22041 | 8.4    | Important | ESXi70U1e-19324898       | KB87349     | FAQ
ESXi        | 6.7     | Any        | CVE-2021-22040, CVE-2021-22041 | 8.4    | Important | [1] ESXi670-202111101-SG | KB87349     | FAQ
ESXi        | 6.5     | Any        | CVE-2021-22040, CVE-2021-22041 | 8.4    | Important | ESXi650-202202401-SG     | KB87349     | FAQ
Fusion      | 12.x    | OS X       | CVE-2021-22040, CVE-2021-22041 | 8.4    | Important | 12.2.1                   | KB87349     | FAQ
Workstation | 16.x    | Any        | CVE-2021-22040, CVE-2021-22041 | 8.4    | Important | 16.2.1                   | KB87349     | FAQ


Impacted Product Suites that Deploy Response Matrix 3a & 3b Components:

Product                 | Version | Running On | CVE Identifier                 | CVSSv3 | Severity  | Fixed Version | Workarounds | Additional Documentation
------------------------|---------|------------|--------------------------------|--------|-----------|---------------|-------------|-------------------------
Cloud Foundation (ESXi) | 4.x     | Any        | CVE-2021-22040, CVE-2021-22041 | 8.4    | Important | 4.4           | KB87349     | FAQ
Cloud Foundation (ESXi) | 3.x     | Any        | CVE-2021-22040, CVE-2021-22041 | 8.4    | Important | 3.11          | KB87349     | FAQ


3c. ESXi settingsd unauthorized access vulnerability (CVE-2021-22042)

Description

VMware ESXi contains an unauthorized access vulnerability due to VMX
having access to settingsd authorization tickets. VMware has evaluated
the severity of this issue to be in the Important severity range with
a maximum CVSSv3 base score of 8.2.

Known Attack Vectors

A malicious actor with privileges within the VMX process only may be
able to access the settingsd service, which runs as a highly privileged
user.

Resolution

To remediate CVE-2021-22042 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification.
Please see: https://via.vmw.com/vmsa-2022-0004-qna.

Notes

None.

Acknowledgements

VMware would like to thank Wei of Kunlun Lab working with the 2021
Tianfu Cup Pwn Contest for reporting this issue to us.

3d. ESXi settingsd TOCTOU vulnerability (CVE-2021-22043)

Description

VMware ESXi contains a TOCTOU (Time-of-check Time-of-use) vulnerability
that exists in the way temporary files are handled. VMware has
evaluated the severity of this issue to be in the Important severity
range with a maximum CVSSv3 base score of 8.2.

Known Attack Vectors

A malicious actor with access to settingsd may exploit this issue to
escalate their privileges by writing arbitrary files.

Resolution

To remediate CVE-2021-22043 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification.
Please see: https://via.vmw.com/vmsa-2022-0004-qna.

Notes

None.

Acknowledgements

VMware would like to thank Wei of Kunlun Lab working with the 2021
Tianfu Cup Pwn Contest for reporting this issue to us.

Response Matrix - 3c & 3d

Product | Version | Running On | CVE Identifier                 | CVSSv3 | Severity  | Fixed Version      | Workarounds | Additional Documentation
--------|---------|------------|--------------------------------|--------|-----------|--------------------|-------------|-------------------------
ESXi    | 7.0 U3  | Any        | CVE-2021-22042, CVE-2021-22043 | 8.2    | Important | ESXi70U3c-19193900 | None        | FAQ
ESXi    | 7.0 U2  | Any        | CVE-2021-22042, CVE-2021-22043 | 8.2    | Important | ESXi70U2e-19290878 | None        | FAQ
ESXi    | 7.0 U1  | Any        | CVE-2021-22042, CVE-2021-22043 | 8.2    | Important | ESXi70U1e-19324898 | None        | FAQ
ESXi    | 6.7     | Any        | CVE-2021-22042, CVE-2021-22043 | N/A    | N/A       | Unaffected         | N/A         | N/A
ESXi    | 6.5     | Any        | CVE-2021-22042, CVE-2021-22043 | N/A    | N/A       | Unaffected         | N/A         | N/A


Impacted Product Suites that Deploy Response Matrix 3c & 3d Components:

Product                 | Version | Running On | CVE Identifier                 | CVSSv3 | Severity  | Fixed Version | Workarounds | Additional Documentation
------------------------|---------|------------|--------------------------------|--------|-----------|---------------|-------------|-------------------------
Cloud Foundation (ESXi) | 4.x     | Any        | CVE-2021-22042, CVE-2021-22043 | 8.2    | Important | 4.4           | None        | FAQ
Cloud Foundation (ESXi) | 3.x     | Any        | CVE-2021-22042, CVE-2021-22043 | N/A    | N/A       | Unaffected    | N/A         | N/A


3e. ESXi slow HTTP POST denial of service vulnerability (CVE-2021-22050)

Description

ESXi contains a slow HTTP POST denial-of-service vulnerability in
rhttpproxy. VMware has evaluated the severity of this issue to be in
the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to ESXi may exploit this issue
to create a denial-of-service condition by overwhelming the rhttpproxy
service with multiple requests.

Resolution

To remediate CVE-2021-22050 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification.
Please see: https://via.vmw.com/vmsa-2022-0004-qna.

Notes

[1] VMware recommends taking ESXi670-202201001 released on January 25,
2022 over ESXi670-202111101-SG released on November 23, 2021 since
ESXi670-202201001 also resolves non-security related issues
(documented in 
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202201001.html).

Acknowledgements

VMware would like to thank George Noseevich (@webpentest) and
Sergey Gerasimov of SolidLab LLC for reporting this issue to us.

Response Matrix - 3e

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version            | Workarounds | Additional Documentation
--------|---------|------------|----------------|--------|----------|--------------------------|-------------|-------------------------
ESXi    | 7.0     | Any        | CVE-2021-22050 | 5.3    | Moderate | ESXi70U3c-19193900       | None        | FAQ
ESXi    | 6.7     | Any        | CVE-2021-22050 | 5.3    | Moderate | [1] ESXi670-202111101-SG | None        | FAQ
ESXi    | 6.5     | Any        | CVE-2021-22050 | 5.3    | Moderate | ESXi650-202110101-SG     | None        | FAQ

Impacted Product Suites that Deploy Response Matrix 3e Components:

Product                 | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
------------------------|---------|------------|----------------|--------|----------|---------------|-------------|-------------------------
Cloud Foundation (ESXi) | 4.x     | Any        | CVE-2021-22050 | 5.3    | Moderate | 4.4           | None        | FAQ
Cloud Foundation (ESXi) | 3.x     | Any        | CVE-2021-22050 | 5.3    | Moderate | 3.11          | None        | FAQ
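
The response matrices above (3a/3b, 3c/3d and 3e) give the fixed ESXi 7.0
builds per update line, and a naive "build number is at least N" test gets
this wrong: ESXi70U1e-19324898 carries a higher build number than
ESXi70U3c-19193900 yet does not contain the U3c line, and matrix 3e lists a
single fixed build for "7.0 Any", so a 7.0 U2e host is fixed for
CVE-2021-22040 through -22043 but still needs U3c for CVE-2021-22050. The
following script is an added example and not part of the VMware or
CERT-Renater advisory. It assumes the `esxcli system version get` output
layout shown in its constructed samples (Version / Build: Releasebuild-N /
Update lines), assumes build numbers order releases only within one update
line, and reports 6.7 and 6.5 hosts as UNKNOWN because the advisory names
those fixes by bulletin ID (ESXi670-202111101-SG, ESXi650-202202401-SG,
ESXi650-202110101-SG) without a build number.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Fixed 7.0 builds taken from the VMSA-2022-0004 response matrices.
BUILD_U3C = 19193900   # ESXi70U3c-19193900
BUILD_U2E = 19290878   # ESXi70U2e-19290878
BUILD_U1E = 19324898   # ESXi70U1e-19324898

ALL_CVES = ("CVE-2021-22040", "CVE-2021-22041", "CVE-2021-22042",
            "CVE-2021-22043", "CVE-2021-22050")


@dataclass(frozen=True)
class Fix:
    cve: str
    version: str                # ESXi major.minor, e.g. "7.0"
    fixed_update: str           # update line the fixed build belongs to
    build: int                  # build number from the response matrix
    applies_to: FrozenSet[str]  # update lines whose hosts this entry addresses


@dataclass(frozen=True)
class Host:
    version: str   # "7.0"
    update: str    # "3"
    build: int     # 19193900


FIXES: List[Fix] = []
# Matrices 3a/3b and 3c/3d give one fixed build per 7.0 update line.
for _cve in ALL_CVES[:4]:
    FIXES += [
        Fix(_cve, "7.0", "3", BUILD_U3C, frozenset({"3"})),
        Fix(_cve, "7.0", "2", BUILD_U2E, frozenset({"2"})),
        Fix(_cve, "7.0", "1", BUILD_U1E, frozenset({"1"})),
    ]
# Matrix 3e lists one fixed build for "7.0 Any": every 7.0 update line
# has to move to U3c for CVE-2021-22050.
FIXES.append(Fix("CVE-2021-22050", "7.0", "3", BUILD_U3C,
                 frozenset({"1", "2", "3"})))

# Assumed `esxcli system version get` layout (see constructed samples below).
_FIELD = re.compile(r"^\s*(Version|Build|Update):\s*(\S+)\s*$", re.MULTILINE)


def parse_version_output(text: str) -> Host:
    """Reduce esxcli output to the three fields the check needs."""
    fields = dict(_FIELD.findall(text))
    major_minor = ".".join(fields["Version"].split(".")[:2])   # "7.0.3" -> "7.0"
    build = int(fields["Build"].rsplit("-", 1)[-1])            # "Releasebuild-19193900"
    return Host(version=major_minor, update=fields["Update"], build=build)


def check_host(host: Host) -> Dict[str, str]:
    """Per-CVE status: FIXED, VULNERABLE, or UNKNOWN (no build number on the page)."""
    status: Dict[str, str] = {}
    for fix in FIXES:
        if fix.version != host.version or host.update not in fix.applies_to:
            continue
        # Build numbers only order releases within one update line (assumption):
        # U1e's 19324898 is above U3c's 19193900 but does not contain U3c, so a
        # host on a different line than the fixed build is not patched.
        on_fixed_line = host.update == fix.fixed_update
        status[fix.cve] = ("FIXED" if on_fixed_line and host.build >= fix.build
                           else "VULNERABLE")
    for cve in ALL_CVES:
        status.setdefault(cve, "UNKNOWN")
    return status


# Constructed sample outputs (not captured from real hosts); 18000000 and
# 17000000 are made-up pre-fix build numbers.
SAMPLE_HOSTS = {
    "esx-u3c":    "   Product: VMware ESXi\n   Version: 7.0.3\n   Build: Releasebuild-19193900\n   Update: 3\n",
    "esx-u2e":    "   Product: VMware ESXi\n   Version: 7.0.2\n   Build: Releasebuild-19290878\n   Update: 2\n",
    "esx-u3-old": "   Product: VMware ESXi\n   Version: 7.0.3\n   Build: Releasebuild-18000000\n   Update: 3\n",
    "esx-67":     "   Product: VMware ESXi\n   Version: 6.7.0\n   Build: Releasebuild-17000000\n   Update: 3\n",
}


def report(samples: Dict[str, str] = SAMPLE_HOSTS) -> Dict[str, Dict[str, str]]:
    """Evaluate every sample host and return the results for further checks."""
    return {name: check_host(parse_version_output(out))
            for name, out in samples.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

Feed it the output of `esxcli system version get` from each host (or the
equivalent PowerCLI property) and treat any VULNERABLE or UNKNOWN entry as
work to do; the UNKNOWN result on 6.7 and 6.5 is deliberate, since the
bulletin IDs in the matrices have to be matched against the host's
installed VIB profile rather than a build number.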


4. References
VMware ESXi 7.0 ESXi70U3c-19193900
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3c-release-notes.html


VMware ESXi 7.0 ESXi70U2e-19290878
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u2e-release-notes.html


VMware ESXi 7.0 ESXi70U1e-19324898
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1e.html


VMware ESXi 6.7 ESXi670-202111101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202111001.html


VMware ESXi 6.5 ESXi650-202202401-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202202001.html


VMware ESXi 6.5 ESXi650-202110101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202110001.html


VMware Cloud Foundation 4.4
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.4/rn/VMware-Cloud-Foundation-44-Release-Notes.html

VMware Cloud Foundation 3.11
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.11/rn/VMware-Cloud-Foundation-311-Release-Notes.html


VMware Workstation Player 16.2.1
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html


VMware Fusion 12.2.1
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html



Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22040
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22041
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22043
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22050


FIRST CVSSv3 Calculator:
CVE-2021-22040: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-22041: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-22042: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2021-22043: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2021-22050: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L


5. Change Log
2022-02-15 VMSA-2022-0004
Initial security advisory.


6. Contact
E-mail list for product security notifications and announcements:

https://lists.vmware.com/mailman/listinfo/security-announce



This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org


E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055



VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2022 VMware Inc. All rights reserved.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

