
=====================================================================

                             CERT-Renater

                   Information Note No. 2022/VULN464

_____________________________________________________________________

DATE                : 15/12/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware ESXi,
                   VMware Workstation Pro / Player (Workstation),
                   VMware Fusion Pro / Fusion (Fusion),
                   VMware Cloud Foundation.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2022-0033.html
_____________________________________________________________________

Critical

Advisory ID:     VMSA-2022-0033
CVSSv3 Range:    5.9-9.3
Issue Date:      2022-12-13
Updated On:      2022-12-13 (Initial Advisory)
CVE(s):          CVE-2022-31705


Synopsis:
VMware ESXi, Workstation, and Fusion updates address a heap out-of-bounds
write vulnerability (CVE-2022-31705)


1. Impacted Products

     VMware ESXi
     VMware Workstation Pro / Player (Workstation)
     VMware Fusion Pro / Fusion (Fusion)
     VMware Cloud Foundation

2. Introduction

A heap out-of-bounds write vulnerability in VMware ESXi, Workstation, and
Fusion was privately reported to VMware. Updates and workarounds are
available to remediate this vulnerability in affected VMware products.

3. Heap out-of-bounds write vulnerability in EHCI controller (CVE-2022-31705)


Description

VMware ESXi, Workstation, and Fusion contain a heap out-of-bounds write
vulnerability in the USB 2.0 controller (EHCI). VMware has evaluated the
severity of this issue to be in the Critical severity range with a maximum
CVSSv3 base score of 9.3.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine
may exploit this issue to execute code as the virtual machine's VMX process
running on the host. On ESXi, the exploitation is contained within the VMX
sandbox whereas, on Workstation and Fusion, this may lead to code execution
on the machine where Workstation or Fusion is installed.


Resolution

To remediate CVE-2022-31705 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.


Workarounds

Workarounds for CVE-2022-31705 have been listed in the 'Workarounds' column
of the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank the organizers of GeekPwn 2022 and Yuhao
Jiang for reporting this issue to us.

Notes

None.


Response Matrix:

Product      Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version        Workarounds  Additional Documentation
ESXi         8.0      Any         CVE-2022-31705  5.9     moderate  ESXi80a-20842819     KB87617      None
ESXi         7.0      Any         CVE-2022-31705  5.9     moderate  ESXi70U3si-20841705  KB87617      None
Fusion       13.x     OS X        CVE-2022-31705  N/A     N/A       Unaffected           N/A          N/A
Fusion       12.x     OS X        CVE-2022-31705  9.3     critical  12.2.5               KB79712      None
Workstation  17.x     Any         CVE-2022-31705  N/A     N/A       Unaffected           N/A          N/A
Workstation  16.x     Any         CVE-2022-31705  9.3     critical  16.2.5               KB79712      None


Impacted Product Suites that Deploy Response Matrix Components:

Product                  Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (ESXi)  4.x/3.x  Any         CVE-2022-31705  5.9     moderate  KB90336        KB87617      None
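
The check implied by the 'Fixed Version' column, as an added example that is not part of the VMware advisory or the CERT-Renater note: it classifies an inventory against the response matrix above. The function names, the status labels and the sample inventory are constructed here; it assumes the numeric suffix of an ESXi patch name is the build number and that builds increase within a release line.

```python
import re

# Fixed versions copied from the response matrix. For ESXi the numeric suffix
# of the patch name is treated as the build number (assumption).
ESXI_FIXED_BUILD = {"8.0": 20842819, "7.0": 20841705}
HOSTED_FIXED = {("workstation", 16): (16, 2, 5), ("fusion", 12): (12, 2, 5)}
HOSTED_UNAFFECTED = {("workstation", 17), ("fusion", 13)}


def parse_version(text):
    """Turn '16.2.4' into (16, 2, 4); reject anything that is not dotted digits."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def triage(product, version, build=None):
    """Return 'fixed', 'vulnerable', 'unaffected' or 'not-in-matrix'."""
    product = product.strip().lower()
    ver = parse_version(version)
    if product == "esxi":
        line = ".".join(str(n) for n in ver[:2])
        fixed_build = ESXI_FIXED_BUILD.get(line)
        if fixed_build is None:
            return "not-in-matrix"  # release line the advisory does not list
        if build is None:
            raise ValueError("ESXi status needs the build number")
        # Assumption: builds increase monotonically within a release line.
        return "fixed" if int(build) >= fixed_build else "vulnerable"
    key = (product, ver[0])
    if key in HOSTED_UNAFFECTED:
        return "unaffected"
    if key in HOSTED_FIXED:
        # Pad so that '16.2' compares as 16.2.0 against 16.2.5.
        padded = (ver + (0, 0, 0))[:3]
        return "fixed" if padded >= HOSTED_FIXED[key] else "vulnerable"
    return "not-in-matrix"


# Constructed sample inventory: (host, product, version, build).
SAMPLE_INVENTORY = [
    ("esx-a", "ESXi", "7.0.3", 20328353),
    ("esx-b", "ESXi", "8.0.0", 20842819),
    ("lab-1", "Workstation", "16.2.4", None),
    ("mac-1", "Fusion", "13.0.0", None),
]


def report(inventory=SAMPLE_INVENTORY):
    """Map each host name to its status under the response matrix."""
    return {host: triage(prod, ver, build) for host, prod, ver, build in inventory}
```

A 'not-in-matrix' result means the advisory does not list that release, not that the release is unaffected.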


4. References

VMware ESXi 8.0 ESXi80a-20842819
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80a-release-notes/index.html

VMware ESXi 7.0 ESXi70U3si-20841705
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3i-release-notes.html

VMware Workstation 16.2.5
Downloads and Documentation:
https://customerconnect.vmware.com/en/downloads/info/slug/desktop_end_user_computing/vmware_workstation_pro/16_0
https://docs.vmware.com/en/VMware-Workstation-Pro/16.2.5/rn/vmware-workstation-1625-pro-release-notes/index.html

VMware Fusion 12.2.5
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/info/slug/desktop_end_user_computing/vmware_fusion/12_0
https://docs.vmware.com/en/VMware-Fusion/12.2.5/rn/vmware-fusion-1225release-notes/index.html

KBs:
https://kb.vmware.com/s/article/87617
https://kb.vmware.com/s/article/79712
https://kb.vmware.com/s/article/90336

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31705

FIRST CVSSv3 Calculator:
CVE-2022-31705
ESXi: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Workstation/Fusion: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H


5. Change Log

2022-12-13 VMSA-2022-0033
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2022 VMware Inc. All rights reserved.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


