=====================================================================

                                  CERT-Renater

                      Note d'Information No. 2024/VULN091
_____________________________________________________________________

DATE                : 07/03/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware ESXi, VMware Workstation,
                         VMware Fusion, VMware Cloud Foundation.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2024-0006.html
_____________________________________________________________________


Critical

Advisory ID:     VMSA-2024-0006.1
CVSSv3 Range:    7.1-9.3
Issue Date:      2024-03-05
Updated On:      2024-03-05
CVE(s):          CVE-2024-22252, CVE-2024-22253, CVE-2024-22254,
                  CVE-2024-22255
Synopsis:
VMware ESXi, Workstation, and Fusion updates address multiple security
vulnerabilities (CVE-2024-22252, CVE-2024-22253, CVE-2024-22254,
CVE-2024-22255)


1. Impacted Products

     VMware ESXi
     VMware Workstation Pro / Player (Workstation)
     VMware Fusion Pro / Fusion (Fusion)
     VMware Cloud Foundation (Cloud Foundation)

2. Introduction


Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were
privately reported to VMware. Updates are available to remediate these
vulnerabilities in affected VMware products.

The individual vulnerabilities documented on this VMSA for ESXi have
severity Important but combining these issues will result in Critical
severity.

3a. Use-after-free vulnerability in XHCI USB controller
(CVE-2024-22252)

Description

VMware ESXi, Workstation, and Fusion contain a use-after-free
vulnerability in the XHCI USB controller. VMware has evaluated the
severity of this issue to be in the Critical severity range with a
maximum CVSSv3 base score of 9.3 for Workstation/Fusion and in the
Important severity range with a maximum CVSSv3 base score of 8.4 for
ESXi.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual
machine may exploit this issue to execute code as the virtual
machine's VMX process running on the host. On ESXi, the exploitation
is contained within the VMX sandbox whereas, on Workstation and
Fusion, this may lead to code execution on the machine where
Workstation or Fusion is installed.

Resolution

To remediate CVE-2024-22252 apply the patches listed in the
'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2024-22252 have been listed in the 'Workarounds'
column of the 'Response Matrix' below.

Additional Documentation

A supplemental FAQ was created for clarification. Please see:
https://core.vmware.com/resource/vmsa-2024-0006-questions-answers

Notes

None.

Acknowledgements

VMware would like to thank Jiang YuHao, Ying XingLei & Zhang ZiMing
of Team Ant Lab working with the 2023 Tianfu Cup Pwn Contest and
Jiaqing Huang (@s0duku) & Hao Zheng (@zhz) from TianGong Team of
Legendsec at Qi'anxin Group for independently reporting this issue
to us.

3b. Use-after-free vulnerability in UHCI USB controller (CVE-2024-22253)

Description

VMware ESXi, Workstation, and Fusion contain a use-after-free
vulnerability in the UHCI USB controller. VMware has evaluated the
severity of this issue to be in the Critical severity range with a
maximum CVSSv3 base score of 9.3 for Workstation/Fusion and in the
Important severity range with a maximum CVSSv3 base score of 8.4 for
ESXi.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual
machine may exploit this issue to execute code as the virtual
machine's VMX process running on the host. On ESXi, the exploitation
is contained within the VMX sandbox whereas, on Workstation and
Fusion, this may lead to code execution on the machine where
Workstation or Fusion is installed.

Resolution

To remediate CVE-2024-22253 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2024-22253 have been listed in the 'Workarounds'
column of the 'Response Matrix' below.

Additional Documentation

A supplemental FAQ was created for clarification. Please see:
https://core.vmware.com/resource/vmsa-2024-0006-questions-answers

Notes

None.

Acknowledgements

VMware would like to thank VictorV and Wei of Team CyberAgent working
with the 2023 Tianfu Cup Pwn Contest for reporting this issue to us.
3c. ESXi Out-of-bounds write vulnerability (CVE-2024-22254)

Description

VMware ESXi contains an out-of-bounds write vulnerability. VMware has
evaluated the severity of this issue to be in the Important severity
range with a maximum CVSSv3 base score of 7.9.

Known Attack Vectors

A malicious actor with privileges within the VMX process may
trigger an out-of-bounds write leading to an escape of the sandbox.

Resolution

To remediate CVE-2024-22254 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

A supplemental FAQ was created for clarification. Please see:
https://core.vmware.com/resource/vmsa-2024-0006-questions-answers

Notes

None.

Acknowledgements

VMware would like to thank Jiang YuHao, Ying XingLei & Zhang ZiMing
of Team Ant Lab working with the 2023 Tianfu Cup Pwn Contest for
reporting this issue to us.

3d. Information disclosure vulnerability in UHCI USB controller
(CVE-2024-22255)

Description

VMware ESXi, Workstation, and Fusion contain an information disclosure
vulnerability in the UHCI USB controller. VMware has evaluated the
severity of this issue to be in the Important severity range with a
maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with administrative access to a virtual machine may
be able to exploit this issue to leak memory from the vmx process.
Resolution

To remediate CVE-2024-22255 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2024-22255 have been listed in the 'Workarounds'
column of the 'Response Matrix' below.

Additional Documentation

A supplemental FAQ was created for clarification. Please see:
https://core.vmware.com/resource/vmsa-2024-0006-questions-answers

Notes

None.

Acknowledgements

VMware would like to thank VictorV & Wei of Team CyberAgent working
with the 2023 Tianfu Cup Pwn Contest Contest and Jiaqing Huang
(@s0duku) & Hao Zheng (@zhz) from TianGong Team of Legendsec at
Qi'anxin Group for independently reporting this issue to us.


Response Matrix:

Product     Version     Running On     CVE Identifier     CVSSv3 
Severity     Fixed Version [1]     Workarounds Additional Documentation

ESXi    8.0    Any    CVE-2024-22252, CVE-2024-22253, CVE-2024-22254,
CVE-2024-22255    8.4, 8.4, 7.9, 7.1    critical
ESXi80U2sb-23305545    KB96682    FAQ

ESXi    8.0 [2]    Any    CVE-2024-22252, CVE-2024-22253,
CVE-2024-22254, CVE-2024-22255    8.4, 8.4, 7.9, 7.1    critical
ESXi80U1d-23299997    KB96682    FAQ

ESXi    7.0    Any    CVE-2024-22252, CVE-2024-22253, CVE-2024-22254,
CVE-2024-22255    8.4, 8.4, 7.9, 7.1    critical    ESXi70U3p-23307199
KB96682    FAQ

Workstation    17.x    Any    CVE-2024-22252, CVE-2024-22253,
CVE-2024-22255    9.3, 9.3, 7.1    critical    17.5.1    KB96682
None.

Fusion    13.x    MacOS    CVE-2024-22252, CVE-2024-22253,
CVE-2024-22255   9.3, 9.3, 7.1     critical    13.5.1    KB96682
None

[1] While Broadcom does not mention end-of-life products in the
Security Advisories, due to the critical severity of these
vulnerabilities Broadcom has made a patch available to customers with
extended support for ESXi 6.7 (6.7U3u), 6.5 (6.5U3v) and VCF 3.x.

[2] Because of the severity of these issues, Broadcom has made
additional patches available for ESXi 8.0 U1. If you do not plan to
update your environment to ESXi 8.0 Update 2b (build # 23305546), use
8.0 Update 1d to update your ESXi hosts of version 8.0 Update 1c
(build # 22088125) and earlier for these security fixes. The supported
update path from 8.0 Update 1d is to ESXi 8.0 Update 2b or later. For
more information, see the Product Interoperability Matrix.


Impacted Product Suites that Deploy Response Matrix Components:

Product     Version     Running On     CVE Identifier    CVSSv3 
Severity 	Fixed Version 	Workarounds 	Additional Documentation

Cloud Foundation (ESXi)    5.x/4.x    Any    CVE-2024-22252,
CVE-2024-22253, CVE-2024-22254, CVE-2024-22255    8.4, 8.4, 7.9, 7.1
critical    KB88287    KB96682    FAQ


4. References

VMware ESXi 8.0 ESXi-8.0U2sb-23305545
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80u2b-release-notes/index.html

VMware ESXi 8.0 ESXi80U1d-23299997
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80u1d-release-notes/index.html

VMware ESXi 7.0 ESXi70U3p-23307199
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3p-release-notes/index.html

Workstation Pro 17.5.1
Downloads and Documentation
https://customerconnect.vmware.com/downloads/info/slug/desktop_end_user_computing/vmware_workstation_pro/17_0
https://docs.vmware.com/en/VMware-Workstation-Pro/17.5.1/rn/vmware-workstation-1751-pro-release-notes/index.html

Fusion 13.5.1
Downloads and Documentation
https://customerconnect.vmware.com/en/downloads/info/slug/desktop_end_user_computing/vmware_fusion/13_0
https://docs.vmware.com/en/VMware-Fusion/13.5.1/rn/vmware-fusion-1351-release-notes/index.html

VMware Cloud Foundation 5.x/4.x
Downloads and Documentation:
https://kb.vmware.com/s/article/88287

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22252 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22253 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22254 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22255

FIRST CVSSv3 Calculator:
CVE-2024-22252:
ESXi: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Workstation/Fusion: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2024-22253: ESXi: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Workstation/Fusion: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2024-22254: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

CVE-2024-22255: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N


5. Change Log

2024-03-05 VMSA-2024-0006
Initial security advisory.

2024-03-05 VMSA-2024-0006.1
Corrected severity for ESXi and VCF in the response matrix.


6. Contact

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog  https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC


Copyright 2024 Broadcom. All rights reserved.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================