A group of five security vulnerabilities could lead to a range of bad outcomes for organizations running VMware virtual machines, including code execution and denial of service (DoS).
VMware has issued a critical security update to address issues in its ESXi, Fusion and Workstation products, including VMware Cloud Foundation versions. Exploitation could give attackers access to workloads inside organizations’ virtual environments.
The bugs carry CVSS scores ranging from 5.3 to 8.4 out of 10, which rates them individually as “important” or “moderate” issues. However, the virtualization giant noted that they can be chained together for worse outcomes: “Combining these issues may result in higher severity, hence the severity of this [advisory] is at severity level critical.”
VMware noted that patching VMware ESXi, Fusion and Workstation is the fastest way to resolve the issues, but organizations could also remove USB controllers from their VMs as a workaround. That workaround has limits, however: “that may be infeasible at scale…and does not eliminate the potential threat like patching does,” according to the advisory, issued Tuesday.
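Before deciding whether the USB-controller workaround is feasible, an administrator needs to know which VMs still carry a USB controller, and of which type, since the two 8.4-rated bugs sit in the xHCI and UHCI controllers respectively. The script below is an added example, not code from the article or from VMware: it parses .vmx configuration files (the per-VM config format used by ESXi, Workstation and Fusion) and reports every VM that still enables a USB controller. The .vmx keys `usb.present`, `ehci.present` and `usb_xhci.present` are the standard settings for the USB 1.1 (UHCI), USB 2.0 (EHCI) and USB 3.x (xHCI) controllers; the sample configurations are constructed for illustration.

```python
import re
from typing import Dict, List

# .vmx keys that turn on a virtual USB controller. The key names are the
# standard VMware .vmx settings; mapping each to a label is this script's own
# choice for presenting the result.
USB_CONTROLLER_KEYS = {
    "usb.present": "UHCI (USB 1.1)",
    "ehci.present": "EHCI (USB 2.0)",
    "usb_xhci.present": "xHCI (USB 3.x)",
}

# .vmx lines look like:   key = "value"   (comments start with '#')
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"([^"]*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse .vmx text into a dict. Keys are lower-cased because VMware tools
    write them with inconsistent case (e.g. usb_xhci.present vs USB_XHCI.present)."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def usb_controllers(cfg: Dict[str, str]) -> List[str]:
    """Return the labels of the USB controllers a parsed config enables.
    Only a literal TRUE (case-insensitive) counts; FALSE or a missing key does not."""
    return [
        label
        for key, label in USB_CONTROLLER_KEYS.items()
        if cfg.get(key, "").strip().upper() == "TRUE"
    ]


def audit(vmx_by_name: Dict[str, str]) -> Dict[str, List[str]]:
    """Map VM name -> enabled USB controllers, listing only the VMs that still
    have at least one controller and therefore still need the patch or workaround."""
    findings: Dict[str, List[str]] = {}
    for name, text in vmx_by_name.items():
        found = usb_controllers(parse_vmx(text))
        if found:
            findings[name] = found
    return findings


# Constructed sample configs (not real VMs): one VM with UHCI + xHCI, one with
# a leftover EHCI controller only, and one whose USB controller was already removed.
SAMPLE_VMX = {
    "web-01": '''
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "19"
displayName = "web-01"
usb.present = "TRUE"
usb_xhci.present = "TRUE"
''',
    "build-02": '''
displayName = "build-02"
# legacy USB 2.0 controller left over from a template
ehci.present = "TRUE"
usb.present = "FALSE"
''',
    "db-03": '''
displayName = "db-03"
usb.present = "FALSE"
''',
}

if __name__ == "__main__":
    # Real use: read each .vmx from disk (on ESXi they live under the VM's
    # datastore folder) and pass {vm_name: file_contents} to audit().
    for vm, ctrls in audit(SAMPLE_VMX).items():
        print(f"{vm}: still has {', '.join(ctrls)}")
```

The script is read-only: it flags exposure but changes nothing. Removing a controller also detaches any USB passthrough device that was attached to it, so the findings should be checked against what each VM actually uses before applying the workaround in bulk, and the inventory should be re-run after patching to confirm no unpatched host still carries VMs with USB controllers.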
The issues are as follows:
- CVE-2021-22040: Use-after-free vulnerability in the XHCI USB controller (CVSS 8.4)
- CVE-2021-22041: Double-fetch vulnerability in the UHCI USB controller (CVSS 8.4)
- CVE-2021-22042: ESXi ‘settingsd’ unauthorized access