VMware has released patches for a vulnerability affecting multiple products, including ESXi, Workstation, Fusion, and Cloud Foundation. Tracked as CVE-2022-31705, it is a heap out-of-bounds write that could allow code execution on vulnerable systems. VMware rates the vulnerability critical, with a CVSSv3 base score of 9.3.
Description
CVE-2022-31705 is a heap out-of-bounds write in the USB 2.0 controller (EHCI) that affects VMware ESXi, Workstation, and Fusion. To exploit it, an attacker must already have local administrative privileges inside a guest virtual machine. On successful exploitation, the attacker can execute code as the virtual machine's VMX process on the host. On ESXi, that execution stays contained within the VMX sandbox. On Workstation and Fusion, it may lead to code execution on the machine where Workstation or Fusion is installed, effectively a guest-to-host escape. Because the flaw sits in the virtual USB controller, removing that controller from a VM (see Workaround below) removes the exposed device until patches are applied.
Affected versions
- Cloud Foundation 4.x/3.x
- Fusion 12.x prior to 12.2.5
- Workstation 16.x prior to 16.2.5
- VMware ESXi 8.0.x prior to build 20842819
- VMware ESXi 7.0.x prior to build 20841705
Mitigation
VMware has released patches to address the vulnerability. Refer to VMware Security Advisory VMSA-2022-0033 for the fixed builds and version-specific patch details.
Workaround
VMware Workstation and VMware Fusion (KB79712)
Follow these steps to remove the USB controller from a virtual machine in VMware Workstation or VMware Fusion. Note that removing the controller also detaches any USB devices passed through to that guest, so confirm the VM does not depend on them before applying the workaround.
Prerequisites
Shut down or power off the virtual machine first; the setting cannot be changed while the virtual machine is powered on or suspended.
For Fusion:
- Select Window > Virtual Machine Library.
- Select a virtual machine in the Virtual Machine Library window and click Settings.
- Under Removable Devices in the Settings window, click USB & Bluetooth.
- Under Advanced USB options, click Remove USB Controller.
- Click Remove in the confirmation dialog box.
For Workstation:
- Select a virtual machine in the Library pane and select VM > Settings.
- On the Virtual Machine Settings dialog, go to the Hardware tab.
- Select the USB Controller entry and click Remove.
For more information, refer to KB79712.
For the corresponding steps to remove the USB controller from a virtual machine on VMware ESXi, see KB87617.
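The affected-version list above and the workaround steps both reduce to two checks a practitioner repeats across a fleet: is this build or version below the fixed level, and does this VM still have a USB controller attached. The following Python script is an added example written for this page, not Qualys or VMware code. It encodes the fixed builds and versions exactly as listed above and parses .vmx configurations to flag VMs on which the workaround is still outstanding. The .vmx key names usb.present, ehci.present and usb_xhci.present, the sample .vmx fragments, and the build numbers used in the stand-alone run are assumptions or constructed data, not taken from the advisory.

```python
"""Triage helper for CVE-2022-31705 (VMSA-2022-0033).

Added example, not Qualys or VMware code. It answers two questions that come
up while working through this advisory:

1. Is an ESXi build, or a Workstation/Fusion version, below the fixed level
   the advisory lists?
2. Does a VM's .vmx still carry a virtual USB controller, i.e. is the
   workaround (removing the controller) still outstanding for that VM?

Assumption not taken from the page: the .vmx keys usb.present, ehci.present
and usb_xhci.present flag the USB 1.1, USB 2.0 (EHCI, the vulnerable device)
and USB 3.x controllers, with the string "TRUE" marking presence.
"""
import re
from typing import Dict, List, Tuple

# Fixed ESXi builds from the advisory; any lower build on that branch is vulnerable.
FIXED_ESXI_BUILD = {"8.0": 20842819, "7.0": 20841705}

# Fixed desktop versions from the advisory, keyed by (product, major version).
FIXED_DESKTOP_VERSION = {("workstation", 16): (16, 2, 5), ("fusion", 12): (12, 2, 5)}

# .vmx keys that indicate a virtual USB controller is attached (assumption).
USB_CONTROLLER_KEYS = ("usb.present", "ehci.present", "usb_xhci.present")

# Constructed .vmx fragments: the same VM before and after the workaround.
SAMPLE_VMX_BEFORE = '''\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "19"
displayName = "lab-vm"
usb.present = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "FALSE"
usb:1.present = "TRUE"
usb:1.deviceType = "hub"
'''
SAMPLE_VMX_AFTER = '''\
.encoding = "UTF-8"
displayName = "lab-vm"
usb.present = "FALSE"
'''


def esxi_is_vulnerable(branch: str, build: int) -> bool:
    """True if an ESXi host on branch "7.0" or "8.0" runs a build below the fix."""
    if branch not in FIXED_ESXI_BUILD:
        raise ValueError(f"ESXi {branch} has no fixed build listed in this advisory")
    return build < FIXED_ESXI_BUILD[branch]


def parse_version(version: str) -> Tuple[int, ...]:
    """'16.2.4' -> (16, 2, 4), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def desktop_is_vulnerable(product: str, version: str) -> bool:
    """True if Workstation 16.x or Fusion 12.x is below the fixed version."""
    parsed = parse_version(version)
    key = (product.lower(), parsed[0])
    if key not in FIXED_DESKTOP_VERSION:
        raise ValueError(f"{product} {version} is not an affected line in this advisory")
    return parsed < FIXED_DESKTOP_VERSION[key]


_VMX_LINE = re.compile(r'^([\w.:\-]+)\s*=\s*"(.*)"$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines of a .vmx file into a dict with lower-cased keys."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _VMX_LINE.match(line)
        if match:
            config[match.group(1).lower()] = match.group(2)
    return config


def usb_controllers_present(config: Dict[str, str]) -> List[str]:
    """Return the controller keys set to TRUE in the parsed .vmx."""
    return [k for k in USB_CONTROLLER_KEYS if config.get(k, "").upper() == "TRUE"]


def needs_workaround(config: Dict[str, str]) -> bool:
    """A VM still exposes the vulnerable device class while any USB controller is present."""
    return bool(usb_controllers_present(config))


if __name__ == "__main__":
    print("ESXi 8.0 build 20842818 vulnerable:", esxi_is_vulnerable("8.0", 20842818))
    print("Workstation 16.2.4 vulnerable:", desktop_is_vulnerable("Workstation", "16.2.4"))
    for label, text in (("before", SAMPLE_VMX_BEFORE), ("after", SAMPLE_VMX_AFTER)):
        cfg = parse_vmx(text)
        print(f"{cfg['displayname']} ({label}): controllers={usb_controllers_present(cfg)}"
              f" workaround_outstanding={needs_workaround(cfg)}")
```

In practice the inputs come from the host: on ESXi, `vmware -v` or `esxcli system version get` reports the running build, and each VM's .vmx sits in its datastore directory. The version helpers deliberately raise on product lines the advisory does not list rather than silently reporting them as safe, so a host on an unexpected branch is surfaced for manual review instead of being dropped from the results.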
Qualys Detection
Qualys customers can scan their assets with QIDs 377837, 377839, 216301, and 216302 to detect vulnerable instances.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://kb.vmware.com/s/article/79712
https://kb.vmware.com/s/article/87617
https://www.vmware.com/security/advisories/VMSA-2022-0033.html