Three VMware Zero-Days Under Active Exploitation – What You Need to Know
Broadcom has published a security advisory stating that VMware ESXi, Workstation and Fusion contain three zero-day vulnerabilities (CVE-2024-22224/5/6) that are already being exploited in the wild. These high-severity flaws allow an attacker to execute malicious code, escape the sandbox or leak sensitive information. VMware has released patches; users should update immediately to reduce the risk.
2025-3-10 12:15:42 Author: cyble.com

Overview

Broadcom has issued a security advisory addressing three critical zero-day vulnerabilities in multiple VMware products, including VMware ESXi, Workstation, and Fusion. The Microsoft Threat Intelligence Center (MSTIC) discovered these vulnerabilities and found them exploited in the wild. Organizations using the affected VMware products are strongly advised to apply the available patches immediately to mitigate the risks associated with these flaws.

Details of the Vulnerabilities

The identified vulnerabilities, tracked as CVE-2024-22224, CVE-2024-22225, and CVE-2024-22226, could allow attackers with administrative privileges to execute malicious code, escape sandbox environments, and leak sensitive information from memory. The severity of these vulnerabilities ranges from 7.1 to 9.3 on the CVSSv3 scale, making them critical concerns for organizations relying on VMware infrastructure.

1. CVE-2024-22224: VMware ESXi and Workstation Heap-Overflow Vulnerability

  • Severity: Critical (CVSSv3 Score: 9.3)
  • Description: This vulnerability is caused by a Time-of-Check Time-of-Use (TOCTOU) flaw in VMware ESXi and Workstation. It results in an out-of-bounds write, which an attacker with local administrative privileges can exploit to execute arbitrary code within the virtual machine’s executable (VMX) process on the host system.
  • Impact: Exploitation can lead to full control over the VMX process, potentially allowing attackers to compromise the host machine.
  • Mitigation: Organizations should apply the patches listed in the “Fixed Versions” section below.
  • Workarounds: None available.

2. CVE-2024-22225: VMware ESXi Arbitrary Write Vulnerability

  • Severity: Important (CVSSv3 Score: 8.2)
  • Description: This vulnerability exists in VMware ESXi and allows attackers with the necessary privileges to exploit the VMX process, resulting in arbitrary kernel writes. This can be used to escape the sandbox and execute malicious code on the host machine.
  • Impact: Attackers may gain unauthorized access to critical system components and compromise virtualized environments.
  • Mitigation: Organizations should apply the patches immediately.
  • Workarounds: None available.
  • Additional Resources: VMware has provided an FAQ document for further details on this vulnerability.

3. CVE-2024-22226: VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability

  • Severity: Important (CVSSv3 Score: 7.1)
  • Description: This vulnerability stems from an out-of-bounds read in HGFS (Host Guest File System), which allows attackers with administrative privileges to leak memory contents from the VMX process.
  • Impact: Potential data leaks that can be leveraged for further exploitation or privilege escalation.
  • Mitigation: Apply the recommended patches as listed below.
  • Workarounds: None available.

Broadcom has confirmed that these vulnerabilities have been exploited in real-world attacks. However, no technical details or proof-of-concept (PoC) exploits have been publicly disclosed. Organizations should assume active exploitation and prioritize patching accordingly.

Recommended Solutions and Patch Details

VMware has released security patches for affected products. Organizations should update to the fixed versions listed below:

Affected Product           CVE(s)                                           Fixed Version
VMware ESXi 8.0            CVE-2024-22224, CVE-2024-22225, CVE-2024-22226   ESXi80U3d-24585383, ESXi80U2d-24585300
VMware ESXi 7.0            CVE-2024-22224, CVE-2024-22225, CVE-2024-22226   ESXi70U3s-24585291
VMware ESXi 6.7            CVE-2024-22224, CVE-2024-22225, CVE-2024-22226   ESXi670-202403001
VMware Workstation 17.x    CVE-2024-22224, CVE-2024-22226                   17.6.3
VMware Fusion 13.x         CVE-2024-22226                                   13.6.3

Additionally, VMware Cloud Foundation and VMware Telco Cloud Platform are affected. An asynchronous patch is available for VMware Cloud Foundation, while Telco Cloud Platform customers should update to a fixed ESXi version. Broadcom’s advisory provides further details.
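As an added example (not code from Cyble, VMware or Broadcom), the following Python check turns the fixed-version table above into a per-host verdict. It assumes the one-line `VMware <product> <version> build-<n>` format printed by `vmware -v`, and the inventory strings it runs over are constructed, not real hosts.

```python
import re

# First fixed ESXi build per update train, from the patch table above. Builds are
# compared only within the same train (8.0.2 = U2, 8.0.3 = U3) because U2d and
# U3d are separate fixed releases. ESXi 6.7's fix (ESXi670-202403001) has no build
# number in the table, so 6.7 hosts are flagged for a manual check instead.
ESXI_FIXED_BUILD = {"8.0.3": 24585383, "8.0.2": 24585300, "7.0.3": 24585291}
DESKTOP_FIXED = {"Workstation": (17, 6, 3), "Fusion": (13, 6, 3)}
ESXI_RE = re.compile(r"^VMware ESXi (\d+)\.(\d+)\.(\d+) build-(\d+)$")
DESKTOP_RE = re.compile(r"^VMware (Workstation|Fusion) (\d+)\.(\d+)\.(\d+)")

def check_line(line):
    """Classify one 'VMware <product> <version> build-<n>' string (the one-line form
    printed by `vmware -v`; assumed format) as patched, vulnerable, verify or unknown."""
    m = ESXI_RE.match(line.strip())
    if m:
        major, minor, update, build = (int(x) for x in m.groups())
        train = f"{major}.{minor}.{update}"
        if (major, minor) == (6, 7):
            return "verify", "confirm patch bundle ESXi670-202403001 is installed"
        fixed = ESXI_FIXED_BUILD.get(train)
        if fixed is None:
            if (major, minor) in ((8, 0), (7, 0)):
                return "vulnerable", f"ESXi {train}: no fix on this train, move to a fixed update release"
            return "unknown", f"ESXi {train} is not covered by the advisory table"
        status = "patched" if build >= fixed else "vulnerable"
        return status, f"build {build} vs fixed build {fixed} on the {train} train"
    m = DESKTOP_RE.match(line.strip())
    if m:
        product = m.group(1)
        version = tuple(int(x) for x in m.group(2, 3, 4))
        fixed = DESKTOP_FIXED[product]
        if version[0] != fixed[0]:
            return "unknown", f"{product} {version[0]}.x is not covered by the advisory table"
        status = "patched" if version >= fixed else "vulnerable"
        return status, f"{product} {version} vs fixed {fixed}"
    return "unknown", "unrecognised version string"

def audit(lines):
    """Map each version string to its status, e.g. over an inventory pulled from many hosts."""
    return {line: check_line(line)[0] for line in lines}

# Constructed sample inventory (not real hosts); non-fixed build numbers are made up.
SAMPLE_INVENTORY = [
    "VMware ESXi 8.0.3 build-24400000", "VMware ESXi 8.0.3 build-24585383",
    "VMware ESXi 8.0.2 build-24585300", "VMware ESXi 8.0.1 build-22000000",
    "VMware ESXi 7.0.3 build-23000000", "VMware ESXi 6.7.0 build-17000000",
    "VMware Workstation 17.5.2 build-23000000", "VMware Fusion 13.6.3 build-24500000",
]
```

Feed `audit()` the `vmware -v` output collected from each host; anything reported as `vulnerable` or `verify` belongs at the top of the patch queue.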

Steps for Organizations

To minimize risks associated with these vulnerabilities, organizations should take the following actions:

  1. Apply Patches Immediately: Update affected VMware products to the latest fixed versions.
  2. Monitor Security Advisories: Regularly check VMware’s official advisories for updates.
  3. Implement Network Segmentation: Restrict access to administrative interfaces of virtual machines to reduce potential attack vectors.
  4. Enable Logging and Monitoring: Increase visibility into system activity to detect potential exploitation attempts.
  5. Review Security Policies: Ensure virtualized environments follow best security practices, including the principle of least privilege.

Conclusion

The discovery of these zero-day vulnerabilities in VMware ESXi, Workstation, and Fusion emphasizes the need for timely patching and proactive security measures. Since these flaws are being actively exploited in the wild, organizations should prioritize updates and strengthen their security posture.

Following VMware’s guidance and adopting sound cybersecurity practices will help mitigate the risks associated with these vulnerabilities.

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No Liability for Errors or Omissions Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.


Article source: https://cyble.com/blog/three-vmware-zero-days-under-active-exploitation/