VMware released security updates to address a critical-severity vulnerability impacting ESXi, Workstation, Fusion, and Cloud Foundation, and a critical-severity command injection flaw affecting vRealize Network Insight.
The VMware ESXi heap out-of-bounds write vulnerability is tracked as CVE-2022-31705 and has received a CVSS v3 severity rating of 9.3.
“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the security advisory reads.
“On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.”
The vulnerability impacts the following products:
ESXi 8.0 (fixed in ESXi 8.0a-20842819)
ESXi 7.0 (fixed in 7.0U3i-20842708)
Fusion 12.x (fixed in 12.2.5)
Workstation 16.x (fixed in 16.2.5)
Cloud Foundation 4.x/3.x (fixed in KB90336)
VMware Fusion 13.x and Workstation 17.x are not impacted by the flaw.
Because CVE-2022-31705 is in the virtual USB 2.0 controller (EHCI), the recommended workaround for those who can’t apply the security update is to remove the USB controller from affected virtual machines. Note that this also disconnects any USB devices passed through to the guest.
VMware has released step-by-step instructions on how to apply the workaround on a VMware ESXi virtual machine, which also applies to the Cloud Foundation suite.
For VMware Fusion, follow these steps:
- Select Window > Virtual Machine Library.
- Select a virtual machine in the Virtual Machine Library window and click Settings.
- Under Removable Devices in the Settings window, click USB & Bluetooth.
- Under Advanced USB options, click Remove USB Controller.
- Click Remove in the confirmation dialog box.
For VMware Workstation, follow these steps:
- Select a virtual machine in the Library pane and select VM > Settings.
- On the Virtual Machine Settings dialog, go to the Hardware tab.
- Select the USB Controller entry and click Remove.
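The GUI steps above handle one VM at a time. The following script, added here as an example and not part of VMware's instructions or tooling, audits a fleet of .vmx configuration files for the controller the advisory names and produces a hardened copy with the USB controllers disabled. It assumes the standard VMX keys `usb.present` (USB 1.1/UHCI), `ehci.present` (USB 2.0/EHCI, the device affected by CVE-2022-31705) and `usb_xhci.present` (USB 3.x/xHCI), plus `usb:N.present` entries for passed-through devices; the sample VMX is constructed for the example. On Workstation and Fusion the .vmx file may be edited while the VM is powered off; on ESXi, follow the vendor's knowledge-base instructions rather than editing files under the datastore by hand.

```python
"""Audit VMware .vmx files for virtual USB controllers and emit a hardened copy.

Added example for this article (not VMware code). Assumption: the standard VMX
keys below enable the virtual USB controllers; usb:N.present marks attached
USB devices that will be disconnected once the controllers are gone.
"""
import re
from pathlib import Path

# VMX keys that enable a virtual USB controller (assumed standard key names).
USB_CONTROLLER_KEYS = {
    "usb.present": "USB 1.1 (UHCI)",
    "ehci.present": "USB 2.0 (EHCI)",   # controller affected by CVE-2022-31705
    "usb_xhci.present": "USB 3.x (xHCI)",
}

# VMX lines look like:  key = "value"
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"(.*)"\s*$')
_USB_DEVICE = re.compile(r"^usb:\d+\.present$")

# Constructed sample VMX (not a real VM) with a USB 2.0 controller present.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "19"
displayName = "build-agent-01"
usb.present = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "FALSE"
usb:1.present = "TRUE"
usb:1.deviceType = "hub"
scsi0.present = "TRUE"
"""


def parse_vmx(text):
    """Parse key = "value" lines into a dict with lower-cased keys."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def usb_controllers(cfg):
    """Describe every USB controller the VM currently has enabled."""
    return [desc for key, desc in USB_CONTROLLER_KEYS.items()
            if cfg.get(key, "").upper() == "TRUE"]


def has_ehci(cfg):
    """True when the vulnerable USB 2.0 (EHCI) controller is enabled."""
    return cfg.get("ehci.present", "").upper() == "TRUE"


def attached_usb_devices(cfg):
    """USB device slots (usb:N) that will be orphaned by the workaround."""
    return sorted(key.rsplit(".", 1)[0] for key, val in cfg.items()
                  if _USB_DEVICE.match(key) and val.upper() == "TRUE")


def harden_vmx(text):
    """Return the VMX text with every USB controller key set to FALSE.

    Lines are rewritten in place so the rest of the configuration, and its
    order, is preserved; keys that are absent are left absent (absent means
    the controller is not present).
    """
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).lower() in USB_CONTROLLER_KEYS:
            out.append(f'{m.group(1)} = "FALSE"')
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def audit_directory(root):
    """Report (path, controllers, devices) for every .vmx under root that
    still has the EHCI controller; writes nothing."""
    findings = []
    for path in Path(root).rglob("*.vmx"):
        cfg = parse_vmx(path.read_text(errors="replace"))
        if has_ehci(cfg):
            findings.append((str(path), usb_controllers(cfg),
                             attached_usb_devices(cfg)))
    return findings


if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    print("controllers:", usb_controllers(cfg))
    print("devices that will be disconnected:", attached_usb_devices(cfg))
    print("hardened config:\n" + harden_vmx(SAMPLE_VMX))
```

Run `audit_directory("/path/to/vms")` against a Workstation or Fusion VM directory to list every machine that still carries the EHCI controller together with the USB devices that would be dropped; only apply `harden_vmx` to a powered-off VM, and keep the original file until the guest has been verified to boot.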
In a separate security bulletin, VMware gives details about CVE-2022-31702, a critical-severity (CVSS v3: 9.8) vulnerability that allows command injection in the vRNI REST API of vRealize Network Insight versions 6.2 to 6.7.
The same security notice mentions a less severe (CVSS v3: 7.5) directory traversal flaw, CVE-2022-31703, that could let an attacker read arbitrary files from the server. That flaw impacts the same product versions mentioned above.
VMware vRealize Network Insight 6.8.0 is not affected by these vulnerabilities.
The software vendor has released security updates to address the problem for all impacted versions, as indicated in the below table.
There are no workarounds for addressing these flaws, so the recommendation is to upgrade to the latest available version for your branch.