VMware patches critical flaws in ESXi, Workstation, Fusion and Cloud Foundation
2024-03-07 13:04

VMware has fixed four vulnerabilities in ESXi, Workstation, Fusion and Cloud Foundation, some of which could allow attackers to escape the sandbox and execute code on the host machine.

VMware ESXi is a bare-metal hypervisor, VMware Workstation and Fusion are desktop hypervisors, and VMware Cloud Foundation is a hybrid cloud platform.

CVE-2024-22252 and CVE-2024-22253 affect VMware ESXi, Workstation, and Fusion and are critical use-after-free vulnerabilities in the XHCI and UHCI USB controllers, respectively.

"A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed," the VMware security advisory says for both flaws.

CVE-2024-22255 is an information disclosure vulnerability in the UHCI USB controller affecting VMware ESXi, Workstation, and Fusion.

Customers that have deployed VMware Workstation, VMware Fusion, and/or VMware ESXi as part of VMware vSphere are also affected and should upgrade to vSphere 7 or 8.


News URL

https://www.helpnetsecurity.com/2024/03/07/cve-2024-22252-cve-2024-22253/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Vmware 186 83 403 203 107 796