Security News > 2024 > March > VMware urges emergency action to blunt hypervisor flaws
Hypervisor heavyweight VMware by Broadcom yesterday revealed its hypervisors are not quite so inviolable as it might like.
The nastiest two - CVE-2024-22252 and 22253 - are rated 9.3/10 on VMware's Workstation and Fusion desktop hypervisors and 8.4 on the ESXi server hypervisor.
Under ESXi it will run in the VMX process that encapsulates each guest VM. In an FAQ, VMware rated the two flaws an emergency change, as defined by the IT Infrastructure Library.
Workarounds for the flaws even apply to vSphere 6.x - a now unsupported version of VMware's flagship server virtualization platform.
The FAQ adds: "That said, most Windows and Linux versions support use of the virtual PS/2 mouse and keyboard," and removing unnecessary devices such as USB controllers is recommended as part of the security hardening guidance VMware publishes.
These look significant, but short of total takeovers of the hypervisor that would allow an attacker to control fleets of VMs. Interestingly, some of the flaws were discovered by researchers at 2023's Tianfu Cup Pwn Contest - China's equivalent of the Pwn2Own infosec attack-fest.
News URL
https://go.theregister.com/feed/www.theregister.com/2024/03/07/vmware_usb_critical_flaws/