Security News > 2024 > March > VMware urges emergency action to blunt hypervisor flaws

VMware urges emergency action to blunt hypervisor flaws
2024-03-07 07:30

Hypervisor heavyweight VMware by Broadcom yesterday revealed its hypervisors are not quite so inviolable as it might like.

The nastiest two - CVE-2024-22252 and 22253 - are rated 9.3/10 on VMware's Workstation and Fusion desktop hypervisors and 8.4 on the ESXi server hypervisor.

Under ESXi it will run in the VMX process that encapsulates each guest VM. In an FAQ, VMware rated the two flaws an emergency change, as defined by the IT Infrastructure Library.

Workarounds for the flaws even apply to vSphere 6.x - a now unsupported version of VMware's flagship server virtualization platform.

The FAQ adds: "That said, most Windows and Linux versions support use of the virtual PS/2 mouse and keyboard," and removing unnecessary devices such as USB controllers is recommended as part of the security hardening guidance VMware publishes.

These look significant, but short of total takeovers of the hypervisor that would allow an attacker to control fleets of VMs. Interestingly, some of the flaws were discovered by researchers at 2023's Tianfu Cup Pwn Contest - China's equivalent of the Pwn2Own infosec attack-fest.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/03/07/vmware_usb_critical_flaws/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Vmware 146 11 222 256 102 591