
Threat Update

VMware has released patches and workarounds for various products (including ESXi 6.5, 6.7 and 7, Fusion 12.x, Workstation 16.x, and VMware Cloud Foundation) to address a key security vulnerability that could be exploited by threat actors to gain control of the affected systems.

Technical Detail & Additional Information

WHAT IS THE THREAT?

These workarounds address a heap-overflow vulnerability — tracked as CVE-2021-22045 (CVSS score: 7.7 out of 10) — that, if successfully exploited, may result in remote code execution (RCE). Heap overflows are memory issues that can result in data corruption or unexpected behavior in any process that accesses the affected memory area. In this case, the problem lies in the CD-ROM device emulation function of the affected products, so successful exploitation requires that a CD image be attached to the VM. The issue stems from a lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. A malicious actor with access to an affected virtual machine (VM) with CD-ROM device emulation may be able to exploit this vulnerability if it is found in conjunction with other issues (for example, an information-disclosure vulnerability). Although the bug allows an untrusted guest operating system (OS) user to execute code on the hypervisor, an attacker would not have control over the data written and exploitation would be difficult — hence the bug must be combined with other issues for successful exploitation. If successful, though, an attacker could compromise the host OS of the hypervisor. Taking over a hypervisor, which is highly privileged software that creates and runs VMs and governs how resources (such as memory and processing) are shared among them, can give threat actors an avenue to access data and applications, execute code, and install files on the VMs it controls.

WHY IS IT NOTEWORTHY?

VMware’s virtualization solutions are widely deployed across enterprises, so their products are a popular target for threat actors to deploy exploits across potentially vulnerable networks. To mitigate the risk of a successful attack, organizations should move quickly to patch and perform workarounds to their affected systems as threat actors move fast to maximize their likelihood of finding vulnerable targets. For example, just days after a critical RCE vulnerability (tracked as CVE-2021-22005) in VMware vCenter was disclosed, a full working exploit was public and being used in the wild. ESXi users are especially at risk as multiple VMs share the same hard-drive storage, creating a one-stop shop of sorts for attacks as threat actors can target the centralized virtual hard drives used to store data from across VMs. This allows threat actors to attack multiple VMs at once, making ESXi servers a very attractive target for ransomware groups, including REvil, HelloKitty, and DarkSide.

WHAT IS THE EXPOSURE OR RISK?

Affected product versions are as follows: ESXi 6.5, 6.7 and 7 (version 7 remains unpatched for now); Fusion 12.x; Workstation 16.x; and all versions of VMware Cloud Foundation.

WHAT ARE THE RECOMMENDATIONS?

Patch ESXi 6.5 and 6.7 immediately. Apply workarounds for the affected product versions for which there are not yet patches. Patches and workarounds for each affected product can be found in the vendor’s advisory. For example, as of 1/8/2022, there is not yet a patch for ESXi version 7. Until one is released, the vendor recommends that users disable all CD-ROM/DVD devices on all running virtual machines to prevent potential exploitation.

  • Log in to your vCenter Server system using the vSphere Web Client.
  • Right-click the virtual machine and click “Edit Settings”.
  • Select the CD/DVD drive and uncheck “Connected” and “Connect at power on”, then remove any attached ISOs.
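The same workaround can be audited and applied at scale with VMware PowerCLI. The script below is an added example, not code from the vendor advisory: it connects to a vCenter Server (the hostname is an assumed parameter), lists every VM whose CD/DVD drive is connected, set to connect at power on, or still has an ISO attached, and only when run with `-Remediate` disconnects those drives, clears the connect-at-power-on flag, and removes the ISO. It covers ESXi VMs managed through vCenter; Fusion and Workstation VMs must be handled on each workstation.

```powershell
# Added example (not from the VMware advisory): audit, and optionally disable,
# CD/DVD devices on all vCenter-managed VMs as a CVE-2021-22045 workaround.
# Assumes VMware PowerCLI is installed and the account may edit VM settings.
param(
    [Parameter(Mandatory = $true)] [string] $Server,   # vCenter hostname (assumed)
    [switch] $Remediate                                # omitted: report only
)

Connect-VIServer -Server $Server | Out-Null

# A drive is "exposed" if it is connected now, will connect at power on,
# or still points at an ISO; these are exactly the settings the workaround removes.
$exposed = foreach ($vm in Get-VM) {
    foreach ($cd in Get-CDDrive -VM $vm) {
        $state = $cd.ConnectionState
        if ($state.Connected -or $state.StartConnected -or $cd.IsoPath) {
            [pscustomobject]@{
                VM             = $vm.Name
                PowerState     = $vm.PowerState
                Connected      = $state.Connected
                StartConnected = $state.StartConnected
                IsoPath        = $cd.IsoPath
                Drive          = $cd
            }
        }
    }
}

# Report first, so the change set is visible before anything is modified.
$exposed | Select-Object VM, PowerState, Connected, StartConnected, IsoPath |
    Format-Table -AutoSize

if ($Remediate) {
    foreach ($item in $exposed) {
        # Step 1: disconnect the device and clear "Connect at power on".
        $item.Drive | Set-CDDrive -Connected:$false -StartConnected:$false -Confirm:$false | Out-Null
        # Step 2: detach the ISO so no CD image remains attached to the VM.
        $item.Drive | Set-CDDrive -NoMedia -Confirm:$false | Out-Null
        Write-Host "Disabled CD/DVD device on $($item.VM)"
    }
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

On a powered-on VM whose guest has locked the CD device, vSphere may raise a pending question that the change waits on; check `Get-VMQuestion` and answer it with `Set-VMQuestion` before rerunning the script.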

Please see VMware’s vendor advisory for more information on patches and workarounds, listed by product type.

REFERENCES

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.



Posted by Doris Au

Doris is a product marketing manager at Barracuda MSP. In this position, she is responsible for connecting managed service providers with multi-layered security and data protection products that can protect their customers from today’s advanced cyber threats.
