VMware Sandbox Escape Bugs Are So Critical, Patches Are Released For End-of-Life Products

An anonymous reader quotes a report from Ars Technica: VMware is urging customers to patch critical vulnerabilities that make it possible for hackers to break out of sandbox and hypervisor protections in all versions, including out-of-support ones, of VMware ESXi, Workstation, Fusion, and Cloud Foundation products. A constellation of four vulnerabilities -- two carrying severity ratings of 9.3 out of a possible 10 -- are serious because they undermine the fundamental purpose of the VMware products, which is to run sensitive operations inside a virtual machine that's segmented from the host machine. VMware officials said that the prospect of a hypervisor escape warranted an immediate response under the company's IT Infrastructure Library, a process usually abbreviated as ITIL.

"In ITIL terms, this situation qualifies as an emergency change, necessitating prompt action from your organization," the officials wrote in a post. "However, the appropriate security response varies depending on specific circumstances." Among the specific circumstances, one concerns which vulnerable product a customer is using, and another is whether and how it may be positioned behind a firewall. A VMware advisory included the following matrix showing how the vulnerabilities -- tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255 -- affect each of the vulnerable products [...]. Three of the vulnerabilities affect the USB controller the products use to support peripheral devices such as keyboards and mice.

Broadcom, the VMware parent company, is urging customers to patch vulnerable products. As a workaround, users can remove USB controllers from vulnerable virtual machines, but Broadcom stressed that this measure could degrade virtual console functionality and should be viewed as only a temporary solution. In an article explaining how to remove a USB controller, officials wrote: "The workaround is to remove all USB controllers from the Virtual Machine. As a result, USB passthrough functionality will be unavailable. In addition, virtual/emulated USB devices, such as VMware virtual USB stick or dongle, will not be available for use by the virtual machine. In contrast, the default keyboard/mouse as input devices are not affected as they are, by default, not connected through USB protocol but have a driver that does software device emulation in the guest OS.

IMPORTANT:
Certain guest operating systems, including Mac OS, do not support using a PS/2 mouse and keyboard. These guest operating systems will be left without a mouse and keyboard without a USB controller."

Well, now I'm eating crow

[Powercntrl]

Just earlier today I posted this. [slashdot.org] I guess I take it back, it probably isn't a good idea to be mucking around clicking on Facebook's sketchy sponsors in a VM.

Re:

[ls671]

VMs aren't VMware specific. I haven't used a VMware vm for ages. Anyway, I guess I'll keep my eyes open for similar vulnerabilities in qemu/kvm.

Re:

[saloomy]

Smart. With the Broadcom acquisition, our next refresh will probably be some other hypervisor. Fuck that. In any case, VMware is not patching ESXi 6.7. The headline is misleading.

Re:

[echo123]

In any case, VMware is not patching ESXi 6.7.

Read my comment here [slashdot.org]. (I read your comment after I wrote that one.). There's a link to all the patches to bring you all the way up-to-date, using easy, well-documented commands.

Re:

[fuzzyfuzzyfungus]

There was a somewhat similar(also a bug in the virtual USB device allowing manipulation of the VM host from inside a guest with virtual USB a few years ago [nist.gov]. There have also been a couple(CVE-2015-3456 and CVE-2021-3507) targeting the virtual floppy drive device.

They seem to be relatively rare; though tend to be pretty alarming when they do come up because their relative rarity means that people often treat a hypervisor as a reliable security boundary so there isn't necessarily a lot of backup built in to

Re:

[Z00L00K]

Well, we can't predict everything.

What I see is that for some it's not possible to disable the USB on the virtual machine since the software that's executing on the VM needs a hardware lock that's on USB.

That's quite common when it comes to some software in the industry.

Re:

[fuzzyfuzzyfungus]

There are some 'usb devices over IP' software offerings that add a virtual USB root and can be used to connect USB devices that are physically connected to other hosts(obviously this works better with relatively low-bandwidth and latency-insensitive things; it's more about license dongles and USB to serial converters than video capture devices); so you do have options(and those offerings also tend to have explicit support for relatively easy switching of the USB devices being redirected between multiple hos

Re:

[DarkOx]

This was one of the first things that come to my mind too. This things are actually pretty common in "private clouds" because they provide one of the only easy/obvious ways to deal with things like license-dongles, hardware security keys, etc that connect over USB but you want to be able to migrate VMs across physical hosts.

So a lot of these rather chintzy devices are connected to pretty high value targets.

That said exploiting them as an attacker would be challenging, you probably need code execution on the

Re:

[Kernel Kurtz]

Nothing is completely safe. VMs are an added layer of security, but they should certainly not be the only one.

Re:

[ctilsie242]

I wonder if there can be some things done to mitigate attacks in a VM. For example, a few years ago when every site required Flash, I would not just browse the web in a virtual machine, but as a unprivileged user, and if possible, in some sort of sandbox, like FireJail, which would help against all but CPU level attacks (Spectre/Meltdown).

Stuff escaping on a CPU level can be very scary, just because so much in a company depends on stuff staying inside virtual machines or containers. For example, on a larg

Re:

[Kernel Kurtz]

I wonder if there can be some things done to mitigate attacks in a VM.

Beyond the usual firewalls, malware scanners, VPNs, browser extensions, etc., you could always run nested VMs with different hypervisors. Say a Proxmox VM on a Virtualbox guest, or Hyper-V on a Vmware guest, or the reverse. Obviously this will require some configuration work and suitable computing horsepower.

Re:

[Anonymous Coward]

It doesn't work the way you think.

Most of the known issues can poke all the way through any number of layers to the host. Also, vulnerabilities like this in virtual machines have been known far longer than anyone thinks and there are lingering holes that still work today.

It's funny they think this is worthy of a 9.3. Just imagine if they knew the truth.

Re:

[ctilsie242]

Even if one nests a VM a ton of times, if the VM can execute code on the processor, it can escape.

What -might- work are Bochs style virtual machines, where the VM emulates the CPU, instruction by instruction. Downside of this is that this type of complete virtualization is very slow, and it needs to be secure to ensure that the virtualization code doesn't allow translation bugs. However, this is a way to ensure that any oddball bugs are not allowed to touch a hardware CPU.

Re:

[Kernel Kurtz]

Yes, no argument here. Nesting will protect against some classes of hypervisor bugs, but not all of them. Obviously in some cases VMs provides no additional security at all as everything touches the CPU in the end. As a practical matter I still consider them another layer in a proper layered security posture.

Re:

[fuzzyfuzzyfungus]

It wouldn't be surprising if there will be some demand for bite-sized physical machines from people who think that they can't assume hypervisors will be security boundaries; but I suspect that getting actual improvement will be harder than it looks; especially if you aren't willing to sacrifice convenience:

VMs are, certainly, in no small part about utilization and economies of scale: until you get to the point of systems 'big' enough that they seriously restrict your choice of vendors(eg. basically every

Re:

[ctilsie242]

This does bring up a point... how confident can one be that hypervisors will be solid security boundaries? If CPU issues like what we have had are fixed and dealt with, that is one thing, similar to how we don't worry about floating point division due to the Pentium's FDIV bug... but if these are something that can't easily be fixed, then going to physical boundaries might just be the best way to handle things. Mainly because the amount of money that a bad guy can make by jumping out of a VM or container

Re:

[ElizabethGreene]

"how confident can one be that hypervisors will be solid security boundaries?"

As a data point, Microsoft has a substantial bug bounty program for Hyper-V, [up to...] a quarter of a million USD for a working/well documented RCE. That's a non-trivial bet on Hypervisor security.

https://www.microsoft.com/en-u... [microsoft.com]

VoodooPS2 driver for MacOS

[meandmatt]

Its sounds fun to just try out the VoodooPS2 driver for macOS. This is used for Hackintosh machines that have a PS2 Port for use with mouse and keyboards.

End of life

[bookwormT3]

Except the "end of life" products are actually not end of life, they're on extended support.

I'm reliably informed some of that is actually still being sold licenses for.

Re:

[Cigamit]

Exactly. And it should be pointed out, that the patches were only released to the Extended support repos, not to the default repos. I know plenty of people who are still running ESXi 6.7 because they don't feel the need to throw out perfectly good hardware to upgrade to 7/8 (most have updated VCenter at least) and they didn't get these patches.

Implementation or Architecture?

[crow]

Any insight on to whether this is an implementation bug or something more fundamental from the architecture? If the latter, it's more likely to have the same issue in other hypervisors like KVM. I would assume the relevant teams are looking to see if related issues exist, but I hope those "relevant teams" aren't just on the dark side of things.

Re:

[mtm10]

Reads to me like it is a bug in VMware's implementation of the virtualized UHCI USB controller:

• CVE-2024-22253: a use-after-free vulnerability in UHCI USB controller with a maximum severity rating of 9.3 for Workstation/Fusion and a base score of 8.4 for ESXi. Exploitation requirements and outcomes are the same as for CVE-2024-22252.
• CVE-2024-22254: an out-of-bounds write vulnerability with a maximum severity base score of 7.9. This vulnerability makes it possible for someone with privileges within the

Re:

[jmccue]

Actually this only proves that what FreeBSD did with Jails is the way to go. Running an OS other than what you have installed is only useful for developers, for Cloud people you should use Jails or if you can take a slight risk, Linux docker or containers.

In an untrusted environment..

[Kelxin]

This has been a god send for years: https://www.faronics.com/produ... [faronics.com] Keep whatever folders you have data that will change unfroze (and automatically backed up). Something strange happens or just periodically reboot and it's back to how it was when you froze it.

No surprise

[sinkskinkshrieks]

Even before the Broadcom/Computer Associates' treatment, VMware Workstation, Fusion, and somewhat even ESXi teams were under-resourced and neglected in order to push cosmetic changes and new features over stability and security.

only 600 to do?

[Ubi_NL]

Did we not just get a story that Esxi was no longer available and that broadcom was happy by having only 600 customers?
I'm glad I just moved my SOHO virt platform to XCP

Every Star Trek holodeck espisode, ever.

[bazmail]

Be on the look out for evil Sherlock Holmes

the latest Patches for ESXi

[echo123]

For folks like me still running ESXi, (until I have time to migrate away), here's a handy page of one-line update commands to bring your machine up-to-date. I've still got to upgrade from version 7 to 8. The latest version 8 patch was released March 5.

https://tinkertry.com/easy-upd... [tinkertry.com]

https://customerconnect.vmware... [vmware.com] (requires VMware account login)

I'd like to download the actual installer, just to keep handy, but I haven't been able to find it since the %$#@! announcement. I hope it can still be had, (if anyone knows). The only safe way I know how to backup ESXi is using dd [dev.to], like this:

dd if=/dev/ORIGIN_DISK of=/dev/PLACE-TO-WRITE bs=64K conv=noerror,sync

dd if=/dev/sda of=/dev/sdb/diskimage.img bs=64K conv=noerror,sync