VMware’s VMSA-2022-0004 | Runecast Analyzer

On the 15th of February, VMware announced VMSA 2022-0004, which covers multiple CVEs. CVEs like this provide definitions for publicly disclosed cybersecurity vulnerabilities and exposures, and this VMSA provides VMware’s resolution information. Most of these CVEs were discovered at the Tianfu Cup, a multi day event where hackers attempt to find and exploit vulnerabilities over a very short period of time. 

While VMware have marked the individual CVEs as Important or Moderate in their severity scoring, the combination of issues may result in a higher severity, so the entire VMSA has been given a severity level of Critical. 

In response to this VMSA, our Runecast development team deployed the fix today, the 16th of February, continuing our record of reacting and implementing the solution to each and every VMSA within 24 hours for our customers. The fix is now available in the latest Runecast definitions release, version 6.0.6.2, which is available for download. Customers with automatic updates enabled will receive the new definitions during the next update cycle, with offline updates available, as always, through the Runecast customer portal.

Below is the technical information about the CVE and VMware’s response. We include these to keep you up to date with what Runecast Analyzer covers, but if you have any questions at all please don’t hesitate to contact us and we will discuss it with you.

Use-after-free vulnerability in XHCI USB controller (CVE-2021-22040)

A use-after-free vulnerability has been discovered in VMware Workstation, Fusion and ESXi, in the XHCI USB controller. VMware has classed this vulnerability as Important.

The risk is that a malicious actor with local admin privileges on a virtual machine could use this to execute code as the virtual machines’ VMX process on the host.

• The vulnerability affects the following products: ESXi versions 6.5, 6.7 and 7.0 (Updates 1, 2 & 3), Workstation 16.x and Fusion 12.x.
• In addition to these the VMware Cloud Foundation (ESXi) versions 3.x and 4.x are affected. 
  

Workarounds and patches have been provided for all the affected products. 

Double-fetch vulnerability in UHCI USB controller (CVE-2021-22041)

Another vulnerability (a double-fetch vulnerability) has been discovered in a USB controller, this time the UHCI USB controller. VMware has classed this vulnerability as Important.

There is a similar risk to the vulnerability above, in that a malicious actor with local admin privileges on a virtual machine could use this to execute code as the virtual machines’ VMX process on the host.

• The vulnerability affects the following products: ESXi versions 6.5, 6.7 and 7.0 (Updates 1, 2 & 3), Workstation 16.x and Fusion 12.x.
• In addition to these the VMware Cloud Foundation (ESXi) versions 3.x and 4.x are affected. 
  

Workarounds and patches have been provided for all the affected products. 

ESXi settingsd unauthorized access vulnerability (CVE-2021-22042)

No, that’s not a typo. There is a settingsd vulnerability in ESXi. This vulnerability is due to VMX having access to settingsd authorization tickets. VMware has classed this vulnerability as Important.

The risk is that a malicious actor with only VMX process access may be able to access the settingsd service running as a high-privileged user.

• The vulnerability affects the following products: ESXi versions 6.5, 6.7 and 7.0 (Updates 1, 2 & 3)
• In addition to these the VMware Cloud Foundation (ESXi) versions 3.x and 4.x are affected. 
  

Patches have been released for all affected products, however there are no workarounds.

ESXi settingsd TOCTOU vulnerability (CVE-2021-22043)

Another vulnerability in settingsd was also found, this one a TOCTOU vulnerability. TOCTOU stands for Time-of-check Time-of-use and using this a malicious actor with access to settingsd could exploit this vulnerability to escalate their privileges by writing arbitrary files. VMware has classed this vulnerability as Important.

• The vulnerability affects the following products: ESXi versions 6.5, 6.7 and 7.0 (Updates 1, 2 & 3)
• In addition to these the VMware Cloud Foundation (ESXi) versions 3.x and 4.x are affected. 
  

Patches have been released for all affected products, however there are no workarounds.

ESXi slow HTTP POST denial of service vulnerability (CVE-2021-22050)

The last vulnerability in this list is one that appears not to have been discovered as part of the Tianfu Cup, but by external pen testers and SolidLabLLC. This vulnerability applies to ESXi which has been found to have a slow HTTP POST denial-of-service vulnerability in rhttpproxy. VMware has classed this vulnerability as Moderate.

Using this vulnerability a malicious actor with network access to the affected ESXi could create a denial of service condition by overwhelming the rhttpproxy service. 

• The vulnerability affects the following products: ESXi versions 6.5, 6.7 and 7.0 (Updates 1, 2 & 3)
• In addition to these the VMware Cloud Foundation (ESXi) versions 3.x and 4.x are affected. 
  

Patches have been released for all affected products, however there are no workarounds.

See recent CVEs that Runecast has covered

• Runecast responds to Apache Log4j Java vulnerability
• VMWare VMSA-2022-001 Covered by Runecast
• VMware VMSA-2021-0027 Explained & Covered
  

Runecast enables IT Security and Operations teams with simpler, proactive approaches to ITOM and CSPM, in a single platform. With Runecast you mitigate risk, increase efficiency, reduce costs and ensure mission-critical stability – for VMware, AWS, Kubernetes, Azure, and now with OS-level coverage.