VMSA-2022-0004 Explained & Covered

On the 15th of February, VMware announced VMSA 2022-0004, which covers multiple CVEs. CVEs like this provide definitions for publicly disclosed cybersecurity vulnerabilities and exposures, and this VMSA provides VMware’s resolution information. Most of these CVEs were discovered at the Tianfu Cup, a multi day event where hackers attempt to find and exploit vulnerabilities over a very short period of time. 

While VMware have marked the individual CVEs as Important or Moderate in their severity scoring, the combination of issues may result in a higher severity, so the entire VMSA has been given a severity level of Critical. 

In response to this VMSA, our Runecast development team deployed the fix today, the 16th of February, continuing our record of reacting and implementing the solution to each and every VMSA within 24 hours for our customers. The fix is now available in the latest Runecast definitions release, version 6.0.6.2, which is available for download. Customers with automatic updates enabled will receive the new definitions during the next update cycle, with offline updates available, as always, through the Runecast customer portal.

Below is the technical information about the CVE and VMware’s response. We include these to keep you up to date with what Runecast Analyzer covers, but if you have any questions at all please don’t hesitate to contact us and we will discuss it with you.

Use-after-free vulnerability in XHCI USB controller (CVE-2021-22040)

A use-after-free vulnerability has been discovered in VMware Workstation, Fusion and ESXi, in the XHCI USB controller. VMware has classed this vulnerability as Important.

The risk is that a malicious actor with local admin privileges on a virtual machine could use this to execute code as the virtual machines’ VMX process on the host.

  • The vulnerability affects the following products: ESXi versions 6.5, 6.7 and 7.0 (Updates 1, 2 & 3), Workstation 16.x and Fusion 12.x.
  • In addition to these the VMware Cloud Foundation (ESXi) versions 3.x and 4.x are affected. 

Workarounds and patches have been provided for all the affected products. 

Double-fetch vulnerability in UHCI USB controller (CVE-2021-22041)

Another vulnerability (a double-fetch vulnerability) has been discovered in a USB controller, this time the UHCI USB controller. VMware has classed this vulnerability as Important.

There is a similar risk to the vulnerability above, in that a malicious actor with local admin privileges on a virtual machine could use this to execute code as the virtual machines’ VMX process on the host.

  • The vulnerability affects the following products: ESXi versions 6.5, 6.7 and 7.0 (Updates 1, 2 & 3), Workstation 16.x and Fusion 12.x.
  • In addition to these the VMware Cloud Foundation (ESXi) versions 3.x and 4.x are affected. 

Workarounds and patches have been provided for all the affected products. 

ESXi settingsd unauthorized access vulnerability (CVE-2021-22042)

No, that’s not a typo. There is a settingsd vulnerability in ESXi. This vulnerability is due to VMX having access to settingsd authorization tickets. VMware has classed this vulnerability as Important.

The risk is that a malicious actor with only VMX process access may be able to access the settingsd service running as a high-privileged user.

  • The vulnerability affects the following products: ESXi versions 6.5, 6.7 and 7.0 (Updates 1, 2 & 3)
  • In addition to these the VMware Cloud Foundation (ESXi) versions 3.x and 4.x are affected. 

Patches have been released for all affected products, however there are no workarounds.


ESXi settingsd TOCTOU vulnerability (CVE-2021-22043)

Another vulnerability in settingsd was also found, this one a TOCTOU vulnerability. TOCTOU stands for Time-of-check Time-of-use and using this a malicious actor with access to settingsd could exploit this vulnerability to escalate their privileges by writing arbitrary files. VMware has classed this vulnerability as Important.

  • The vulnerability affects the following products: ESXi versions 6.5, 6.7 and 7.0 (Updates 1, 2 & 3)
  • In addition to these the VMware Cloud Foundation (ESXi) versions 3.x and 4.x are affected. 

Patches have been released for all affected products, however there are no workarounds.

ESXi slow HTTP POST denial of service vulnerability (CVE-2021-22050)

The last vulnerability in this list is one that appears not to have been discovered as part of the Tianfu Cup, but by external pen testers and SolidLabLLC. This vulnerability applies to ESXi which has been found to have a slow HTTP POST denial-of-service vulnerability in rhttpproxy. VMware has classed this vulnerability as Moderate.

Using this vulnerability a malicious actor with network access to the affected ESXi could create a denial of service condition by overwhelming the rhttpproxy service. 

  • The vulnerability affects the following products: ESXi versions 6.5, 6.7 and 7.0 (Updates 1, 2 & 3)
  • In addition to these the VMware Cloud Foundation (ESXi) versions 3.x and 4.x are affected. 

Patches have been released for all affected products, however there are no workarounds.

See recent CVEs that Runecast has covered

Runecast enables IT Security and Operations teams with simpler, proactive approaches to ITOM and CSPM, in a single platform. With Runecast you mitigate risk, increase efficiency, reduce costs and ensure mission-critical stability – for VMware, AWS, Kubernetes, Azure, and now with OS-level coverage.


Request a Free Trial

Try Runecast or contact us to discuss transitioning to a proactive approach in your IT environment.

Contact Us
About the Author | Daniel Jones

Daniel Jones is the Technical Content Writer for Runecast. Daniel has 10 years experience working IT Operations and Infrastructure/Network admin before transitioning to Process Improvement and documentation. Working and writing for Runecast means he can combine his interest in tech with his love of the written word.

When Daniel is not working he can be found writing stories and songs, chasing around after his family and pining for the seaside.