Security

New VMware VMSA-2022-0004 security vulnerability Affects ESXi Workstation Pro and others

New VMware VMSA-2022-0004 security vulnerability Affects ESXi Workstation Pro and others. Yesterday, VMware released news of high-severity security vulnerabilities that affect core products across the board. The products affected include:

These include the following vulnerabilities:

  • Use-after-free vulnerability in XHCI USB controller (CVE-2021-22040)
  • Double-fetch vulnerability in UHCI IUSB controller (CVE-2021-22041)
  • ESXi settingsd unauthorized access vulnerability (CVE-2021-22042)
  • ESXi settingsd TOCTOU vulnerability (CVE-2021-22043)
  • ESXi slow HTTP POST denial of service vulnerability (CVE-2021-22050)

The relevant CVEs are the following:

  • CVE-2021-22040
  • CVE-2021-22041
  • CVE-2021-22042
  • CVE-2021-22043
  • CVE-2021-22050

New VMware VMSA-2022-0004 security vulnerability Affects ESXi Workstation Pro and others

An attacker with local administrator rights on a virtual machine running in a vulnerable environment can potentially execute code as the virtual machine’s VMX process running on the host. So with the right set of circumstances, this is a very serious set of vulnerabilities that can lead to compromised environments. In and of themselves, the vulnerabilities are important to moderate. However, it is the cumulative nature of the vulnerabilities that can result in higher severity compromise.

Use-after-free vulnerability in XHCI USB controller (CVE-2021-22040)

This vulnerability affects VMware ESXi, VMware Workstation, VMware Fusion. It involves a use-after-free vulnerability in the XHCI USB controller. The score of this individual vulnerability is 8.4. This vulnerability is remediated in the fixed version of the affected products. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.

VMware ESXi virtual machine with USB controller
VMware ESXi virtual machine with USB controller

Double-fetch vulnerability in UHCI IUSB controller (CVE-2021-22041)

This vulnerability affects VMware ESXi, VMware Workstation, VMware Fusion. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. Again this is fixed in the fixed version of the respective VMware solution.
As a note successful exploitation of this issue requires an isochronous USB endpoint to be made available to the virtual machine.

ESXi settingsd unauthorized access vulnerability (CVE-2021-22042)

This vulnerability affects VMware ESXi and contains an unauthorized access vulnerability due to VMX having access to settingsd authorization tickets. If a malicious actor has privileges within the VMX process can access settingsd service running as a high privileged users. The fix for this is to install the fixed version.

ESXi settingsd TOCTOU vulnerability (CVE-2021-22043)

VMware ESXi has another vulnerability known as the TOCTOU (Time-of-check Time-of-use) vulnerability. This vulnerability affects the way temporary files are accessed. To fix, apply the fixed version of VMware ESXi.

ESXi slow HTTP POST denial of service vulnerability (CVE-2021-22050)

This vulnerability is found in VMware ESXi and is known as a slow HTTP POST denial of service (DOS) vulnerability affecting rhttpproxy. An attacker can use this vulnerability to launch a DOS attack that overwhelms the rhttpproxy service with multiple requests.

How were these discovered?

These issues were discovered as part of the Tianfu Cup, a Chinese hacking event. VMware worked with the organizers of this event to review the findings and receive the information privately.

Is there a workaround to the issue as of yet?

In accord with best practices, VMware recommends getting a patched version of affected products installed as soon as possible. However, there is a bit of a workaround that involves identifying virtual machines with a USB controller installed. To do that, you can identify these with a PowerCLI script as follows:

$VMs = Get-VM

$USBHardware = "VirtualUSBController|VirtualUSBXHCIController"
foreach ($VM in $VMs) {
    $VMview = Get-VM $VM | Get-View

    $VMview.Config.Hardware.Device | Where-Object {$_.GetType().Name -match $USBHardware} | Foreach-Object {
        $devname = $_.GetType().Name
        Write-Host "$VM`: VM has a $devname device." -ForegroundColor Yellow
    }
}

To remove the USB controllers from affected virtual machines, you can use the following PowerCLI code. As a note, a hindrance to having this completely automated is the virtual machines need to be powered off before you can remove the USB controller.

$VMs = Get-VM $vmname

$USBHardware = "VirtualUSBController|VirtualUSBXHCIController"

foreach ($VM in $VMs) {
    $VMview = Get-VM $VM | Get-View
    $VMview.Config.Hardware.Device | Where-Object {$_.GetType().Name -match $USBHardware} | Foreach-Object {
        $devname = $_.GetType().Name
        Write-Host "$VM`: Removing the $devname device." -ForegroundColor Yellow
        $Config = New-Object VMware.Vim.VirtualMachineConfigSpec
        $Config.DeviceChange = New-Object VMware.Vim.VirtualDeviceConfigSpec
        $Config.DeviceChange[0] = New-Object VMware.Vim.VirtualDeviceConfigSpec
        $Config.DeviceChange[0].Operation = "remove"
        $Config.DeviceChange[0].Device = $_
        # $VM.ExtensionData.ReconfigVM($Config)
    }
}

On another note, if you are running snapshots in your environment, you will need to keep this in mind as removing the USB controller from a virtual machine. The reason for this is that snapshots contain virtual hardware as part of the VM state. Restoring a snapshot on a virtual machine will bring back the removed USB controller.

Response Matrices and fixed versions

The following response matrix is in regards to the following two of the CVEs of the New VMware VMSA-2022-0004 security vulnerability:

  • Use-after-free vulnerability in XHCI USB controller (CVE-2021-22040)
  • Double-fetch vulnerability in UHCI IUSB controller (CVE-2021-22041)
ProductVersionRunning OnCVE IdentifierCVSSv3SeverityFixed VersionWorkaroundsAdditional Documentation
ESXi7.0 U3AnyCVE-2021-22040, CVE-2021-220418.4Important ESXi70U3c-19193900KB87349FAQ
ESXi7.0 U2AnyCVE-2021-22040, CVE-2021-220418.4Important ESXi70U2e-19290878KB87349FAQ
ESXi7.0 U1AnyCVE-2021-22040, CVE-2021-220418.4Important ESXi70U1e-19324898KB87349FAQ
ESXi6.7AnyCVE-2021-22040, CVE-2021-220418.4Important [1] ESXi670-202111101-SGKB87349FAQ
ESXi6.5AnyCVE-2021-22040, CVE-2021-220418.4Important ESXi650-202202401-SGKB87349FAQ
Fusion12.xOS XCVE-2021-22040, CVE-2021-220418.4Important 12.2.1KB87349FAQ
Workstation16.xAnyCVE-2021-22040, CVE-2021-220418.4Important 16.2.1KB87349FAQ

Impacted Product Suites that Deploy Response Matrix of affected products:

ProductVersionRunning OnCVE IdentifierCVSSv3SeverityFixed VersionWorkaroundsAdditional Documentation
Cloud Foundation (ESXi)4.xAnyCVE-2021-22040, CVE-2021-220418.4Important KB87646 (4.4)KB87349FAQ
Cloud Foundation (ESXi)3.xAnyCVE-2021-22040, CVE-2021-220418.4Important 3.11KB87349FAQ

The following response matrix is in regards to the following two of the CVEs in the New VMware VMSA-2022-0004 security vulnerability:

  • ESXi settingsd unauthorized access vulnerability (CVE-2021-22042)
  • ESXi settingsd TOCTOU vulnerability (CVE-2021-22043)
ProductVersionRunning OnCVE IdentifierCVSSv3SeverityFixed VersionWorkaroundsAdditional Documentation
ESXi7.0 U3AnyCVE-2021-22042, CVE-2021-220438.2Important ESXi70U3c-19193900NoneFAQ
ESXi7.0 U2AnyCVE-2021-22042, CVE-2021-220438.2Important ESXi70U2e-19290878NoneFAQ
ESXi7.0 U1AnyCVE-2021-22042, CVE-2021-220438.2Important ESXi70U1e-19324898NoneFAQ
ESXi6.7AnyCVE-2021-22042, CVE-2021-22043N/AN/AUnaffectedN/AN/A
ESXi6.5AnyCVE-2021-22042, CVE-2021-22043N/AN/AUnaffectedN/AN/A

Impacted Product Suites that Deploy the affected products

ProductVersionRunning OnCVE IdentifierCVSSv3SeverityFixed VersionWorkaroundsAdditional Documentation
Cloud Foundation (ESXi)4.xAnyCVE-2021-22042, CVE-2021-220438.2Important KB87646 (4.4)NoneFAQ
Cloud Foundation (ESXi)3.xAnyCVE-2021-22042, CVE-2021-22043N/AN/AUnaffectedN/AN/A

The following response matrix is in regards to the following two of the CVEs in the New VMware VMSA-2022-0004 security vulnerability:

  • ESXi slow HTTP POST denial of service vulnerability (CVE-2021-22050)
ProductVersionRunning OnCVE IdentifierCVSSv3SeverityFixed VersionWorkaroundsAdditional Documentation
ESXi7.0AnyCVE-2021-220505.3Moderate ESXi70U3c-19193900NoneFAQ
ESXi6.7AnyCVE-2021-220505.3Moderate [1] ESXi670-202111101-SGNoneFAQ
ESXi6.5AnyCVE-2021-220505.3Moderate ESXi650-202110101-SGNoneFAQ

Impacted Product Suites that Deploy Response Matrix 3e Components:

ProductVersionRunning OnCVE IdentifierCVSSv3SeverityFixed VersionWorkaroundsAdditional Documentation
Cloud Foundation (ESXi)4.xAnyCVE-2021-220505.3Moderate KB87646 (4.4)NoneFAQ
Cloud Foundation (ESXi)3.xAnyCVE-2021-220505.3Moderate 3.11NoneFAQ

Take note of the following resources:

Concluding Notes

As bad as we hate to see new security vulnerabilities come down the pipes, it is better to find them this way than after the fact and the attackers have the upper hand. Kudos to VMware for getting this New VMware VMSA-2022-0004 security vulnerability disclosed and patched in a timely manner.

Subscribe to VirtualizationHowto via Email 🔔

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.