VMware Fixes Critical Flaw in ESXi Hypervisor

  • The critical and important-severity flaws had been identified by a team at the China-based Tianfu Cup hacking challenge.

    VMware has hurried out fixes for a critical flaw in its ESXi hypervisor, shortly after it was found during China’s Tianfu Cup hacking competition.

    The use-after-free vulnerability (CVE-2020-4004) has a CVSS score of 9.3 out of 10, making it critical. It exists in the eXtensible Host Controller Interface (xHCI) USB controller of ESXi. xHCI is an interface specification that defines a register-level description of a host controller for USB.

    According to VMware in a Thursday advisory, “a malicious actor with local administrative privileges on a virtual machine could exploit this issue.”

    The attacker would then be able to execute code as the virtual machine’s Virtual Machine Executable (VMX) process running on the host, said VMware’s advisory. The VMX process runs in the VMkernel and is responsible for handling I/O to devices that are not critical to performance.

    Xiao Wei and Tianwen Tang (VictorV) of the Qihoo 360 Vulcan Team were credited with discovering the flaw, which they found at the 2020 Tianfu Cup Pwn Contest. While further details of the bug – and the exploit – were not disclosed, according to the Tianfu Cup’s Twitter account, the team “got the root of the host OS with one shot.” The Tianfu Cup is a popular ethical hacking contest that took place earlier in November.

    360 ESG Vulnerability Research Institute is the only team to run the entry on VMware ESXi today. @XiaoWei___ @vv474172261 got the root of the host OS with one shot. Congrats!

    — TianfuCup (@TianfuCup) November 7, 2020

    ESXi versions 6.5, 6.7 and 7.0 are affected by this critical vulnerability; users can update to versions ESXi650-202011301-SG (for version 6.5), ESXi670-202011101-SG (for version 6.7) and ESXi70U1b-17168206 (for version 7.0). A workaround is to remove the xHCI (USB 3.x) controller. In addition, VMware Fusion (versions 11.x), Workstation (15.x) and VMware Cloud Foundation (ESXi, versions 3.x and 4.x) are also affected. Patches for VMware Cloud Foundation are still pending, according to the advisory.
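For an administrator who wants to know where the advisory above applies, the following PowerCLI script is an added example (not code from the article or from VMware) that inventories ESXi host builds against the fixed build the article lists and reports which VMs still carry the xHCI (USB 3.x) controller that the workaround says to remove. It assumes VMware PowerCLI is installed and that a vCenter connection can be made; the vCenter name is a placeholder, and the build numbers corresponding to the 6.5 and 6.7 patch IDs are not given on this page, so they are left as labelled placeholders to be filled in from the VMware advisory. It only detects; device removal is done through the vSphere Client or a reconfigure task.

```powershell
# Added example (not from the article or VMware): inventory ESXi host builds and
# VMs that still have an xHCI USB controller, so a defender can see which hosts
# are unpatched for CVE-2020-4004 and where the article's workaround still applies.
# Assumes VMware PowerCLI is installed and a vCenter/ESXi connection is possible.

# The article gives the 7.0 fixed build (ESXi70U1b-17168206). The builds that
# carry ESXi650-202011301-SG and ESXi670-202011101-SG are NOT on this page;
# take them from the VMware advisory/KB and replace the 0 placeholders below.
$FixedBuilds = @{
    '7.0' = 17168206
    '6.7' = 0   # PLACEHOLDER: build number of ESXi670-202011101-SG
    '6.5' = 0   # PLACEHOLDER: build number of ESXi650-202011301-SG
}

function Get-EsxiPatchStatus {
    # Returns one object per host with Version, Build and whether the build is
    # at or above the fixed build for that host's major.minor release.
    Get-VMHost | ForEach-Object {
        $majorMinor = ($_.Version -split '\.')[0..1] -join '.'
        $fixed = $FixedBuilds[$majorMinor]
        $build = [int]$_.Build
        if ($null -eq $fixed)   { $status = 'unknown version' }
        elseif ($fixed -eq 0)   { $status = 'fixed build not set' }
        elseif ($build -ge $fixed) { $status = 'patched' }
        else                    { $status = 'UNPATCHED' }
        [PSCustomObject]@{
            Host    = $_.Name
            Version = $_.Version
            Build   = $build
            Status  = $status
        }
    }
}

function Get-VMsWithXhciController {
    # Lists VMs whose virtual hardware includes a USB 3.x (xHCI) controller,
    # the device the advisory's workaround says to remove. Detection only.
    Get-VM | ForEach-Object {
        $view = $_ | Get-View
        $xhci = $view.Config.Hardware.Device |
            Where-Object { $_ -is [VMware.Vim.VirtualUSBXHCIController] }
        if ($xhci) {
            [PSCustomObject]@{
                VM         = $_.Name
                PowerState = $_.PowerState
                Host       = $_.VMHost.Name
                Controller = $xhci.DeviceInfo.Label
            }
        }
    }
}

# Placeholder vCenter name; replace with your own.
Connect-VIServer -Server 'vcenter.example.internal'
Get-EsxiPatchStatus | Format-Table -AutoSize
Get-VMsWithXhciController | Format-Table -AutoSize
```

Hosts reported as UNPATCHED that also host VMs in the second table are the ones where the workaround (removing the xHCI controller) buys time until the patch is applied; a powered-on VM with an xHCI controller on a patched host no longer needs the workaround for this issue.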

    VMware also issued patches for an important-severity elevation-of-privilege vulnerability in ESXi, also discovered by the Qihoo 360 Vulcan Team during the Tianfu Cup. That flaw (CVE-2020-4005), which scores 8.8 out of 10, exists in the way certain system calls are being managed.

    According to VMware, a bad actor could leverage the flaw to escalate their privileges on the affected system. However, this bug is more difficult to exploit. For one, an attacker would need privileges within the VMX process; for another, successful exploitation of this issue is only possible when chained with another vulnerability (such as the use-after-free flaw).

    Versions 6.5, 6.7 and 7.0 of ESXi are affected by the bugs, as is VMware Cloud Foundation (ESXi, versions 3.x and 4.x). A patch is pending for the latter.

    These are only the latest flaws to plague the ESXi hypervisor. In October, VMware issued an updated fix for a critical-severity remote code-execution flaw in ESXi. VMware said updated patch versions were available after it was discovered that the previous patch, released Oct. 20, did not fully address the vulnerability. That’s because certain versions that were affected were not previously covered in the earlier update.