The critical and important-severity flaws were discovered by a team at the China-based Tianfu Cup hacking challenge.
VMware has hurried out fixes for a critical flaw in its ESXi hypervisor, a few months after it was found during China’s Tianfu Cup hacking competition.
The use-after-free vulnerability (CVE-2020-4004) has a CVSS score of 9.3 out of 10, making it critical. It exists in the eXtensible Host Controller Interface (xHCI) USB controller of ESXi. xHCI is an interface specification that defines a register-level description of a host controller for USB.
According to VMware in a Thursday advisory, “a malicious actor with local administrative privileges on a virtual machine may exploit this issue.”
The attacker would then be able to execute code as the virtual machine’s Virtual Machine Executable (VMX) process running on the host, said VMware’s advisory. The VMX process runs in the VMkernel and is responsible for handling I/O to devices that are not critical to performance.
Xiao Wei and Tianwen Tang (VictorV) of the Qihoo 360 Vulcan Team were credited with discovering the flaw, which they found at the 2020 Tianfu Cup Pwn Contest. While further details of the bug – and the exploit – were not disclosed, according to the Tianfu Cup’s Twitter account, the team “got the root of the host OS with one shot.” The Tianfu Cup is a popular ethical hacking contest that took place earlier in November.
360 ESG Vulnerability Research Institute is the only team to run the entry on VMware ESXi today. @XiaoWei___ @vv474172261 got the root of the host OS with one shot. Congrats!
— TianfuCup (@TianfuCup) November 7, 2020
ESXi versions 6.5, 6.7 and 7.0 are affected by this critical vulnerability; users can update to versions ESXi650-202011301-SG (for version 6.5), ESXi670-202011101-SG (for version 6.7) and ESXi70U1b-17168206 (for version 7.0). A workaround is to remove the xHCI (USB 3.x) controller. In addition, versions of VMware Fusion (versions 11.x), Workstation (15.x) and VMware Cloud Foundation (ESXi, versions 3.x and 4.x) are also affected. Patches for VMware Cloud Foundation are still pending, according to the advisory.
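Where patching has to wait, the xHCI workaround above can be audited across a set of VM configuration files. The following is an added example, not part of the original article or VMware's advisory; it assumes the controller is recorded in a VM's .vmx file as the key `usb_xhci.present`, and the sample configurations are constructed.

```python
import re

# Assumption (not from the article): a VM's xHCI controller shows up in its
# .vmx file as the key usb_xhci.present set to "TRUE".
XHCI_KEY = "usb_xhci.present"
# key = "value" lines; lines starting with '#' are comments and are skipped.
_LINE = re.compile(r'^\s*([^#\s=][^=]*?)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse VMX 'key = "value"' lines into a dict with lower-cased keys."""
    config = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            config[match.group(1).lower()] = match.group(2)
    return config


def has_xhci(config):
    """True when the xHCI (USB 3.x) controller is attached to the VM."""
    return config.get(XHCI_KEY, "FALSE").strip().upper() == "TRUE"


def audit(vmx_files):
    """Return sorted names of VMs that still expose the xHCI controller."""
    flagged = []
    for path, text in vmx_files.items():
        config = parse_vmx(text)
        if has_xhci(config):
            # Fall back to the file name when no display name is set.
            flagged.append(config.get("displayname", path))
    return sorted(flagged)


# Constructed sample inputs (not real VM configurations).
SAMPLE = {
    "web01.vmx": 'displayName = "web01"\nusb_xhci.present = "TRUE"\n',
    "db01.vmx": 'displayName = "db01"\nusb_xhci.present = "FALSE"\n',
    "build01.vmx": '# note\ndisplayName = "build01"\nUSB_XHCI.Present = "true"\n',
    "legacy.vmx": 'displayName = "legacy"\nusb.present = "TRUE"\n',
}

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print(f"{name}: xHCI controller present, workaround not applied")
```

Keys and values are compared case-insensitively here as a defensive choice, so a differently capitalised entry is still flagged.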
VMware also issued patches for an important-severity elevation-of-privilege vulnerability in ESXi, also found by the Qihoo 360 Vulcan Team during the Tianfu Cup. That flaw (CVE-2020-4005), which scores 8.8 out of 10, exists in the way certain system calls are being managed.
According to VMware, a bad actor could leverage the flaw to escalate their privileges on the affected system. However, this bug is more difficult to exploit. For one, an attacker would need to have privileges within the VMX process; for another, successful exploitation of this issue is only possible when chained with another vulnerability (such as the use-after-free flaw).
Versions 6.5, 6.7 and 7.0 of ESXi are affected by the bugs, as is VMware Cloud Foundation (ESXi, versions 3.x and 4.x). A patch is pending for the latter.
These are only the latest flaws to plague the ESXi hypervisor. In October, VMware issued an updated fix for a critical-severity remote code-execution flaw in ESXi. VMware said updated patch versions were available after it was discovered the previous patch, released Oct. 20, did not completely address the vulnerability. That’s because certain versions that were affected were not previously covered in the earlier update.