VMware Sandbox Escape Bugs Are So Critical, Patches Are Released For End-of-Life Products

An anonymous reader quotes a report from Ars Technica: VMware is urging customers to patch critical vulnerabilities that make it possible for hackers to break out of sandbox and hypervisor protections in all versions, including out-of-support ones, of VMware ESXi, Workstation, Fusion, and Cloud Foundation products. A constellation of four vulnerabilities -- two carrying severity ratings of 9.3 out of a possible 10 -- are serious because they undermine the fundamental purpose of the VMware products, which is to run sensitive operations inside a virtual machine that's segmented from the host machine. VMware officials said that the prospect of a hypervisor escape warranted an immediate response under the company's IT Infrastructure Library, a process usually abbreviated as ITIL.

'In ITIL terms, this situation qualifies as an emergency change, necessitating prompt action from your organization,' the officials wrote in a post. 'However, the appropriate security response varies depending on specific circumstances.' Among the specific circumstances, one concerns which vulnerable product a customer is using, and another is whether and how it may be positioned behind a firewall. A VMware advisory included the following matrix showing how the vulnerabilities -- tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255 -- affect each of the vulnerable products. Three of the vulnerabilities affect the USB controller the products use to support peripheral devices such as keyboards and mice.

Broadcom, the VMware parent company, is urging customers to patch vulnerable products. As a workaround, users can remove USB controllers from vulnerable virtual machines, but Broadcom stressed that this measure could degrade virtual console functionality and should be viewed as only a temporary solution. In an article explaining how to remove a USB controller, officials wrote: 'The workaround is to remove all USB controllers from the Virtual Machine. As a result, USB passthrough functionality will be unavailable. In addition, virtual/emulated USB devices, such as VMware virtual USB stick or dongle, will not be available for use by the virtual machine. In contrast, the default keyboard/mouse as input devices are not affected as they are, by default, not connected through USB protocol but have a driver that does software device emulation in the guest OS.

IMPORTANT:
Certain guest operating systems, including Mac OS, do not support using a PS/2 mouse and keyboard. These guest operating systems will be left without a mouse and keyboard without a USB controller.'

Read more of this story at Slashdot.