Overview
Broadcom has issued a security advisory (VMSA-2025-0004) for three zero-day vulnerabilities in VMware ESXi, Workstation and Fusion, one of them rated Critical. The Microsoft Threat Intelligence Center (MSTIC) reported the flaws, and Broadcom has confirmed that they are being exploited in the wild. Chained together, they allow an attacker who already holds administrative rights inside a guest virtual machine to escape to the hypervisor, so organizations running the affected products should apply the fixed versions immediately.
Details of the Vulnerabilities
The vulnerabilities are tracked as CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226. Their prerequisite is not hypervisor access but administrative privileges inside a guest VM; from there an attacker can execute code in the VM's VMX process on the host, escape that process's sandbox, and read VMX process memory. CVSSv3 base scores range from 7.1 to 9.3 (one Critical, two Important), and because the chain turns a compromised guest into a compromised host, all three should be treated as high-priority for any organization relying on VMware infrastructure.
1. CVE-2025-22224: VMware ESXi and Workstation Heap-Overflow Vulnerability
- Severity: Critical (CVSSv3 Score: 9.3)
- Description: A Time-of-Check Time-of-Use (TOCTOU) race condition in VMware ESXi and Workstation leads to an out-of-bounds (heap) write. An attacker with local administrative privileges inside a virtual machine can exploit it to execute arbitrary code as that VM's VMX process running on the host.
- Impact: Code execution in the VMX process, which is the first step of a guest-to-host escape; on its own it already compromises the isolation boundary between the guest and the hypervisor.
- Mitigation: Apply the patches listed in the "Fixed Versions" table below.
- Workarounds: None available.
2. CVE-2025-22225: VMware ESXi Arbitrary Write Vulnerability
- Severity: Important (CVSSv3 Score: 8.2)
- Description: VMware ESXi contains an arbitrary write vulnerability. An attacker who already has code execution within the VMX process (for example via CVE-2025-22224) can trigger an arbitrary kernel write and escape the VMX sandbox to run code on the host.
- Impact: Full compromise of the ESXi host and every virtual machine it runs.
- Mitigation: Apply the patches immediately.
- Workarounds: None available.
- Additional Resources: Broadcom has published an FAQ document with further details on this vulnerability.
3. CVE-2025-22226: VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability
- Severity: Important (CVSSv3 Score: 7.1)
- Description: An out-of-bounds read in HGFS (Host Guest File System) allows an attacker with administrative privileges on a virtual machine to leak memory contents from the VMX process.
- Impact: Leaked VMX memory (for example pointers or heap layout) can be used to make exploitation of the memory-corruption bugs above reliable, so this flaw should be patched together with them rather than deferred because of its lower score.
- Mitigation: Apply the recommended patches listed below.
- Workarounds: None available.
Broadcom has confirmed that these vulnerabilities have been exploited in real-world attacks, but no technical details or proof-of-concept (PoC) exploits have been publicly disclosed at the time of writing. Organizations should assume active exploitation, prioritize patching, and treat any guest VM compromise on an unpatched host as a potential host compromise.
Recommended Solutions and Patch Details
Broadcom has released security patches for the affected products. Organizations should update to the fixed versions listed below; note that for ESXi 8.0 and 7.0 the fix is only available on the Update 2/Update 3 lines, so hosts on earlier update releases must move to one of the listed builds:

| Affected Product | CVE(s) | Fixed Version |
|---|---|---|
| VMware ESXi 8.0 | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 | ESXi80U3d-24585383, ESXi80U2d-24585300 |
| VMware ESXi 7.0 | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 | ESXi70U3s-24585291 |
| VMware ESXi 6.7 | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 | ESXi670-202503001 |
| VMware Workstation 17.x | CVE-2025-22224, CVE-2025-22226 | 17.6.3 |
| VMware Fusion 13.x | CVE-2025-22226 | 13.6.3 |
VMware Cloud Foundation and VMware Telco Cloud Platform are also affected. An asynchronous patch is available for VMware Cloud Foundation, while Telco Cloud Platform customers should update to a fixed ESXi version. Broadcom's advisory provides the details.
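Checking whether a host is on a fixed build is more than a single threshold comparison: the fix for ESXi 8.0 lives on two separate update lines (U3d and U2d), so an 8.0 Update 3 host at a build number above 24585300 but below 24585383 is still vulnerable. The script below is an added example, not part of the Broadcom advisory or the VMware tooling; it parses the first line of `vmware -vl` as printed on an ESXi host (the `VMware ESXi <version> build-<number>` format) and classifies the host against the fixed builds in the table. The build number for the 6.7 fix is not in the table, so 6.7 hosts are reported for manual comparison against ESXi670-202503001 rather than guessed. The sample inputs at the bottom are constructed, not collected from real hosts.

```shell
#!/bin/sh
# Added example: classify an ESXi host's build against the fixed builds
# from the advisory table. Input is the first line of `vmware -vl`, e.g.
#   VMware ESXi 8.0.3 build-24585383
# Fixed builds (from the table above):
#   8.0 Update 3 -> 24585383 (ESXi80U3d)
#   8.0 Update 2 -> 24585300 (ESXi80U2d)
#   7.0 Update 3 -> 24585291 (ESXi70U3s)
# 6.7 is fixed by ESXi670-202503001; its build number is not in the table,
# so 6.7 hosts are flagged for a manual check instead of being guessed.

# parse_vmware_vl "<first line of vmware -vl>" -> prints "<version> <build>"
# (prints nothing if the line does not match the expected format)
parse_vmware_vl() {
    printf '%s\n' "$1" | sed -n 's/^VMware ESXi \([0-9][0-9.]*\) build-\([0-9][0-9]*\).*$/\1 \2/p'
}

# esxi_fix_status <version> <build> -> prints PATCHED, VULNERABLE or CHECK_MANUALLY
# The comparison is per update line: a host must be on the fixed build of
# *its own* line, not merely above the lowest fixed build number overall.
esxi_fix_status() {
    ver="$1"
    build="$2"
    case "$ver" in
        8.0.3*) fixed=24585383 ;;                 # 8.0 Update 3 line: needs U3d or later
        8.0.2*) fixed=24585300 ;;                 # 8.0 Update 2 line: needs U2d or later
        8.0*)   echo VULNERABLE; return 0 ;;      # 8.0 GA / U1: no fix on this line, move to U2d/U3d
        7.0.3*) fixed=24585291 ;;                 # 7.0 Update 3 line: needs U3s or later
        7.0*)   echo VULNERABLE; return 0 ;;      # 7.0 GA / U1 / U2: move to U3s
        6.7*)   echo CHECK_MANUALLY; return 0 ;;  # compare against ESXi670-202503001 by hand
        *)      echo CHECK_MANUALLY; return 0 ;;  # unknown release
    esac
    if [ "$build" -ge "$fixed" ] 2>/dev/null; then
        echo PATCHED
    else
        echo VULNERABLE
    fi
}

# check_host "<first line of vmware -vl>" -> prints "ESXi <version> build <build>: <status>"
check_host() {
    parsed=$(parse_vmware_vl "$1")
    if [ -z "$parsed" ]; then
        echo "unparsed input: CHECK_MANUALLY"
        return 0
    fi
    ver=${parsed% *}
    build=${parsed#* }
    echo "ESXi $ver build $build: $(esxi_fix_status "$ver" "$build")"
}

# Constructed sample lines (not taken from real hosts):
check_host "VMware ESXi 8.0.3 build-24585383"   # U3d itself -> PATCHED
check_host "VMware ESXi 8.0.3 build-24585300"   # above U2d but below U3d -> VULNERABLE
check_host "VMware ESXi 8.0.2 build-24585300"   # U2d itself -> PATCHED
check_host "VMware ESXi 8.0.1 build-22088125"   # 8.0 U1 line, no fix here -> VULNERABLE
check_host "VMware ESXi 7.0.3 build-24585291"   # U3s itself -> PATCHED
check_host "VMware ESXi 6.7.0 build-17700523"   # 6.7 -> CHECK_MANUALLY
```

On an ESXi host the same information is also available from `esxcli system version get`; across a fleet, the practical approach is to export each host's version and build (for instance with PowerCLI) and feed the lines through a check like this one, then schedule the VULNERABLE hosts first, starting with those that run untrusted or multi-tenant guests.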
Steps for Organizations
To minimize risks associated with these vulnerabilities, organizations should take the following actions:
- Apply Patches Immediately: Update affected VMware products to the latest fixed versions.
- Monitor Security Advisories: Regularly check VMware’s official advisories for updates.
- Implement Network Segmentation: Restrict access to hypervisor management interfaces (ESXi host management network, vCenter) to a dedicated administrative network. This does not block the vulnerabilities themselves, since they are triggered from inside a guest VM, but it limits what an attacker can reach after escaping to a host.
- Enable Logging and Monitoring: Forward ESXi host logs (hostd, vmkernel and per-VM vmx logs) to a central SIEM and alert on unexpected VMX process crashes or VM restarts, which are a plausible side effect of failed memory-corruption attempts, and on administrative actions on the host that do not correspond to a change record.
- Review Security Policies: Ensure virtualized environments follow best security practices, including the principle of least privilege.
Conclusion
The discovery of these zero-day vulnerabilities in VMware ESXi, Workstation and Fusion underlines the need for timely patching and proactive security measures. Because the flaws are being exploited in the wild and together convert a compromised guest into a compromised hypervisor, organizations should prioritize the updates above other maintenance and strengthen their security posture around the hypervisor layer.
Following Broadcom's guidance and adopting the practices above will help mitigate the risks associated with these vulnerabilities.