VMware has hurried out fixes for a critical flaw in its ESXi hypervisor, a few weeks after it was found during China’s Tianfu Cup hacking competition.
The use-after-free vulnerability (CVE-2020-4004) has a CVSS score of 9.3 out of 10, making it critical. It exists in the eXtensible Host Controller Interface (xHCI) USB controller of ESXi. XHCI is an interface specification that defines a register-level description of a host controller for USB.
According to VMware in a Thursday advisory, “a malicious actor with local administrative privileges on a virtual machine may exploit this issue.”
The attacker would then be able to execute code as the virtual machine’s Virtual Machine Executable (VMX) process running on the host, said VMware’s advisory. The VMX process runs in the VMkernel and is responsible for handling I/O to devices that are not critical to performance.
Xiao Wei and Tianwen Tang (VictorV) of the Qihoo 360 Vulcan Team were credited with discovering the flaw, which they found at the 2020 Tianfu Cup Pwn Contest. While further details of the bug – and the exploit – were not disclosed, according to the Tianfu Cup’s Twitter account, the team “got the root of the host OS with one shot.” The Tianfu Cup is a popular ethical hacking contest that took place earlier in November.
360 ESG Vulnerability Research Institute is the only team to run the entry on VMware ESXi today. @XiaoWei___ @vv474172261 got the root of the host OS with one shot. Congrats!
— TianfuCup (@TianfuCup) November 7, 2020
ESXi versions 6.5, 6.7 and 7.0 are affected by this critical vulnerability; users can update to versions ESXi650-202011301-SG (for version 6.5), ESXi670-202011101-SG (for version 6.7) and ESXi70U1b-17168206 (for version 7.0). A workaround is to remove the xHCI (USB 3.x) controller. In addition, versions of VMware Fusion (versions 11.x), Workstation (15.x) and VMware cloud foundation (ESXi, versions 3.x and 4.x) are also affected. Patches for the VMware cloud foundation are still pending, according to the advisory.
VMware also issued patches for an important-severity elevation-of-privilege vulnerability in ESXi, also found by the Qihoo 360 Vulcan Team during the Tiunfu Cup. That flaw (CVE-2020-4005), which scores 8.8 out of 10, exists in the way certain system calls are being managed.
According to VMware, a bad actor could leverage the flaw to escalate their privileges on the affected system. However, this bug is more difficult to exploit. For one, with an attacker would need privileges within the VMX process; for another, successful exploitation of this issue is only possible when chained with another vulnerability (such as the use-after-free flaw).
Versions 6.5, 6.7 and 7.0 of ESXi are affected by the bugs; as is VMware Cloud Foundation (ESXi, versions 3.x and 4.x). A patch is pending for the latter.
These are only the latest flaws to plague the ESXi hypervisor. In October, VMware issued an updated fix for a critical-severity remote code-execution flaw in ESXi. VMware said updated patch versions were available after it was discovered the previous patch, released Oct. 20, did not completely address the vulnerability. That’s because certain versions that were affected were not previously covered in the earlier update.