On January 04, 2022, VMware published security fixes for its Workstation, Fusion, and ESXi products to address a heap-overflow vulnerability identified as CVE-2021-22045. An attacker inside a guest on affected VMware platforms can abuse the virtual CD-ROM drive to execute malicious code in the hypervisor; however, fixes are not yet available for every affected product.
Users of ESXi version 7 are still waiting for a complete fix for this high-severity heap-overflow flaw. In the meantime, Cloud Foundation, Fusion, and Workstation users should install the available patches straight away.
The CVSS v3 base score for this vulnerability is 7.8, which is classified as “high” in severity. A heap overflow is a memory issue that can corrupt data or introduce unexpected behavior into any process accessing the affected memory area – in some cases resulting in remote code execution (RCE) and Denial of Service (DoS).
Affected Products
The vulnerability affects Windows, Linux, and Mac users throughout the virtualization specialist’s portfolio.
CVE Identifier | Product | Version | Running On | CVSSv3 | Severity | Fixed Version | Workarounds
---|---|---|---|---|---|---|---
CVE-2021-22045 | ESXi | 7 | Any | | Important | Patch Pending |
CVE-2021-22045 | ESXi | 6.7 | Any | 7.7 | Important | ESXi670-202111101-SG |
CVE-2021-22045 | ESXi | 6.5 | Any | | Important | ESXi650-202110101-SG |
CVE-2021-22045 | Workstation | 16.x | Any | | Important | 16.2.0 |
CVE-2021-22045 | Fusion | 12.x | OS X | | Important | 12.2.0 |
CVE-2021-22045 | VMware Cloud Foundation (ESXi) | 4.x | Any | | Important | Patch Pending |
CVE-2021-22045 | VMware Cloud Foundation (ESXi) | 3.x | Any | | Important | Patch Pending |
Knotted But Still Exploitable
The flaw allows a user with access to an untrusted guest OS to run code on the hypervisor; nevertheless, “an attacker would not have control over the data produced, making exploitation difficult.” A successful attacker can compromise the hypervisor’s host operating system.
A hypervisor is software that creates and runs virtual machines and governs how resources are shared among them (such as memory and processing). Taking control of a hypervisor can provide hackers with a direct path to any data or applications stored in the VMs it manages, as well as the ability to execute code or install files on those Virtual Machines.
ESXi Users Are at High Risk
ESXi is a bare-metal hypervisor that runs directly on a server and splits it into several virtual machines (VMs). The lack of a fix for ESXi 7 matters because VMware environments are a popular target for cybercriminals and ransomware gangs.
On January 10, 2022, researchers noted that newer AvosLocker malware versions include capabilities for encrypting Linux machines, with VMware ESXi virtual machines as a target.
Mitigations: Disable Now!
VMware advises customers to disconnect all CD-ROM/DVD drives on all running virtual machines to avoid potential exploitation:
- Log in to a vCenter Server system using the vSphere Web Client.
- Right-click the virtual machine and click Edit Settings.
- Select the CD/DVD drive, uncheck “Connected” and “Connect at power on”, and remove any attached ISOs.
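The same workaround applied fleet-wide with PowerCLI, as an added example that is not part of the original advisory or VMware's own guidance. The vCenter hostname is a placeholder, the script reports exposed drives by default, and it only modifies VMs when run with -Remediate.

```powershell
# Added example (not VMware's script): audit CD/DVD drives on every VM in a
# vCenter and, on request, strip their media and connection flags so a guest
# cannot reach the virtual CD-ROM device that CVE-2021-22045 depends on.
# Assumes the VMware.PowerCLI module is installed; $VCenter is a placeholder.
param(
    [string]$VCenter = 'vcenter.example.invalid',   # placeholder hostname
    [switch]$Remediate                               # default: report only
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter -Credential (Get-Credential) | Out-Null

# A drive is "exposed" if it is connected now, will connect at power on,
# or still has an ISO / host device attached as its backing.
$exposed = Get-VM | Get-CDDrive | Where-Object {
    $_.ConnectionState.Connected -or
    $_.ConnectionState.StartConnected -or
    $_.IsoPath -or $_.HostDevice
}

# Always report first so the change set is reviewable before anything moves.
$exposed |
    Select-Object @{ n = 'VM'; e = { $_.Parent.Name } }, Name,
        @{ n = 'Connected';      e = { $_.ConnectionState.Connected } },
        @{ n = 'StartConnected'; e = { $_.ConnectionState.StartConnected } },
        IsoPath, HostDevice |
    Format-Table -AutoSize

if ($Remediate -and $exposed) {
    # -NoMedia removes the ISO/host-device backing (which also disconnects
    # the drive); -StartConnected:$false mirrors unchecking "Connect at power on".
    $exposed | Set-CDDrive -NoMedia -StartConnected:$false -Confirm:$false | Out-Null
    Write-Host "Detached media on $(@($exposed).Count) CD/DVD device(s)."
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it once without -Remediate and keep the report as evidence of which VMs were exposed before the change.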