CVE-2024-22252, 22253, 22254 & 22255 VMWare sandbox escape flaws in ESXi, Workstation, and Fusion

This advisory is for organizations that use VMWare ESXi, Workstation, Fusion, and Cloud Foundation products.  If your organization does not use these VMWare products, this notification may be discarded.

Summary

VMWare has released security updates to address critical vulnerabilities in VMWare ESXi, Workstation, Fusion, and Cloud Foundation.  The vulnerability could potentially allow an attacker to chain vulnerabilities and after gaining local administrative privileges to a virtual machine, escape sandbox mitigations and execute code as the VMX process to access the underlying operating systems and/or other VMs operating on the hypervisor.

Affected Platforms

Additionally, VMware has made security fixes available for older ESXi versions (6.7U3u), 6.5 (6.5U3v), and VCF 3.x due to the vulnerabilities' severity.

Mitigations

A practical workaround to mitigate CVE-2024-22252, CVE-2024-22253, and CVE-2024-22255 is to remove USB controllers from virtual machines following the instructions provided by the vendor. Note that this may impact keyboard, mouse, and USB stick connectivity in some configurations.

Additional Resources

https://www.vmware.com/security/advisories/VMSA-2024-0006.html

https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-sandbox-escape-flaws-in-esxi-workstation-and-fusion/