Unpatched severe vulnerability with CVVS score of 7.7 in VMware’s Cloud Foundation, ESXi, Fusion and Workstation platforms

Cybersecurity specialists report the detection of a critical vulnerability in some VMware products, including Cloud Foundation, Fusion and Workstation. According to the report, the successful exploitation of these flaws would allow threat actors to take control of hypervisors in virtual environments, putting millions of Windows, Mac and Linux users at risk.

Cloud Foundation is VMware’s multi-cloud management platform, while ESXi is a bare-metal hypervisor that installs on a server and splits it into multiple virtual machines and Fusion is a software hypervisor that allows Intel-based Mac computers to run virtual machines with guest operating systems.

Tracked as CVE-2021-22045, it is a high-severity stack overflow vulnerability that received a score of 7.7/10 according to the Common Vulnerability Scoring System (CVSS). As you may recall, a buffer overflow is a bug that can cause memory corruption on affected systems, even leading to remote code execution (RCE) cases.

This specific error exists specifically in the CD-ROM device emulation feature of the affected products. According to the report, threat actors with access to a virtual machine with CD-ROM emulation can exploit this flaw along with other problems running code on the hypervisor from a virtual machine.

Reno Robert of Trend Micro notes that while the bug allows an untrusted guest operating system user to execute code on the hypervisor, exploitation would not allow attackers to take control of the data in the system due to exploit difficulty. The expert adds that other variants of the problem could lead to the leakage of confidential information.

A successful attack would allow threat actors to compromise the hypervisor’s host operating system. This single action could give malicious hackers a clear path to access any information stored in virtual machines, as well as control and execute files in these vulnerable deployments.

While the flaw does not have security patches, some temporary mitigations are known, which must be installed by administrators of vulnerable deployments.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.