VMSA-2024-0011:VMware ESXi, Workstation, Fusion and vCenter Server updates address multiple security vulnerabilities (CVE-2024-22273, CVE-2024-22274, CVE-2024-22275)
24308
23 May 2024
21 May 2024
CLOSED
HIGH
4.9-8.1
None
CVE-2024-22273, CVE-2024-22274, CVE-2024-22275
| Advisory ID: | VMSA-2024-0011.1 |
| Advisory Severity: | Important |
| CVSSv3 Range: | 4.9-8.1 |
| Synopsis: | VMware ESXi, Workstation, Fusion and vCenter Server updates address multiple security vulnerabilities (CVE-2024-22273, CVE-2024-22274, CVE-2024-22275) |
| Issue date: | 2024-05-21 |
| Issue date: | 2024-05-23 |
| CVE(s) | CVE-2024-22273, CVE-2024-22274, CVE-2024-22275 |
1. Impacted Products
- VMware ESXi
- VMware vCenter Server (vCenter Server)
- VMware Cloud Foundation (Cloud Foundation)
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion
2. Introduction
Multiple vulnerabilities in VMware ESXi, Workstation, Fusion, and vCenter Server were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
3a. Out-of-bounds read/write vulnerability (CVE-2024-22273)
Description:
The storage controllers on VMware ESXi, Workstation, and Fusion have out-of-bounds read/write vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.
Known Attack Vectors:
A malicious actor with access to a virtual machine with storage controllers enabled may exploit this issue to create a denial of service condition or execute code on the hypervisor from a virtual machine in conjunction with other issues.
Resolution:
To remediate CVE-2024-22273 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Hao Zheng (@zhz) and Jiaqing Huang (@s0duku) from TianGong Team of Legendsec at Qi'anxin Group for reporting this issue to us.
Notes:
[1] Workstation and Fusion versions mentioned in the response matrix are the first to address this issue but they are not the latest. Recommendation is to consume latest available versions i.e. Workstation 17.5.2 and Fusion 13.5.2. Please see VMSA-2024-0010.
Response Matrix:
| VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| ESXi | 8.0 | Any | CVE-2024-22273 | 7.4 | Important | ESXi80U2sb-23305545 | None | None |
| ESXi | 7.0 | Any | CVE-2024-22273 | 7.4 | Important | ESXi70U3sq-23794019 | None | None |
| Workstation | 17.x | Any | CVE-2024-22273 | 8.1 | Important | 17.5.1 [1] | None | None |
| Fusion | 13.x | MacOS | CVE-2024-22273 | 8.1 | Important | 13.5.1 [1] | None | None |
Impacted Product Suites that Deploy Response Matrix 3a Components:
| VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| Cloud Foundation (ESXi) | 5.x | Any | CVE-2024-22273 | 7.4 | Important | 5.1.1 | None | KB88287 |
| Cloud Foundation (ESXi) | 4.x | Any | CVE-2024-22273 | 7.4 | Important | KB88287 | None | None |
3b. VMware vCenter Server authenticated remote-code execution vulnerability (CVE-2024-22274)
Description:
The vCenter Server contains an authenticated remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.
Known Attack Vectors:
A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to run arbitrary commands on the underlying operating system.
Resolution:
To remediate CVE-2024-22274 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgments:
VMware would like to thank Matei "Mal" Badanoiu of Deloitte Romania for reporting this issue to us.
Notes:
None.
3c. VMware vCenter Server partial file read vulnerability (CVE-2024-22275)
Description:
The vCenter Server contains a partial file read vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.9.
Known Attack Vectors:
A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to partially read arbitrary files containing sensitive data.
Resolution:
To remediate CVE-2024-22275 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Matei "Mal" Badanoiu of Deloitte Romania for reporting this issue to us.
Notes:
None.
Response Matrix:
| VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| vCenter Server | 8.0 | Any | CVE-2024-22274, CVE-2024-22275 | 7.2, 4.9 | Important | 8.0 U2b | None | None |
| vCenter Server | 7.0 | Any | CVE-2024-22274, CVE-2024-22275 | 7.2, 4.9 | Important | 7.0 U3q | None | None |
Impacted Product Suites that Deploy Response Matrix 3b and 3c Components:
| VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| Cloud Foundation (vCenter Server) | 5.x | Any | CVE-2024-22274, CVE-2024-22275 | 7.2, 4.9 | Important | 5.1.1 | None | KB88287 |
| Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2024-22274, CVE-2024-22275 | 7.2, 4.9 | Important | KB88287 | None | None |
4. References:
Fixed Version(s) and Release Notes
VMware ESXi 8.0 ESXi-8.0U2sb-23305545
Downloads and Documentation
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5236
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80u2b-release-notes/index.html
VMware ESXi 7.0 ESXi70U3sq-23794019
Downloads and Documentation
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5330
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3q-release-notes/index.html
VMware vCenter Server 8.0 U2b
Downloads and Documentation
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5239
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-vcenter-server-80u2b-release-notes/index.html
VMware vCenter Server 7.0 U3q
Downloads and Documentation
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5329
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3q-release-notes/index.html
VMware Cloud Foundation 5.1.1
Downloads and Documentation
https://docs.vmware.com/en/VMware-Cloud-Foundation/5.1.1/rn/vmware-cloud-foundation-511-release-notes/index.html
KB Articles:
VCF 5.x/4.x: https://knowledge.broadcom.com/external/article?legacyId=88287
Workstation Pro 17.5.2
Downloads and Documentation
https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware%20Workstation%20Pro
https://docs.vmware.com/en/VMware-Workstation-Pro/17.5.2/rn/vmware-workstation-1752-pro-release-notes/index.html
Fusion 13.5.2
Downloads and Documentation
https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware%20Fusion
https://docs.vmware.com/en/VMware-Fusion/13.5.2/rn/vmware-fusion-1352-release-notes/index.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22273
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22274
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22275
FIRST CVSSv3 Calculator:
CVE-2024-22273:
ESXi: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Workstation/Fusion: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2024-22274: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2024-22275: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
5. Change Log:
2024-05-21 VMSA-2024-0011
Initial security advisory.
2024-05-23 VMSA-2024-0011.1
Updated security advisory to clarify that all storage controllers on ESXi are impacted.
6. Contact:
E-mail: [email protected]
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC
Copyright 2024 Broadcom All rights reserved.