Critical
VMSA-2022-0004
5.3-8.4
2022-02-15
2022-02-15 (Initial Advisory)
CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050
VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities (CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050)
1. Impacted Products
- VMware ESXi
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- VMware Cloud Foundation (Cloud Foundation)
2. Introduction
Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
The individual vulnerabilities documented in this VMSA have severity Important or Moderate, but combining these issues may result in a higher severity; hence this VMSA is rated at severity level Critical.
3a. Use-after-free vulnerability in XHCI USB controller (CVE-2021-22040)
Description
VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.4.
Known Attack Vectors
A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.
Resolution
To remediate CVE-2021-22040 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
Workarounds
Workarounds for CVE-2021-22040 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0004-qna.
Notes
[1] VMware recommends taking ESXi670-202201001 released on January 25, 2022 over ESXi670-202111101-SG released on November 23, 2021 since ESXi670-202201001 also resolves non-security related issues (documented in https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202201001.html).
Acknowledgements
VMware would like to thank Wei of Kunlun Lab working with the 2021 Tianfu Cup Pwn Contest for reporting this issue to us.
3b. Double-fetch vulnerability in UHCI USB controller (CVE-2021-22041)
Description
VMware ESXi, Workstation, and Fusion contain a double-fetch vulnerability in the UHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.4.
Known Attack Vectors
A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.
Resolution
To remediate CVE-2021-22041 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
Workarounds
Workarounds for CVE-2021-22041 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0004-qna.
Notes
Successful exploitation of this issue requires an isochronous USB endpoint to be made available to the virtual machine.
[1] VMware recommends taking ESXi670-202201001 released on January 25, 2022 over ESXi670-202111101-SG released on November 23, 2021 since ESXi670-202201001 also resolves non-security related issues (documented in https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202201001.html).
Acknowledgements
VMware would like to thank VictorV of Kunlun Lab working with the 2021 Tianfu Cup Pwn Contest for reporting this issue to us.
Response Matrix: 3a & 3b
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation | 
| ESXi | 7.0 U3 | Any | CVE-2021-22040, CVE-2021-22041 | | important | | | |
| ESXi | 7.0 U2 | Any | CVE-2021-22040, CVE-2021-22041 | | important | | | |
| ESXi | 7.0 U1 | Any | CVE-2021-22040, CVE-2021-22041 | | important | | | |
| ESXi | 6.7 | Any | CVE-2021-22040, CVE-2021-22041 | | important | | | |
| ESXi | 6.5 | Any | CVE-2021-22040, CVE-2021-22041 | | important | | | |
| Fusion | 12.x | OS X | CVE-2021-22040, CVE-2021-22041 | | important | | | |
| Workstation | 16.x | Any | CVE-2021-22040, CVE-2021-22041 | | important | | | |
Impacted Product Suites that Deploy Response Matrix 3a & 3b Components:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation | 
| Cloud Foundation (ESXi) | 4.x | Any | CVE-2021-22040, CVE-2021-22041 | | important | | | |
| Cloud Foundation (ESXi) | 3.x | Any | CVE-2021-22040, CVE-2021-22041 | | important | | | |
3c. ESXi settingsd unauthorized access vulnerability (CVE-2021-22042)
Description
VMware ESXi contains an unauthorized access vulnerability due to VMX having access to settingsd authorization tickets. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.
Known Attack Vectors
A malicious actor with privileges within the VMX process only may be able to access the settingsd service running as a high-privileged user.
Resolution
To remediate CVE-2021-22042 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
Workarounds
None.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0004-qna.
Notes
None.
Acknowledgements
VMware would like to thank Wei of Kunlun Lab working with the 2021 Tianfu Cup Pwn Contest for reporting this issue to us.
3d. ESXi settingsd TOCTOU vulnerability (CVE-2021-22043)
Description
VMware ESXi contains a TOCTOU (Time-of-check Time-of-use) vulnerability that exists in the way temporary files are handled. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.
Known Attack Vectors
A malicious actor with access to settingsd may exploit this issue to escalate their privileges by writing arbitrary files.
Resolution
To remediate CVE-2021-22043 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
Workarounds
None.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0004-qna.
Notes
None.
Acknowledgements
VMware would like to thank Wei of Kunlun Lab working with the 2021 Tianfu Cup Pwn Contest for reporting this issue to us.
Response Matrix: 3c & 3d
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation | 
| ESXi | 7.0 U3 | Any | CVE-2021-22042, CVE-2021-22043 | | important | | None | |
| ESXi | 7.0 U2 | Any | CVE-2021-22042, CVE-2021-22043 | | important | | None | |
| ESXi | 7.0 U1 | Any | CVE-2021-22042, CVE-2021-22043 | | important | | None | |
| ESXi | 6.7 | Any | CVE-2021-22042, CVE-2021-22043 | N/A | N/A | Unaffected | N/A | N/A |
| ESXi | 6.5 | Any | CVE-2021-22042, CVE-2021-22043 | N/A | N/A | Unaffected | N/A | N/A |
Impacted Product Suites that Deploy Response Matrix 3c & 3d Components:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation | 
| Cloud Foundation (ESXi) | 4.x | Any | CVE-2021-22042, CVE-2021-22043 | | important | | None | |
| Cloud Foundation (ESXi) | 3.x | Any | CVE-2021-22042, CVE-2021-22043 | N/A | N/A | Unaffected | N/A | N/A |
3e. ESXi slow HTTP POST denial of service vulnerability (CVE-2021-22050)
Description
ESXi contains a slow HTTP POST denial-of-service vulnerability in rhttpproxy. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
Known Attack Vectors
A malicious actor with network access to ESXi may exploit this issue to create a denial-of-service condition by overwhelming the rhttpproxy service with multiple requests.
Resolution
To remediate CVE-2021-22050 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
Workarounds
None.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0004-qna.
Notes
[1] VMware recommends taking ESXi670-202201001 released on January 25, 2022 over ESXi670-202111101-SG released on November 23, 2021 since ESXi670-202201001 also resolves non-security related issues (documented in https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202201001.html).
Acknowledgements
VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.
Response Matrix
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation | 
| ESXi | 7.0 | Any | CVE-2021-22050 | | moderate | | None | |
| ESXi | 6.7 | Any | CVE-2021-22050 | | moderate | | None | |
| ESXi | 6.5 | Any | CVE-2021-22050 | | moderate | | None | |
Impacted Product Suites that Deploy Response Matrix 3e Components:
4. References
VMware ESXi 7.0 ESXi70U3c-19193900
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3c-release-notes.html
VMware ESXi 7.0 ESXi70U2e-19290878
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u2e-release-notes.html
VMware ESXi 7.0 ESXi70U1e-19324898
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1e.html
VMware ESXi 6.7 ESXi670-202111101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202111001.html
VMware ESXi 6.5 ESXi650-202202401-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202202001.html
VMware ESXi 6.5 ESXi650-202110101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202110001.html
VMware Cloud Foundation 4.4
 Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.4/rn/VMware-Cloud-Foundation-44-Release-Notes.html
VMware Cloud Foundation 3.11
 Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.11/rn/VMware-Cloud-Foundation-311-Release-Notes.html
VMware Workstation Player 16.2.1
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html
VMware Fusion 12.2.1
 Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22040
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22041
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22043
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22050
FIRST CVSSv3 Calculator:
 CVE-2021-22040: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 CVE-2021-22041: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 CVE-2021-22042: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
 CVE-2021-22043: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
 CVE-2021-22050: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5. Change Log
2022-02-15 VMSA-2022-0004
 Initial security advisory.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
E-mail: security@vmware.com
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2022 VMware Inc. All rights reserved.
  
