Virus Removal Guides

A VMware bug could result in a hypervisor takeover

VMWare’s Cloud Foundation, ESXi, Fusion, and Workstation platforms are vulnerable to a security flaw that might allow the hypervisor to take over in virtual environments. A patch is currently pending for some users.

Vmware Bug

The heap-overflow vulnerability (CVE-2021-22045) has a CVSS score of 7.7 out of 10. Data corruption or unexpected behavior by any process accessing the impacted memory space is possible as a result of heap overflows, which are memory issues that can result in remote code execution (RCE). The flaw impacts Windows, Linux, and Mac users throughout the virtualization specialist’s whole portfolio.

The affected products’ CD-ROM device emulation is most vulnerable to this specific flaw. According to the vendor’s advisory, a hostile actor might exploit this vulnerability in conjunction with other flaws, to run code on the hypervisor from a virtual machine. All that is needed is a CD image that must be attached to the virtual computer in order to launch a successful attack.

As per the information that is available, an attacker would not have control over the data written, even if a guest OS user can execute code on the hypervisor. This explains the need for the vulnerability to be exploited in a combination with other issues.

If the attacks are successful, however, it’s possible that the hypervisor’s operating system could be hacked. This, in turn, would allow cybercriminals to gain control of a hypervisor, which is highly privileged software that controls how resources are shared among virtual machines, and to execute code or install files on those VMs depending on the security controls in place.

Due to its severity, VMware CVE-2021-22045 has to be patched immediately. Details on the available fix can be found on the vendor’s advisory. Presently, ESXi 6.5, 6.7, and 7 (a patch for version 7 is yet to be released), Fusion 12.x, Workstation 16.x, and all versions of VMware Cloud Foundation are the product versions that need to be updated asap.

VMware products are a popular target for numerous cybercriminals. Users of ESXi are particularly vulnerable, according to security specialists, since attackers may target the centralized virtual hard drives that store data from across VMs. This makes ESXi servers a very appealing target for ransomware threat actors because they may attack numerous VMs at once, where each of the VMs could be running business-critical apps or services.

ESXi v.7 users are exposed to the greatest risk since they don’t currently have a fix for this new bug. To get around this, for the time being, VMware has provided a solution that disables CD-ROM and DVD capability.

To do this, go through the following steps:

  • Use the vSphere Web Client to log in to the vCenter Server system.
  • Right-click the virtual machine and select Edit Settings from the context menu.
  • Uncheck “Connected” and “Connect at power on” on the CD/DVD drive that you select.
  • Removing any ISOs from the CD/DVD drive is the next step in this process.

According to the vendor, the following command can be used to discover which VMs are equipped with a CD-ROM or DVD drive:

Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Select Parent

The associated CD-ROM/DVD device can be disconnected with the following command:

Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Set-CDDrive -NoMedia -confirm:$false

Exit mobile version