VMware has issued an updated fix for a critical-severity remote code execution flaw in its ESXi hypervisor. The two flaws covered by the update were demonstrated during a hacking competition in China and affect ESXi versions 6.5, 6.7 and 7.0.
The more severe of the two, CVE-2020-4004, is a use-after-free vulnerability with a CVSS score of 9.3/10. It lives in ESXi's emulated XHCI USB controller; XHCI is the specification that defines the register-level interface a host controller exposes for USB 3.x ports.
A malicious actor with local administrative privileges on a virtual machine can exploit this flaw to execute code as that VM's VMX process on the host. VMX is the per-VM user-world process that runs on top of the VMkernel and handles I/O for devices that are not performance-critical (the emulated USB controller among them), which is why a bug there lets the attacker break out of the guest.
The other ESXi flaw, CVE-2020-4005, is an elevation-of-privilege vulnerability with a CVSS score of 8.8/10. An attacker who already holds privileges within the VMX process can use it to escalate privileges on the affected system. It is harder to exploit on its own because:
- the attacker first needs privileges within the VMX process, and
- the exploit only succeeds when chained with a different vulnerability, such as CVE-2020-4004.
VMware had already released a workaround in October, but in November it found further vulnerable cases because earlier ESXi versions were not covered by that fix. This update closes that gap.
| Product name | CVE code | CVE code description |
| --- | --- | --- |
| VMware ESXi | CVE-2020-4004 | Use-after-free vulnerability |
| VMware ESXi | CVE-2020-4005 | Privilege-escalation vulnerability |
Run the ESXi Vulnerability Report
It is critical that you update affected ESXi hosts at the earliest opportunity so that you don't fall prey to these vulnerabilities. Have a look at our report library, where we've issued a dedicated ESXi Vulnerability Audit Report that gives you an instant overview of all affected hosts and their patch status.
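The following script is an added example, not Lansweeper's report logic and not VMware's code, of the two checks a practitioner would want for these advisories: whether an ESXi host's build is at or past the fixed build for its release line, and whether a VM on an unpatched host still exposes the emulated XHCI (USB 3.x) controller that CVE-2020-4004 lives in. It assumes the controller is configured through the `usb_xhci.present` key in the VM's `.vmx` file, and the fixed-build numbers in `FIXED_BUILDS` are my reading of VMware's advisory, not values from this page, so verify them before relying on the script. The inventory is constructed inline so the example runs offline.

```python
import re
from dataclasses import dataclass

# ASSUMED minimum fixed ESXi build per release line. The page does not list these;
# they are taken from my reading of VMware's advisory and must be verified.
FIXED_BUILDS = {
    "6.5": 17167537,
    "6.7": 17167734,
    "7.0": 17168206,
}

# .vmx files are flat `key = "value"` lines; this regex captures both parts.
_VMX_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse .vmx text into a dict with lower-cased keys. Comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def has_xhci_controller(vmx_cfg):
    """True if the VM has a virtual USB 3.x (xHCI) controller attached (assumed key name)."""
    return vmx_cfg.get("usb_xhci.present", "").strip().upper() == "TRUE"


def host_is_patched(version, build):
    """True if the host build is at or beyond the assumed fixed build for its release line.
    Unknown release lines are treated as unpatched, which is the conservative choice."""
    fixed = FIXED_BUILDS.get(version)
    return fixed is not None and build >= fixed


@dataclass
class Host:
    name: str
    version: str      # release line, e.g. "6.7"
    build: int        # ESXi build number
    vms: dict         # VM name -> raw .vmx text


def audit(hosts):
    """Return (host, vm, status) findings for VMs on unpatched hosts.

    EXPOSED   = unpatched host and the VM still has an xHCI controller (CVE-2020-4004 reachable).
    MITIGATED = unpatched host but no xHCI controller (controller removed; still patch the host).
    Patched hosts produce no findings.
    """
    findings = []
    for h in hosts:
        if host_is_patched(h.version, h.build):
            continue
        for vm_name, vmx_text in h.vms.items():
            status = "EXPOSED" if has_xhci_controller(parse_vmx(vmx_text)) else "MITIGATED"
            findings.append((h.name, vm_name, status))
    return findings


# Constructed sample inventory (not real hosts). esx01 and esx03 sit at the assumed fixed
# builds; esx02 is on the 7.0 GA build and therefore unpatched.
SAMPLE_HOSTS = [
    Host("esx01", "6.7", 17167734, {
        "web01": '.encoding = "UTF-8"\nusb_xhci.present = "TRUE"\n',
    }),
    Host("esx02", "7.0", 15843807, {
        "db01": '.encoding = "UTF-8"\nusb_xhci.present = "TRUE"\n',
        "app01": '.encoding = "UTF-8"\n# xHCI removed as a workaround\nusb_xhci.present = "FALSE"\n',
    }),
    Host("esx03", "6.5", 17167537, {
        "file01": 'usb_xhci.present = "TRUE"\n',
    }),
]

if __name__ == "__main__":
    for host, vm, status in audit(SAMPLE_HOSTS):
        print(f"{host}\t{vm}\t{status}")
```

In a real environment the `vms` dictionary would be filled from the datastore or from the VM's configuration as reported by vCenter, and `FIXED_BUILDS` from the advisory you are acting on; the point of the example is that host patch level and per-VM controller exposure are separate questions and both belong in the report.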
If you haven't already, start your free trial of Lansweeper to run the ESXi Vulnerability Report. Make sure to subscribe via the form below if you want to receive the latest vulnerability reports and bonus network reports.