Critical

VMSA-2022-0004
5.3-8.4
2022-02-15
2022-02-15 (Initial Advisory)
CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050
VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities (CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050)

Share this page on social media

Sign up for Security Advisories

1. Impacted Products
  • VMware ESXi
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)
  • VMware Cloud Foundation (Cloud Foundation)
2. Introduction

Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. 

The individual vulnerabilities documented on this VMSA have severity Important/Moderate but combining these issues may result in higher severity, hence the severity of this VMSA is at severity level Critical.

3a. Use-after-free vulnerability in XHCI USB controller (CVE-2021-22040)

Description

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller.VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.4.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Resolution

To remediate CVE-2021-22040 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2021-22040 have been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0004-qna.

Notes

[1] VMware recommends taking ESXi670-202201001 released on January 25, 2022 over ESXi670-202111101-SG released on November 23, 2021 since ESXi670-202201001 also resolves non-security related issues (documented in https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202201001.html).

Acknowledgements

VMware would like to thank Wei of Kunlun Lab working with the 2021 Tianfu Cup Pwn Contest for reporting this issue to us.

3b. Double-fetch vulnerability in UHCI USB controller (CVE-2021-22041)

Description

VMware ESXi, Workstation, and Fusion contain a double-fetch vulnerability in the UHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.4.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Resolution

To remediate CVE-2021-22041 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2021-22041 have been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0004-qna.

Notes

Successful exploitation of this issue requires an isochronous USB endpoint to be made available to the virtual machine.

 

[1] VMware recommends taking ESXi670-202201001 released on January 25, 2022 over ESXi670-202111101-SG released on November 23, 2021 since ESXi670-202201001 also resolves non-security related issues (documented in https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202201001.html).

Acknowledgements

VMware would like to thank VictorV of Kunlun Lab working with the 2021 Tianfu Cup Pwn Contest for reporting this issue to us.

Response Matrix: - 3a & 3b

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
ESXi
7.0 U3
Any
CVE-2021-22040, CVE-2021-22041
important
ESXi
7.0 U2
Any
CVE-2021-22040, CVE-2021-22041
important
ESXi
7.0 U1
Any
CVE-2021-22040, CVE-2021-22041
important
ESXi
6.7
Any
CVE-2021-22040, CVE-2021-22041
important
ESXi
6.5
Any
CVE-2021-22040, CVE-2021-22041
important
Fusion
12.x
OS X
CVE-2021-22040, CVE-2021-22041
important
Workstation
16.x
Any
CVE-2021-22040, CVE-2021-22041
important

Impacted Product Suites that Deploy Response Matrix 3a & 3b Components:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
Cloud Foundation (ESXi)
4.x
Any
CVE-2021-22040, CVE-2021-22041
important
Cloud Foundation (ESXi)
3.x
Any
CVE-2021-22040, CVE-2021-22041
important
3c. ESXi settingsd unauthorized access vulnerability (CVE-2021-22042)

Description

VMware ESXi contains an unauthorized access vulnerability due to VMX having access to settingsd authorization tickets. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.

Known Attack Vectors

A malicious actor with privileges within the VMX process only, may be able to access settingsd service running as a high privileged user. 

Resolution

To remediate CVE-2021-22042 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0004-qna.

Notes

None.

Acknowledgements

VMware would like to thank Wei of Kunlun Lab working with the 2021 Tianfu Cup Pwn Contest for reporting this issue to us.

3d. ESXi settingsd TOCTOU vulnerability (CVE-2021-22043)

Description

VMware ESXi contains a TOCTOU (Time-of-check Time-of-use) vulnerability that exists in the way temporary files are handled. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.

Known Attack Vectors

A malicious actor with access to settingsd, may exploit this issue to escalate their privileges by writing arbitrary files. 

Resolution

To remediate CVE-2021-22043 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0004-qna.

Notes

None.

Acknowledgements

VMware would like to thank Wei of Kunlun Lab working with the 2021 Tianfu Cup Pwn Contest for reporting this issue to us.

Response Matrix: - 3c & 3d

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
ESXi
7.0 U3
Any
CVE-2021-22042, CVE-2021-22043
important
None
ESXi
7.0 U2
Any
CVE-2021-22042, CVE-2021-22043
important
None
ESXi
7.0 U1
Any
CVE-2021-22042, CVE-2021-22043
important
None
ESXi
6.7
Any
CVE-2021-22042, CVE-2021-22043
N/A
N/A
Unaffected
N/A
N/A
ESXi
6.5
Any
CVE-2021-22042, CVE-2021-22043
N/A
N/A
Unaffected
N/A
N/A

Impacted Product Suites that Deploy Response Matrix 3c & 3d Components:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
Cloud Foundation (ESXi)
4.x
Any
CVE-2021-22042, CVE-2021-22043
important
None
Cloud Foundation (ESXi)
3.x
Any
CVE-2021-22042, CVE-2021-22043
N/A
N/A
Unaffected
N/A
N/A
3e. ESXi slow HTTP POST denial of service vulnerability (CVE-2021-22050)

Description

ESXi contains a slow HTTP POST denial-of-service vulnerability in rhttpproxy. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to ESXi may exploit this issue to create a denial-of-service condition by overwhelming rhttpproxy service with multiple requests.

Resolution

To remediate CVE-2021-22050 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0004-qna.

Notes

[1] VMware recommends taking ESXi670-202201001 released on January 25, 2022 over ESXi670-202111101-SG released on November 23, 2021 since ESXi670-202201001 also resolves non-security related issues (documented in https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202201001.html).

Acknowledgements

VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
ESXi
7.0
Any
CVE-2021-22050
moderate
None
ESXi
6.7
Any
CVE-2021-22050
moderate
None
ESXi
6.5
Any
CVE-2021-22050
moderate
None

Impacted Product Suites that Deploy Response Matrix 3e Components:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
Cloud Foundation (ESXi)
4.x
Any
CVE-2021-22050
moderate
None
Cloud Foundation (ESXi)
3.x
Any
CVE-2021-22050
moderate
None
4. References

VMware ESXi 7.0 ESXi70U3c-19193900
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3c-release-notes.html

 

VMware ESXi 7.0 ESXi70U2e-19290878
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u2e-release-notes.html

 

VMware ESXi 7.0 ESXi70U1e-19324898
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1e.html

 

VMware ESXi 6.7 ESXi670-202111101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202111001.html

 

VMware ESXi 6.5 ESXi650-202202401-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202202001.html

 

VMware ESXi 6.5 ESXi650-202110101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202110001.html

 

VMware Cloud Foundation 4.4
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.4/rn/VMware-Cloud-Foundation-44-Release-Notes.html

VMware Cloud Foundation 3.11
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.11/rn/VMware-Cloud-Foundation-311-Release-Notes.html

 

VMware Workstation Player 16.2.1
https://www.vmware.com/go/downloadplayer
https://docs.vmware.com/en/VMware-Workstation-Player/index.html

 

VMware Fusion 12.2.1
Downloads and Documentation:
https://www.vmware.com/go/downloadfusion
https://docs.vmware.com/en/VMware-Fusion/index.html

 

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22040
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22041
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22043
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22050

 

FIRST CVSSv3 Calculator:
CVE-2021-22040: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-22041: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-22042: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2021-22043: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2021-22050: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5. Change Log

2022-02-15 VMSA-2022-0004
Initial security advisory.

 

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/mailman/listinfo/security-announce 

 

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com  

bugtraq@securityfocus.com  

fulldisclosure@seclists.org 

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055 

 

VMware Security Advisories

https://www.vmware.com/security/advisories 

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2022 VMware Inc. All rights reserved.