Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



VMware Patches Vulnerabilities Disclosed at Chinese Hacking Contest

VMware on Tuesday announced that it has patched several high-severity vulnerabilities that were disclosed last year at a major Chinese hacking contest.

VMware on Tuesday announced that it has patched several high-severity vulnerabilities that were disclosed last year at a major Chinese hacking contest.

The security holes impact VMware ESXi, Workstation, and Fusion, and they were used at the 2021 Tianfu Cup hacking contest by Kunlun Lab, the team that won the event. Kunlun Lab earned a total of more than $650,000 for a wide range of exploits demonstrated at Tianfu Cup.

The event’s organizers offered $80,000 for VMware Workstation exploits that achieve a guest-to-host escape and $180,000 for ESXi exploits that enable the attacker to obtain root permissions on the host. It’s unclear exactly how much Kunlun Lab earned for its VMware exploits at Tianfu Cup.

In an advisory released on Tuesday, VMware provided the following description for the vulnerabilities:

  • CVE-2021-22040 – use-after-free vulnerability in XHCI USB controller of ESXi, Workstation, and Fusion — allows an attacker with local admin privileges on a virtual machine (VM) to execute code as the VMs VMX process running on the host; 
  • CVE-2021-22041 – double-fetch vulnerability in UHCI USB controller of ESXi, Workstation, and Fusion — allows a local attacker with admin privileges on a VM to execute code as the VMX process running on the host;
  • CVE-2021-22042 – settingsd unauthorized access vulnerability in ESXi — related to VMX having access to settingsd authorization tickets, allowing an attacker with privileges within the VMX process to access the settingsd service running as a high-privileged user;
  • CVE-2021-22043 – settingsd TOCTOU vulnerability in ESXi — related to the way temporary files are handled, allows an attacker to escalate privileges by writing arbitrary files.

In addition to patches for ESXi, Workstation, Fusion and Cloud Foundation, VMware has made available workarounds. The virtualization giant has advised customers to immediately take steps to address the vulnerabilities.

“The ramifications of this vulnerability are serious, especially if attackers have access to workloads inside your environments,” VMware warned in a Q&A document that provides additional clarifications.

“Organizations that practice change management using the ITIL definitions of change types would consider this an ‘emergency change.’ All environments are different, have different tolerance for risk, and have different security controls and defense-in-depth to mitigate risk, so the decision on how to proceed is up to you. However, given the severity, we strongly recommend that you act,” the company added.

VMware initially noted in the same document that these vulnerabilities “were reported to the Chinese government by the researchers that discovered them, in accordance with their laws.” However, the company later removed that sentence.

Advertisement. Scroll to continue reading.

There were reports last year about a new law instructing Chinese citizens who find zero-days to pass the details to the government. Researchers would not be allowed to sell or give the information to third-parties outside of China, apart from the affected vendor.

However, a Chinese researcher who wished to remain anonymous told SecurityWeek that there is no law or regulation forcing researchers to disclose vulnerabilities to the Chinese government. 

* Article and headline updated after VMware removed the sentence about the vulnerabilities being reported to the Chinese government. Also adds information from a source that researchers are not required to report vulnerabilities to the Chinese government.

Related: Apple Patches Vulnerabilities That Earned Hackers $600,000 at Chinese Contest

Related: Adobe Patches Reader Flaws That Earned Hackers $150,000 at Chinese Contest

Related: Chrome 95 Update Patches Exploited Zero-Days, Flaws Disclosed at Tianfu Cup

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.