VMware on Tuesday announced that it has patched several high-severity vulnerabilities that were disclosed last year at a major Chinese hacking contest.
The security holes impact VMware ESXi, Workstation, and Fusion, and they were used at the 2021 Tianfu Cup hacking contest by Kunlun Lab, the team that won the event. Kunlun Lab earned a total of more than $650,000 for a wide range of exploits demonstrated at Tianfu Cup.
The event’s organizers offered $80,000 for VMware Workstation exploits that achieve a guest-to-host escape and $180,000 for ESXi exploits that enable the attacker to obtain root permissions on the host. It’s unclear exactly how much Kunlun Lab earned for its VMware exploits at Tianfu Cup.
In an advisory released on Tuesday, VMware provided the following description for the vulnerabilities:
- CVE-2021-22040 – use-after-free vulnerability in XHCI USB controller of ESXi, Workstation, and Fusion — allows an attacker with local admin privileges on a virtual machine (VM) to execute code as the VMs VMX process running on the host;
- CVE-2021-22041 – double-fetch vulnerability in UHCI USB controller of ESXi, Workstation, and Fusion — allows a local attacker with admin privileges on a VM to execute code as the VMX process running on the host;
- CVE-2021-22042 – settingsd unauthorized access vulnerability in ESXi — related to VMX having access to settingsd authorization tickets, allowing an attacker with privileges within the VMX process to access the settingsd service running as a high-privileged user;
- CVE-2021-22043 – settingsd TOCTOU vulnerability in ESXi — related to the way temporary files are handled, allows an attacker to escalate privileges by writing arbitrary files.
In addition to patches for ESXi, Workstation, Fusion and Cloud Foundation, VMware has made available workarounds. The virtualization giant has advised customers to immediately take steps to address the vulnerabilities.
“The ramifications of this vulnerability are serious, especially if attackers have access to workloads inside your environments,” VMware warned in a Q&A document that provides additional clarifications.
“Organizations that practice change management using the ITIL definitions of change types would consider this an ‘emergency change.’ All environments are different, have different tolerance for risk, and have different security controls and defense-in-depth to mitigate risk, so the decision on how to proceed is up to you. However, given the severity, we strongly recommend that you act,” the company added.
VMware initially noted in the same document that these vulnerabilities “were reported to the Chinese government by the researchers that discovered them, in accordance with their laws.” However, the company later removed that sentence.
There were reports last year about a new law instructing Chinese citizens who find zero-days to pass the details to the government. Researchers would not be allowed to sell or give the information to third-parties outside of China, apart from the affected vendor.
However, a Chinese researcher who wished to remain anonymous told SecurityWeek that there is no law or regulation forcing researchers to disclose vulnerabilities to the Chinese government.
* Article and headline updated after VMware removed the sentence about the vulnerabilities being reported to the Chinese government. Also adds information from a source that researchers are not required to report vulnerabilities to the Chinese government.