An anonymous reader cites a report from Ars Technica. VMware has patched critical vulnerabilities that could allow hackers to bypass sandbox and hypervisor protections in all versions of VMware ESXi, Workstation, Fusion, and Cloud Foundation products, including versions that are no longer supported. The company is encouraging customers to apply the patches. A series of four vulnerabilities, two of which have a severity rating of 9.3 out of 10, is serious because it undermines the fundamental purpose of VMware products: performing sensitive operations within virtual machines isolated from the host machine. VMware officials said the possibility of hypervisor escape requires immediate action based on the company's IT Infrastructure Library, a process commonly abbreviated as ITIL.
“In ITIL terminology, this situation qualifies as an emergency change and requires immediate action from the organization,” officials wrote in the post. “However, the appropriate security response depends on the specific circumstances.” One of the specific circumstances concerns which vulnerable product the customer is using, and another concerns whether and how the product is placed behind a firewall. The VMware advisory indicates how the vulnerabilities tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255 impact each vulnerable product. It contained the following matrices: […]. Three of the vulnerabilities affect USB controllers that products use to support peripherals such as keyboards and mice.
VMware's parent company, Broadcom, is urging customers to patch vulnerable products. As a workaround, users can remove the USB controller from the vulnerable virtual machine, but Broadcom emphasized that this measure may reduce virtual console functionality and should be viewed only as a temporary solution. In an article explaining how to remove a USB controller, officials wrote: “A workaround is to remove all USB controllers from the virtual machine. As a result, USB passthrough functionality will not be available. Additionally, virtual/emulated USB devices, VMware virtual USB sticks or dongles will In contrast, the default keyboard/mouse as an input device is not affected as it is not connected via the USB protocol by default, but it is not affected if it has a driver that connects via the USB protocol. Software device emulation in the guest operating system.
Important:
Certain guest operating systems, such as Mac OS, do not support the use of PS/2 mice and keyboards. Without a USB controller, these guest operating systems will be left without a mouse or keyboard.”
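
A check that inventories which virtual machines still need the workaround described above, added here as an example and not taken from VMware, Broadcom or Ars Technica. It assumes VM settings are available as `.vmx` text, that USB controllers appear as the `usb.present`, `ehci.present` and `usb_xhci.present` keys, and that macOS guests carry a `guestOS` value starting with `darwin`; the sample configurations are constructed.

```python
import re

# VMX keys that enable a virtual USB controller (UHCI, EHCI, xHCI).
USB_CONTROLLER_KEYS = ("usb.present", "ehci.present", "usb_xhci.present")
_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse key = "value" lines of a .vmx file into a dict (keys lowercased)."""
    config = {}
    for line in text.splitlines():
        match = _LINE.match(line)  # comment and blank lines do not match
        if match:
            config[match.group(1).lower()] = match.group(2)
    return config

def audit_usb(text):
    """Report enabled USB controllers and whether removing them costs the guest its input."""
    config = parse_vmx(text)
    enabled = [k for k in USB_CONTROLLER_KEYS
               if config.get(k, "FALSE").upper() == "TRUE"]
    guest = config.get("guestos", "")
    # Assumption: macOS guests (no PS/2 support) have guestOS starting with "darwin".
    needs_usb_input = guest.lower().startswith("darwin")
    return {
        "name": config.get("displayname", "<unnamed>"),
        "usb_controllers": enabled,
        "workaround_pending": bool(enabled),
        "loses_input_if_removed": bool(enabled) and needs_usb_input,
    }

# Constructed sample configurations, not taken from any real host.
SAMPLE_LINUX = '''
displayName = "build-agent-01"
guestOS = "ubuntu-64"
usb.present = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "FALSE"
'''
SAMPLE_MAC = '''
displayName = "mac-ci"
guestOS = "darwin19-64"
usb_xhci.present = "TRUE"
'''
SAMPLE_CLEAN = 'displayName = "db-01"\nguestOS = "windows2019srv-64"\n'

if __name__ == "__main__":
    for sample in (SAMPLE_LINUX, SAMPLE_MAC, SAMPLE_CLEAN):
        print(audit_usb(sample))
```

Guests flagged with `loses_input_if_removed` are the ones for which the workaround leaves no mouse or keyboard, so patching is the only practical fix for them.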