CVE-2021-22043: VMSA-2022-0004
VMware ESXi contains a TOCTOU (Time-of-check Time-of-use) vulnerability that exists in the way temporary files are handled. A malicious actor with access to settingsd may exploit this issue to escalate their privileges by writing arbitrary files.
Advisory ID: VMSA-2022-0004
CVSSv3 Range: 5.3-8.4
Issue Date: 2022-02-15
Updated On: 2022-02-15 (Initial Advisory)
CVE(s): CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050
Synopsis: VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities (CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050)
**1. Impacted Products**
- VMware ESXi
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- VMware Cloud Foundation (Cloud Foundation)
**2. Introduction**
Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
The individual vulnerabilities documented in this VMSA are rated Important or Moderate, but combining these issues may result in higher severity, so the overall severity of this VMSA is Critical.
**3a. Use-after-free vulnerability in XHCI USB controller (CVE-2021-22040)**
VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.4.
A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.
To remediate CVE-2021-22040 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
Workarounds for CVE-2021-22040 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.
VMware would like to thank Wei of Kunlun Lab working with the 2021 Tianfu Cup Pwn Contest for reporting this issue to us.
**3b. Double-fetch vulnerability in UHCI USB controller (CVE-2021-22041)**
VMware ESXi, Workstation, and Fusion contain a double-fetch vulnerability in the UHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.4.
A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.
To remediate CVE-2021-22041 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
Workarounds for CVE-2021-22041 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.
Successful exploitation of this issue requires an isochronous USB endpoint to be made available to the virtual machine.
[1] VMware recommends taking ESXi670-202201001 released on January 25, 2022 over ESXi670-202111101-SG released on November 23, 2021 since ESXi670-202201001 also resolves non-security related issues (documented in https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202201001.html).
VMware would like to thank VictorV of Kunlun Lab working with the 2021 Tianfu Cup Pwn Contest for reporting this issue to us.
Response Matrix: - 3a & 3b
Impacted Product Suites that Deploy Response Matrix 3a & 3b Components:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Cloud Foundation (ESXi) | 4.x | Any | CVE-2021-22040, CVE-2021-22041 | 8.4 | important | KB87646 (4.4) | KB87349 | FAQ |
| Cloud Foundation (ESXi) | 3.x | Any | CVE-2021-22040, CVE-2021-22041 | 8.4 | important | 3.11 | KB87349 | FAQ |

**3c. ESXi settingsd unauthorized access vulnerability (CVE-2021-22042)**
VMware ESXi contains an unauthorized access vulnerability due to VMX having access to settingsd authorization tickets. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.
A malicious actor with privileges within the VMX process only may be able to access the settingsd service running as a high-privileged user.
To remediate CVE-2021-22042 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
VMware would like to thank Wei of Kunlun Lab working with the 2021 Tianfu Cup Pwn Contest for reporting this issue to us.
**3d. ESXi settingsd TOCTOU vulnerability (CVE-2021-22043)**
VMware ESXi contains a TOCTOU (Time-of-check Time-of-use) vulnerability that exists in the way temporary files are handled. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.
A malicious actor with access to settingsd may exploit this issue to escalate their privileges by writing arbitrary files.
To remediate CVE-2021-22043 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
VMware would like to thank Wei of Kunlun Lab working with the 2021 Tianfu Cup Pwn Contest for reporting this issue to us.
Response Matrix: - 3c & 3d

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ESXi | 7.0 U3 | Any | CVE-2021-22042, CVE-2021-22043 | 8.2 | important | ESXi70U3c-19193900 | None | FAQ |
| ESXi | 7.0 U2 | Any | CVE-2021-22042, CVE-2021-22043 | 8.2 | important | ESXi70U2e-19290878 | None | FAQ |
| ESXi | 7.0 U1 | Any | CVE-2021-22042, CVE-2021-22043 | 8.2 | important | ESXi70U1e-19324898 | None | FAQ |
| ESXi | 6.7 | Any | CVE-2021-22042, CVE-2021-22043 | N/A | N/A | Unaffected | N/A | N/A |
| ESXi | 6.5 | Any | CVE-2021-22042, CVE-2021-22043 | N/A | N/A | Unaffected | N/A | N/A |

Impacted Product Suites that Deploy Response Matrix 3c & 3d Components:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Cloud Foundation (ESXi) | 4.x | Any | CVE-2021-22042, CVE-2021-22043 | 8.2 | important | KB87646 (4.4) | None | FAQ |
| Cloud Foundation (ESXi) | 3.x | Any | CVE-2021-22042, CVE-2021-22043 | N/A | N/A | Unaffected | N/A | N/A |

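
The following is an added example, not part of the VMware advisory: a small check that classifies a standalone ESXi host against the fixed builds listed for CVE-2021-22042 and CVE-2021-22043 in Response Matrix 3c & 3d. It assumes the two-line banner format printed by `vmware -vl`; the function names and the sample banners are constructed for illustration.

```python
import re

# Fixed builds for CVE-2021-22042 / CVE-2021-22043, copied from the
# ESXi rows of Response Matrix 3c & 3d in this advisory.
FIXED_BUILDS = {
    ("7.0", 3): 19193900,  # ESXi70U3c-19193900
    ("7.0", 2): 19290878,  # ESXi70U2e-19290878
    ("7.0", 1): 19324898,  # ESXi70U1e-19324898
}
UNAFFECTED_RELEASES = {"6.7", "6.5"}  # listed as "Unaffected" in the matrix


def parse_vmware_vl(banner):
    """Return (release, update, build) parsed from `vmware -vl` output."""
    m_build = re.search(r"VMware ESXi (\d+\.\d+)\.\d+ build-(\d+)", banner)
    if not m_build:
        raise ValueError("unrecognised version banner")
    m_update = re.search(r"VMware ESXi [\d.]+ Update (\d+)", banner)
    update = int(m_update.group(1)) if m_update else 0  # 0 = GA / no update line
    return m_build.group(1), update, int(m_build.group(2))


def settingsd_status(banner):
    """Classify a host as fixed, vulnerable, unaffected or not-listed."""
    release, update, build = parse_vmware_vl(banner)
    if release in UNAFFECTED_RELEASES:
        return "unaffected"
    fixed = FIXED_BUILDS.get((release, update))
    if fixed is None:
        return "not-listed"  # release/update line has no row in the matrix
    # Compare only within the same update line: a 7.0 U2 build can be
    # numerically higher than the 7.0 U3 fix and still lack the U2 patch.
    return "fixed" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners (build numbers chosen for illustration).
    samples = [
        "VMware ESXi 7.0.3 build-19193900\nVMware ESXi 7.0 Update 3",
        "VMware ESXi 7.0.2 build-19200000\nVMware ESXi 7.0 Update 2",
        "VMware ESXi 6.7.0 build-19000000\nVMware ESXi 6.7.0 Update 3",
    ]
    for banner in samples:
        print(banner.splitlines()[0], "->", settingsd_status(banner))
```

A result of `not-listed` means the host's release and update line has no row in the matrix above, so it needs to be checked against the advisory directly.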
**3e. ESXi slow HTTP POST denial of service vulnerability (CVE-2021-22050)**
ESXi contains a slow HTTP POST denial-of-service vulnerability in rhttpproxy. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
A malicious actor with network access to ESXi may exploit this issue to create a denial-of-service condition by overwhelming the rhttpproxy service with multiple requests.
To remediate CVE-2021-22050 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
VMware would like to thank George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC for reporting this issue to us.
Impacted Product Suites that Deploy Response Matrix 3e Components:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Cloud Foundation (ESXi) | 4.x | Any | CVE-2021-22050 | 5.3 | moderate | KB87646 (4.4) | None | FAQ |
| Cloud Foundation (ESXi) | 3.x | Any | CVE-2021-22050 | 5.3 | moderate | 3.11 | None | FAQ |

**4. References**
**5. Change Log**
2022-02-15 VMSA-2022-0004
Initial security advisory.
**6. Contact**