CVE-2022-31705: VMSA-2022-0033
VMware ESXi, Workstation, and Fusion contain a heap out-of-bounds write vulnerability in the USB 2.0 controller (EHCI). A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.
Advisory ID: VMSA-2022-0033
CVSSv3 Range: 5.9-9.3
Issue Date: 2022-12-13
Updated On: 2022-12-13 (Initial Advisory)
CVE(s): CVE-2022-31705
Synopsis: VMware ESXi, Workstation, and Fusion updates address a heap out-of-bounds write vulnerability (CVE-2022-31705)
**1. Impacted Products**
- VMware ESXi
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- VMware Cloud Foundation
**2. Introduction**
A heap out-of-bounds write vulnerability in VMware ESXi, Workstation, and Fusion was privately reported to VMware. Updates and workarounds are available to remediate this vulnerability in affected VMware products.
**3. Heap out-of-bounds write vulnerability in EHCI controller (CVE-2022-31705)**
VMware ESXi, Workstation, and Fusion contain a heap out-of-bounds write vulnerability in the USB 2.0 controller (EHCI). VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.
A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.
To remediate CVE-2022-31705, apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
Workarounds for CVE-2022-31705 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.
VMware would like to thank the organizers of GeekPwn 2022 and Yuhao Jiang for reporting this issue to us.
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 8.0 | Any | CVE-2022-31705 | 5.9 | moderate | ESXi80a-20842819 | KB87617 | None |
| ESXi | 7.0 | Any | CVE-2022-31705 | 5.9 | moderate | ESXi70U3si-20841705 | KB87617 | None |
| Fusion | 13.x | OS X | CVE-2022-31705 | N/A | N/A | Unaffected | N/A | N/A |
| Fusion | 12.x | OS X | CVE-2022-31705 | 9.3 | critical | 12.2.5 | KB79712 | None |
| Workstation | 17.x | Any | CVE-2022-31705 | N/A | N/A | Unaffected | N/A | N/A |
| Workstation | 16.x | Any | CVE-2022-31705 | 9.3 | critical | 16.2.5 | KB79712 | None |
Impacted Product Suites that Deploy Response Matrix Components:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Cloud Foundation (ESXi) | 4.x/3.x | Any | CVE-2022-31705 | 5.9 | moderate | KB90336 | KB87617 | None |
**4. References**
**5. Change Log**
2022-12-13 VMSA-2022-0033
Initial security advisory.
**6. Contact**