VMware escape-to-host vulnerability in USB stack

Overview

VMware has released an update to address a critical escape-to-host vulnerability (CVE-2022-31705) in VMware ESXi, Workstation, and Fusion. Another critical vulnerability (CVE-2022-31702) was found in vRealize Network Insight (vRNI).

Impact

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.

Affected Products

– ESXi 8.0, fixed in ESXi80a-20842819
– ESXi 8.0, fixed in ESXi70U3si-20841705
– Fusion 12.x, fixed in 12.2.5
– Fusion 13.x unaffected
– Workstation 16.x, fixed in 16.2.5
– Workstation 17.x unaffected

Containment, Mitigations & Remediations

VMware has published advice on removing the USB 2.0 controller (EHCI) from a host.

Indicators of Compromise

Not known to be exploited in the wild.

Threat Landscape

An escape-to-host vulnerability can allow an attacker to run code from a virtual machine on the host device. This is useful for accessing other virtualised resources as well as the host and any management network attached to it.

Threat Group

Not known to be exploited in the wild.

Mitre Methodologies

T1068 – Exploitation for Privilege Escalation
T1611 – Escape to Host

Further Information

VMSA-2022-0033 (Escape to Host vulnerability
VMSA-2022-0031 (vNRI vulnerability)