
Patch Now: VMware Fixed CVE-2021-22045 Heap-Overflow Vulnerability

Posted on Jan 28, 2022 | By Pavithra Shankar

On January 04, 2022, VMware published security fixes for its Workstation, Fusion, and ESXi products to address a heap-overflow vulnerability identified as CVE-2021-22045. An attacker inside a guest on the affected VMware platforms can abuse the virtual CD-ROM device to execute malicious code in the hypervisor; however, not all products have been fixed yet.

Users of ESXi version 7 are still waiting for a complete fix for this high-severity heap-overflow flaw; in the meantime, Cloud Foundation, Fusion, and Workstation users should install the available patches straight away.

The CVSS v3 base score for this vulnerability is 7.8, which is classified as "high" severity. A heap overflow is a memory-safety bug in which a write runs past the end of a heap allocation; it can corrupt data or introduce unexpected behavior into any process using the affected memory region, in some cases resulting in remote code execution (RCE) or denial of service (DoS).

Affected Products

The vulnerability affects Windows, Linux, and Mac users throughout the virtualization specialist's portfolio.

| CVE Identifier | Product | Version | Running On | CVSSv3 | Severity | Fixed Version | Workarounds |
|---|---|---|---|---|---|---|---|
| CVE-2021-22045 | ESXi | 7 | Any | 7.7 | Important | Patch Pending | KB87249 |
| CVE-2021-22045 | ESXi | 6.7 | Any | 7.7 | Important | ESXi670-202111101-SG | KB87249 |
| CVE-2021-22045 | ESXi | 6.5 | Any | 7.7 | Important | ESXi650-202110101-SG | KB87249 |
| CVE-2021-22045 | Workstation | 16.x | Any | 7.7 | Important | 16.2.0 | KB87206 |
| CVE-2021-22045 | Fusion | 12.x | OS X | 7.7 | Important | 12.2.0 | KB87207 |
| CVE-2021-22045 | VMware Cloud Foundation (ESXi) | 4.x | Any | 7.7 | Important | Patch Pending | KB87249 |
| CVE-2021-22045 | VMware Cloud Foundation (ESXi) | 3.x | Any | 7.7 | Important | Patch Pending | KB87249 |

Knotted But Still Exploitable

The flaw allows an untrusted guest OS user to run code on the hypervisor; nevertheless, "an attacker would not have control over the data produced, making exploitation difficult." A successful attacker can compromise the hypervisor's host operating system.

A hypervisor is software that creates and runs virtual machines and governs how resources (such as memory and processing) are shared among them. Taking control of a hypervisor gives an attacker a direct path to any data or applications stored in the VMs it manages, as well as the ability to execute code or install files on those virtual machines.

ESXi Users Are at High Risk

The ESXi hypervisor is a bare-metal hypervisor that runs directly on a server and splits it into several virtual machines (VMs). The lack of a fix for ESXi 7 is all the more concerning because VMware environments are a popular target for cybercriminals and ransomware gangs.

On January 10, 2022, researchers observed that newer versions of the AvosLocker malware include capabilities for encrypting Linux computers, with a specific focus on VMware ESXi virtual machines.

Mitigations: Disable Now!

VMware advises customers to disable the CD-ROM/DVD drives on all running virtual machines to prevent potential exploitation:

  1. Log in to a vCenter Server system using the vSphere Web Client.

  2. Right-click the virtual machine and click Edit Settings.

  3. Select the CD/DVD drive, uncheck "Connected" and "Connect at power on", and remove any attached ISOs.
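Clicking through Edit Settings works for a handful of VMs, but the exposure is per VM and an estate can have hundreds of them. The following PowerCLI script is an added example (it is not from the CSW post or from VMware's KB articles): it audits every VM for CD/DVD drives that are connected, set to connect at power on, or backed by an ISO, reports them, and, only when `-Remediate` is given, applies the same three changes the steps above describe. `Get-CDDrive` and `Set-CDDrive` are standard VMware.PowerCLI cmdlets; the `Get-ExposedCDDrive` wrapper function and the vCenter hostname are this example's own placeholders.

```powershell
# Added example (not from the CSW post or VMware KB87249): audit and, on request,
# disconnect CD/DVD drives across all VMs. Requires VMware.PowerCLI and rights to
# reconfigure VMs. Default run is audit only; pass -Remediate to apply changes,
# and add -WhatIf to see what would change without touching anything.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder vCenter name; replace with your own server.
    [string]$Server = 'vcenter.example.internal',
    [switch]$Remediate
)

Import-Module VMware.PowerCLI -ErrorAction Stop

if (-not $global:DefaultVIServer) {
    Connect-VIServer -Server $Server | Out-Null
}

function Get-ExposedCDDrive {
    # A drive widens the attack surface if it is currently connected, will
    # connect at power on, or still has an ISO attached.
    Get-VM | Get-CDDrive | Where-Object {
        $_.ConnectionState.Connected -or
        $_.ConnectionState.StartConnected -or
        -not [string]::IsNullOrEmpty($_.IsoPath)
    }
}

$exposed = @(Get-ExposedCDDrive)

# Audit report: one row per exposed drive.
$exposed |
    Select-Object @{ n = 'VM';             e = { $_.Parent.Name } },
                  @{ n = 'PowerState';     e = { $_.Parent.PowerState } },
                  @{ n = 'Connected';      e = { $_.ConnectionState.Connected } },
                  @{ n = 'StartConnected'; e = { $_.ConnectionState.StartConnected } },
                  IsoPath |
    Format-Table -AutoSize

Write-Host "$($exposed.Count) exposed CD/DVD drive(s) found."

if ($Remediate) {
    foreach ($drive in $exposed) {
        $vmName = $drive.Parent.Name
        if ($PSCmdlet.ShouldProcess($vmName, 'Detach ISO and disable CD/DVD drive')) {
            # -NoMedia removes the ISO backing; -StartConnected:$false clears
            # "Connect at power on". "Connected" is a live-device state, so it is
            # only cleared on VMs that are actually running.
            if ($drive.Parent.PowerState -eq 'PoweredOn') {
                Set-CDDrive -CD $drive -NoMedia -Connected:$false -StartConnected:$false -Confirm:$false | Out-Null
            } else {
                Set-CDDrive -CD $drive -NoMedia -StartConnected:$false -Confirm:$false | Out-Null
            }
        }
    }

    # Re-audit so the final message reflects the real end state, not intent.
    $remaining = @(Get-ExposedCDDrive)
    if ($remaining.Count -gt 0) {
        Write-Warning "$($remaining.Count) drive(s) still exposed; review the VM tasks and events for failed reconfigurations."
    } else {
        Write-Host 'All CD/DVD drives are detached and disconnected.'
    }
}
```

Run it once without switches to get the inventory, then with `-Remediate -WhatIf` to preview the reconfiguration, and finally with `-Remediate` to apply it. The second audit at the end is deliberate: a reconfigure task can fail on a VM that is mid-migration or locked by a backup job, and a script that only reports what it attempted would leave those drives exposed without anyone noticing.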

 
