VMware Reveals Critical Hypervisor Bugs. One Lets Guests Run Code on Hosts
Malware Hunter
Jul 27, 2015
VMware has revealed and repaired the flaws in its hypervisor discovered at China’s Tianfu Cup white hat hacking competition.

CVE-2020-4004, rated critical due to its 9.3 on the CVSS scale, is described as a “Use-after-free vulnerability in XHCI USB controller”. It allows a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host. The VMX process runs in the VMkernel and is responsible for handling I/O to devices, so there’s the potential for data exfiltration. The bug needs patching in ESXi from version 6.5, VMware’s Fusion and Workstation desktop hypervisors from versions 11 and 15 respectively, plus VMware Cloud Foundation from version 3.

CVE-2020-4005 is a VMX elevation-of-privilege vulnerability and rated as important with an 8.8 CVSS score. Getting this one to work requires exploitation of the other bug described above. Users of ESXi from version 6.5 and Cloud Foundation from version 3 need to get busy on this one.
Patches are available for the two flaws; download details are on VMware’s security advisory page.