March 06th, 2024 - Alisa Esage
1. Vmware just released security patches for four critical vulnerabilities that affect their entire core hypervisor stack: CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255. 2. The bugs were publicly exploited at Tianfu Cup 2023 hacking contest, which is currently the Chinese (and really the only one, globally) competitor to Pwn2Own competitions. There is no technical disclosures publicly available today. 3. Three out of four bugs were found in the code of emulated USB controllers: XHCI & UHCI. The nature of the fourth bug (CVE-2024-22254) is unclear, and it affects ESXi hypervisor only. 4. Regarding severity rating: they are just ordinary code execution bugs which allow (when chained together) a full VM escape. There is nothing special about these bugs. The only reason why Critical severity was assigned here is the publicly demonstrated exploit. In fact, dozens of bugs identical to these (though not necessarily in USB emulation) are being found and patched in hypervisors on a regular basis, with a humbler severity rating. 5. Vulnerabilities in USB emulated devices are actually quite common, although hard to fuzz. Many Pwn competitions in the past showed hypervisor exploits based on bugs in USB emulated devices. 6. All the different USB hardware technologies - OHCI, UHCI, eHCI, xHCI - are based on the same core system, while differing greatly in complexity. xHCI in particular is extremely complex. As hypervisors emulate hardware USB technologies, they implement the entire hardware specification abstraction in code. This is the reason why considerable numbers of security bugs were historically found in USB emulators. 7. In terms of hypervisor hardening, USB emulation code is one of the first candidates for elimination as attack surface reduction. 8. Most common classes of bugs in USB emulated devices are buffer overflows and use-after-free issues. Concrete examples: unchecked fields in USB data descriptors, dangling pointers due to poorly managed DMA mapping/unpapping operations, and generally lack of sanitization of guest-provided kernel device driver data. 9. Exploitation of emulated devices in hypervisors typically requires elevated privileges on the Virtual Machine, and the exploit would go through the guest OS kernel. 10. The distribution of affected products here hints upon the fraction of core hypervisor code which is shared in the vendor's base.
High-level workflow of security patch analysis with reverse-engineering proprietary hypervisor code to reproduce the exploit - device emulation: check this blog post. This specific workflow is actually included as a series of practical exercises in our Hypervisor Vulnerability Research training, from reverse engineering the security patch to prototyping the proof-of-concept, plus all the background theory. The same bug pattern was behind one of the USB emulated device exploits in the past - xHCI (Pwn2Own 2017). Which is a common sample of use-after-free bug in *HCI controllers.
Vmware advisory with product versions and patching instructions
Masterclasses: Hypervisor Security Nightly (4-hour ultra-specialized deep dives, take the 101 class to check if hypervisor VR is your thing) Training course: Zero Day Vulnerability Research (32 hours, systematic universal foundation) Training course: Hypervisor Vulnerability Research (32 hours, vulnerability research specialization)