The Chinese government was also informed of VMware vulnerabilities revealed at China’s Tianfu Cup hacking event.
VMware stated on Tuesday that it had addressed many high-severity vulnerabilities revealed at a big Chinese hacking competition last year.
The vulnerabilities affect VMware ESXi, Workstation, and Fusion, and they were exploited by Kunlun Lab, the winning team in the 2021 Tianfu Cup hacking competition. For the various exploits demonstrated at Tianfu Cup, Kunlun Lab received a total of more than $650,000.
The organisers of the event offered $80,000 for VMware Workstation exploits that result in a guest-to-host escape and $180,000 for ESXi exploits that allow the attacker to get root access to the host. It’s unclear how much Kunlun Lab made at Tianfu Cup thanks to its VMware exploits.
The vulnerabilities were described as follows in a VMware advisory posted on Tuesday:
CVE-2021-22040 – use-after-free vulnerability in ESXi, Workstation, and Fusion’s XHCI USB controller — allows an attacker with local admin capabilities on a virtual machine (VM) to execute code as the VM’s VMX process on the host;
CVE-2021-22041 – double-fetch vulnerability in ESXi, Workstation, and Fusion’s UHCI USB controller — allows a local attacker with admin access on a VM to execute code as the VMX process running on the host;
CVE-2021-22042 – VMX has access to settingsd authorization tickets, allowing an attacker with privileges within the VMX process to access the settingsd service running as a high-privileged user;
CVE-2021-22043 – the settingsd TOCTOU vulnerability in ESXi, which is related to how temporary files are handled, allows an attacker to escalate privileges by writing arbitrary files.
VMware has published workarounds in addition to patches for ESXi, Workstation, Fusion, and Cloud Foundation. Customers should act quickly to remediate the vulnerabilities, according to the virtualization behemoth.
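Two of the advisory entries above (CVE-2021-22040 and CVE-2021-22041) sit in the XHCI and UHCI USB controller emulation, so a defender's first triage question is which VMs actually have those controllers enabled. The following is an added example, not code from the article or from VMware: it parses the key = "value" lines of .vmx files and flags VMs exposing either controller. The sample VMX contents are constructed, and the controller keys (usb.present for UHCI, usb_xhci.present for XHCI) are the standard VMX settings assumed here; verify them against your own configuration files.

```python
import re

# Constructed sample .vmx contents (not from the article).
SAMPLE_VMX = {
    "web-01.vmx": 'displayName = "web-01"\nusb.present = "TRUE"\nusb_xhci.present = "TRUE"\n',
    "db-01.vmx": 'displayName = "db-01"\nusb.present = "FALSE"\nehci.present = "TRUE"\n',
    "jump-01.vmx": 'displayName = "jump-01"\n',
}

# VMX keys assumed to enable the controllers named in the advisory entries.
CONTROLLER_KEYS = {
    "usb.present": "UHCI (CVE-2021-22041)",
    "usb_xhci.present": "XHCI (CVE-2021-22040)",
}

# One VMX line: key = "value" (quotes optional); keys may contain dots and colons.
_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text):
    """Parse the key = "value" lines of a .vmx file into a dict."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def exposed_controllers(settings):
    """Return labels of the vulnerable USB controllers enabled in a parsed VMX."""
    return [label for key, label in CONTROLLER_KEYS.items()
            if settings.get(key, "FALSE").upper() == "TRUE"]


def triage(vmx_files):
    """Map each affected VM (by displayName, else filename) to its exposed controllers."""
    report = {}
    for name, text in vmx_files.items():
        settings = parse_vmx(text)
        found = exposed_controllers(settings)
        if found:
            report[settings.get("displayName", name)] = found
    return report


if __name__ == "__main__":
    for vm, controllers in triage(SAMPLE_VMX).items():
        print(f"{vm}: {', '.join(controllers)}")
```

VMs that do not appear in the report have neither controller enabled and are outside the scope of those two CVEs, which narrows where emergency patching or the removal of unused USB controllers has to happen first.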
“The repercussions of this vulnerability are substantial, especially if attackers have access to workloads inside your environments,” VMware cautioned in a Q&A post.
“Organizations that use the ITIL definitions of change types to undertake change management would classify this as an ‘emergency change.’ Because every environment is distinct, has a varied risk tolerance, and uses different security measures and defense-in-depth to minimise risk, you must decide how to proceed. However, given the gravity of the situation, we strongly advise you to act,” the business warned.
In the same Q&A post, VMware also stated that the researchers who discovered the vulnerabilities “submitted them to the Chinese government in compliance with their laws.”
A recently enacted regulation requires Chinese citizens who discover zero-day exploits to report them to the authorities. Apart from the affected vendor, researchers are not allowed to sell or distribute the information to third parties outside of China.
In December, it was reported that China’s Ministry of Industry and Information Technology had temporarily halted its engagement with Alibaba Cloud as a cyber threat intelligence partner due to the company’s failure to notify the government about the infamous Log4Shell vulnerability.