Security Advisory 2022-001

Release Date:

Important Vulnerability in VMWare

History:

  • 06/01/2022 --- v1.0 -- Initial publication

Summary

On the 4th of January 2022, VMware released a security alert for a vulnerability affecting VMware Workstation, Fusion, ESXi Server and Cloud Foundation [1]. The vulnerability, tracked as CVE-2021-22045, is rated Important with a CVSSv3 score of 7.7. A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit a heap overflow vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine.

Successful exploitation requires a CD image to be attached to the virtual machine.

Technical Details

This is a heap-overflow vulnerability located in CD-ROM device emulation in VMware Workstation, Fusion and ESXi that was privately reported to VMware.

Affected Products

The following products are affected by the vulnerability:

| Product | Affected Versions | Platform |
|---|---|---|
| VMware ESXi | 6.5, 6.7, 7 | Any |
| VMware Workstation | 16.x | Any |
| VMware Fusion | 12.x | OS X |
| VMware Cloud Foundation (ESXi) | 3.x, 4.x | Any |

All previous releases of VMware ESXi 6.5 and 6.7 are vulnerable.

Recommendations

VMware has released updates and workarounds that fix CVE-2021-22045 [2,3,4], including a general workaround [4] showing how to disable CD-ROM/DVD devices on all running virtual machines. The workaround is meant as a temporary measure until the updates documented in [1] can be deployed.

CERT-EU strongly recommends patching as per the table below:

| Product | Fixed Version | Workaround |
|---|---|---|
| VMware ESXi 6.5 | ESXi650-202111101-SG, 6.5 P07, Build number 18678235 [2] | as per [4] |
| VMware ESXi 6.7 | ESXi670-202110101-SG, 6.7 P06, Build number 18828794 [3] | as per [4] |
| VMware ESXi 7 | Pending | [4] |
| VMware Workstation 16.x | 16.2.0 | [5] |
| VMware Fusion 12.x | 12.2.0 | [5] |
| VMware Cloud Foundation (ESXi) 3.x, 4.x | Pending | [4] |

There is no requirement to implement the workaround once the recommended upgrade is complete.
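The following PowerCLI script is an added example and is not part of this advisory or of VMware's knowledge base articles. It audits a vSphere environment for the two conditions described above: ESXi hosts whose build number is below the fixed builds listed in the table (every 7.x host is reported because its fix is pending), and powered-on virtual machines with a connected CD/DVD device, which is the precondition for exploitation. With the `-Remediate` switch it detaches the media from those devices, which is the same effect as the workaround in [4]. It assumes the VMware.PowerCLI module is installed and that the account used can read host inventory and reconfigure virtual machines; the `$VCenter` parameter is a placeholder for your vCenter Server name.

```powershell
# Added example (not CERT-EU or VMware code): audit a vSphere environment for
# CVE-2021-22045 exposure and optionally disconnect CD/DVD media from running VMs.
# Assumes VMware.PowerCLI is installed; $VCenter is a placeholder for your vCenter.
param(
    [Parameter(Mandatory)] [string] $VCenter,
    [switch] $Remediate      # without this switch the script only reports
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

# Minimum fixed ESXi build per major.minor, taken from the advisory table.
# ESXi 7.x has no fixed build at publication time, so it is absent here and
# every 7.x host is reported as needing the workaround.
$FixedBuilds = @{
    '6.5' = 18678235
    '6.7' = 18828794
}

function Get-UnpatchedHosts {
    foreach ($h in Get-VMHost) {
        $majorMinor = ($h.Version -split '\.')[0..1] -join '.'
        $fixed = $FixedBuilds[$majorMinor]
        if ($null -eq $fixed -or [int]$h.Build -lt $fixed) {
            $label = 'pending'
            if ($fixed) { $label = $fixed }
            [pscustomobject]@{
                Host       = $h.Name
                Version    = $h.Version
                Build      = $h.Build
                FixedBuild = $label
            }
        }
    }
}

function Get-ExposedCdDrives {
    # A VM is exposed when a CD/DVD device is connected while the VM is running,
    # whether the media is an ISO, a host device or a client device.
    foreach ($vm in Get-VM | Where-Object { $_.PowerState -eq 'PoweredOn' }) {
        foreach ($cd in Get-CDDrive -VM $vm) {
            if ($cd.ConnectionState.Connected) {
                [pscustomobject]@{
                    VM         = $vm.Name
                    Device     = $cd.Name
                    IsoPath    = $cd.IsoPath
                    HostDevice = $cd.HostDevice
                }
            }
        }
    }
}

$unpatched = Get-UnpatchedHosts
$exposed   = Get-ExposedCdDrives

'ESXi hosts below the fixed build (or with fix pending):'
$unpatched | Format-Table -AutoSize
'Powered-on VMs with a connected CD/DVD device:'
$exposed | Format-Table -AutoSize

if ($Remediate) {
    foreach ($e in $exposed) {
        $drive = Get-CDDrive -VM (Get-VM -Name $e.VM) |
                 Where-Object { $_.Name -eq $e.Device }
        # Detach the media (same effect as the workaround in [4]); the device
        # can be reconnected after the host is patched.
        Set-CDDrive -CD $drive -NoMedia -Confirm:$false | Out-Null
        "Detached media from $($e.Device) on $($e.VM)"
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it without `-Remediate` first to review the two inventories; the host check is what tells you whether the workaround is still needed, since a VM on a host already at or above the fixed build does not require it.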

References

[1] https://www.vmware.com/security/advisories/VMSA-2022-0001.html

[2] https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202110001.html

[3] https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202111001.html

[4] https://kb.vmware.com/s/article/87249

[5] https://kb.vmware.com/s/article/87206
