zerodaytraining

Description
Official news channel of the Zero Day Engineering project
Business contact: @zerodayengineering
Website: https://zerodayengineering.com

8 months ago

⚡️0-Day Insights: VMware Critical Security Advisory for ESXi, Workstation, Fusion hypervisors

  1. VMware just released security patches for four critical vulnerabilities that affect their entire core hypervisor stack: CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255.

  2. The bugs were publicly exploited at the Tianfu Cup 2023 hacking contest, which is currently the Chinese (and really the only global) competitor to the Pwn2Own competitions.

  3. Three out of four bugs were found in the code of emulated USB controllers: XHCI & UHCI. The nature of the fourth bug (CVE-2024-22254) is unclear, and it affects ESXi hypervisor only.

  4. Regarding severity rating: they are just ordinary code execution bugs which allow (when chained together) a full VM escape. There is nothing special about these bugs. The only reason why Critical severity was assigned here is the publicly demonstrated exploit. In fact, dozens of bugs identical to these (though not necessarily in USB emulation) are being found and patched in hypervisors on a regular basis, with a humbler severity rating.

  5. Vulnerabilities in USB emulated devices are actually quite common, although hard to fuzz. Many Pwn competitions in the past showed hypervisor exploits based on bugs in USB emulated devices.

  6. All the different USB hardware technologies - OHCI, UHCI, eHCI, xHCI - are based on the same core system, while differing greatly in complexity. xHCI in particular is extremely complex. As hypervisors emulate hardware USB technologies, they implement the entire hardware specification abstraction in code. This is the reason why considerable numbers of security bugs were historically found in USB emulators.

  7. In terms of hypervisor hardening, USB emulation code is one of the first candidates for elimination as attack surface reduction.

  8. The most common classes of bugs in USB emulated devices are buffer overflows and use-after-free issues. Concrete examples: unchecked fields in USB data descriptors, dangling pointers due to poorly managed DMA mapping/unmapping operations, and a general lack of sanitization of guest-provided kernel device driver data.

  9. Exploitation of emulated devices in hypervisors typically requires elevated privileges inside the virtual machine, and the exploit would go through the guest OS kernel.

  10. The distribution of affected products here hints at the fraction of core hypervisor code which is shared in the vendor's code base.

Reference: VMware advisory, product versions and patching instructions: https://vmware.com/security/advisories/VMSA-2024-0006.html
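The two bug classes named in item 8 (a guest-controlled length field used unchecked, and a DMA buffer pointer left dangling after unmap) are easy to show side by side. The following is an added illustration, not VMware's code or anything from the advisory: a hypothetical emulated USB device walks a guest-supplied descriptor table (every standard USB descriptor starts with bLength and bDescriptorType), once in the unsafe form and once with every guest field validated before use, plus a map/unmap pair that clears its pointer so a stale transfer fails cleanly instead of touching freed memory. All names, sizes and the sample descriptor bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical emulated-USB-device code (constructed for illustration).
 * The guest writes a descriptor table into guest memory; the emulator
 * walks it and copies each descriptor into a fixed-size host buffer. */

#define HOST_DESC_MAX 64   /* host-side buffer per descriptor */
#define MAX_DESCS      8

/* Every standard USB descriptor begins with these two bytes. */
typedef struct {
    uint8_t bLength;
    uint8_t bDescriptorType;
} usb_desc_hdr_t;

typedef struct {
    uint8_t data[HOST_DESC_MAX];
    uint8_t len;
} host_desc_t;

/* Unsafe pattern: bLength comes straight from the guest and is used as the
 * copy length. bLength > HOST_DESC_MAX overflows out[n].data (heap/stack
 * overflow in the host process); bLength == 0 never advances the cursor;
 * bLength past the end of the table over-reads guest memory. Shown only
 * for contrast; nothing below calls it. */
size_t walk_descriptors_unsafe(const uint8_t *table, size_t table_len,
                               host_desc_t *out, size_t max_out)
{
    size_t off = 0, n = 0;
    while (off < table_len && n < max_out) {
        const usb_desc_hdr_t *h = (const usb_desc_hdr_t *)(table + off);
        memcpy(out[n].data, table + off, h->bLength);   /* unchecked length */
        out[n].len = h->bLength;
        off += h->bLength;
        n++;
    }
    return n;
}

/* Hardened walk: returns the number of descriptors copied, or -1 if the
 * table is malformed. The header is copied out of guest memory once and
 * checked from the private copy, so the guest cannot change bLength
 * between the check and the memcpy. */
int walk_descriptors_checked(const uint8_t *table, size_t table_len,
                             host_desc_t *out, size_t max_out)
{
    size_t off = 0, n = 0;
    while (off < table_len) {
        usb_desc_hdr_t h;
        if (table_len - off < sizeof h)
            return -1;                       /* truncated header */
        memcpy(&h, table + off, sizeof h);   /* single read of guest data */
        if (h.bLength < sizeof h)
            return -1;                       /* 0 or 1: cursor would never advance */
        if (h.bLength > table_len - off)
            return -1;                       /* runs past the table: over-read */
        if (h.bLength > HOST_DESC_MAX)
            return -1;                       /* larger than host buffer: overflow */
        if (n == max_out)
            return -1;                       /* more descriptors than we can hold */
        memcpy(out[n].data, table + off, h.bLength);
        out[n].len = h.bLength;
        off += h.bLength;
        n++;
    }
    return (int)n;
}

/* Second bug class: a DMA buffer pointer that survives unmap. */
typedef struct {
    uint8_t *dma_buf;   /* NULL whenever no mapping is live */
    size_t   dma_len;
} emu_dev_t;

void dev_dma_map(emu_dev_t *d, uint8_t *buf, size_t len)
{
    d->dma_buf = buf;
    d->dma_len = len;
}

void dev_dma_unmap(emu_dev_t *d)
{
    /* a real unmap would release the host mapping here; clearing the
     * pointer turns a later use-after-free into a clean failure */
    d->dma_buf = NULL;
    d->dma_len = 0;
}

/* Transfer that refuses to run without a live mapping or beyond its size.
 * Returns bytes copied, or -1. */
int dev_dma_read(const emu_dev_t *d, uint8_t *dst, size_t len)
{
    if (d->dma_buf == NULL || len > d->dma_len)
        return -1;
    memcpy(dst, d->dma_buf, len);
    return (int)len;
}

int main(void)
{
    /* constructed table: a 9-byte descriptor followed by a 4-byte one,
     * then a second table whose first bLength claims more bytes than exist */
    uint8_t good[] = {0x09, 0x02, 1, 2, 3, 4, 5, 6, 7, 0x04, 0x24, 0xaa, 0xbb};
    uint8_t overrun[] = {0x10, 0x02, 0x00, 0x00};
    host_desc_t out[MAX_DESCS];
    printf("good table: %d descriptors\n", walk_descriptors_checked(good, sizeof good, out, MAX_DESCS));
    printf("overrun table: %d\n", walk_descriptors_checked(overrun, sizeof overrun, out, MAX_DESCS));
    return 0;
}
```

The checks are ordered so that each guest-supplied value is validated against the remaining table size and the host buffer size before it influences a pointer or a copy length; the single copy of the header is what makes the check and the use agree even when the guest can write the table concurrently.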

10 months, 1 week ago

I couldn't resist and made an Xmas special offer on the Zero Day Vulnerability Research course.* Treat yourself to happy holidays, and a power-knowledge start of the new year! https://zerodayengineering.com/training/universal-vulnerability-research.html

  • Deal covers only the Basic package (no technical support) and is available until 3rd January 2024, 17:00 UTC
10 months, 1 week ago

⚡️0-Day Insights: Google Chrome WebRTC vulnerability (CVE-2023-7024)

  1. The bug resides in Chromium-specific WebRTC bindings rather than in the core WebRTC code.
    This means that the security vulnerability will only affect the Chrome browser and browsers based on the Chromium open source project (such as Microsoft Edge), and will not affect other software which uses the WebRTC library.

  2. The patch fixes wrong logic when processing incoming WebRTC audio stream parameters from the server/web page.

  3. The exploitable state is caused by a memory corruption (heap buffer overflow) in downstream code, which uses unchecked AudioParameters struct members.

  4. The bug may possibly be reached through an HTML page which uses the WebRTC/WebAudio JavaScript API.

  5. These Chromium-based software products have been patched:
    Browsers: Microsoft Edge, Brave, Opera; Electron framework

  6. These Chromium-based software products may still be vulnerable:
    Vivaldi browser, Samsung Internet, Avast browser, Yandex browser, Qihoo 360 browser, Meta Quest (Oculus) browser

  7. These WebRTC embedders are not vulnerable:
    Safari, Firefox, Chromium OS, Firefox OS

  8. The vulnerability is not ultra-hard to reproduce and exploit. If your software embeds the Chromium open source project, upgrade to a recent version or cherry-pick the patch as soon as possible.

  9. In order to exploit this vulnerability by re-creating the full chain exploit, the attacker will still need another bug to disclose memory contents, and yet another bug to escape browser/application sandbox. Note that in certain configurations either or both additional requirements may be irrelevant.

  10. Mitigation: software-specific.
    In Chrome browser WebRTC cannot be disabled in the settings, so consider updating the browser.

Technical analysis & 0-day research insights by
@alisaesage

Some additional details and relevant links: https://zerodayengineering.com/insights/chrome-webrtc-cve-2023-7024.html

10 months, 3 weeks ago

⚡️0-Day Insights - Deep Dive: Qualcomm MSM Linux Kernel & ARM Mali GPU 0-day Vulnerabilities https://zerodayengineering.com/insights/qualcomm-msm-arm-mali-0days.html (by @alisaesage)

11 months, 3 weeks ago

I'm taking the self-paced Zero Day Engineering course and it's one of the best investments I've ever made. I'm on Day 3 and I've already had several Insights and the certainty that I'm building a solid, long-term foundation. There's still the Binary Hacking part that I love most and I'm sure I'll also have several insights. I can imagine how valuable 1:1 mentoring would be if group training is already so good.

1 year ago

Meanwhile, I keep the feedback loop open:

  1. Former attendees: submit your suggestions, ideas, complaints via the Signal and Slack private contacts that you have.
  2. Everyone eyeing it: send me your feature requests, or any specific problems that you hope to solve with this course (email: [email protected])
1 year ago

Our popular course “Zero Day Vulnerability Research” is scheduled for a major upgrade in 2024 Q2 (v0.1->v1.0).

The new version will be a classic e-learning self-study format featuring a modular structure, clean pre-recorded lectures by @alisaesage, Q&A sessions from past live trainings, feedback-based improvements, and much more. The price will go up.

Purchasing the present self-paced package of the course, which is based on live/online training recordings of 2022, will give you the right to access the new version at no extra cost. Get it here:

http://zerodayengineering.com/training/universal-vulnerability-research.html

1 year, 3 months ago

New masterclass: JavaScript Engines Vulnerabilities https://zerodayengineering.com/training/masterclass/browser-security-nightly.html#jsevulns 19th August 2023, 13-17 UTC (4 hours)

Building on our previous masterclass, JavaScript Engines Internals (https://zerodayengineering.com/training/masterclass/browser-security-nightly.html#jsinternals), this time we'll look exclusively at JS engine vulnerabilities and what to do with them -- with @alisaesage

Details and booking: https://zerodayengineering.com/training/masterclass/browser-security-nightly.html#jsinternals
