National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

Η Εθνική Ομάδα Αντιμετώπισης Ηλεκτρονικών Επιθέσεων προβλέπει την αύξηση της ηλεκτρονικής ασφαλείας ενισχύοντας την προστασία του κυβερνοχώρου των Εθνικών Κρίσιμων Πληροφοριακών Υποδομών, των τραπεζών και των παροχών επικοινωνίας της Κυπριακής Δημοκρατίας.

ENGLISH
Γραμμή Βοηθείας: 1490
ENGLISH

VMware Issues Security Patches for High-Severity Flaws Affecting Multiple Products

17 Φεβρουαρίου 2022

VMware on Tuesday patched several high-severity vulnerabilities impacting ESXi, Workstation, Fusion, Cloud Foundation, and NSX Data Center for vSphere that could be exploited to execute arbitrary code and cause a denial-of-service (DoS) condition. 

The list of six flaws is as follows:

CVE-2021-22040 (CVSS score: 8.4) - Use-after-free vulnerability in XHCI USB controller
CVE-2021-22041 (CVSS score: 8.4) - Double-fetch vulnerability in UHCI USB controller
CVE-2021-22042 (CVSS score: 8.2) - ESXi settingsd unauthorized access vulnerability
CVE-2021-22043 (CVSS score: 8.2) - ESXi settingsd TOCTOU vulnerability
CVE-2021-22050 (CVSS score: 5.3) - ESXi slow HTTP POST denial-of-service vulnerability
CVE-2022-22945 (CVSS score: 8.8) - CLI shell injection vulnerability in the NSX Edge appliance component


Successful exploitation of the flaws could allow a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host. It could also allow the adversary with access to settingsd to escalate their privileges by writing arbitrary files.

Additionally, CVE-2021-22050 could be weaponized by an adversary with network access to ESXi to create a DoS condition by overwhelming rhttpproxy service with multiple requests. Last but not least, CVE-2022-22945 could permit an attacker with SSH access to an NSX-Edge appliance (NSX-V) to run arbitrary commands on the operating system as root user.

The information contained in this website is for general information purposes only. The information is gathered from TheHackernews, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

 

Cyber threats require heightened defences

Working towards a trusted and cyber secure Europe

Protect your cyber hygiene

Cyber Europe 2022 [exercise]