VMware ESXi 7 users vulnerable to hypervisor takeover bug

VMware issued a patch to address a potentially serious hypervisor takeover vulnerability, but the security update omitted one of the company's key enterprise products.

CVE-2021-22045 is a heap overflow vulnerability that allows an attacker running a virtual machine instance to escape from the VM and get access to the hypervisor that would include the ability to execute commands. Essentially, any running VM could take over control of the host machine.

According to a VMware advisory published on Jan. 4, the flaw is due to an error in the way VMs emulate CD and DVD-ROM drives and disc images. The bug is present across all of the vendor's main products, including VMware Workstation, Fusion and ESXi.

"VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.7," the company told users.

"A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine."

Researcher "Jaanus K\xc3\xa4\xc3\xa4p" of Clarified Security was credited with discovering and reporting the bug via Trend Micro's Zero Day Initiative.

For those running Workstation, Fusion and ESXi 6 installations, the vulnerability is easy enough to fix. Simply updating to the latest version (16.2.0 on Workstation, 12.2.0 on Fusion,
ESXi670-202111101-SG or ESXi650-202110101-SG) will remedy the flaw and make it safe to host virtualized optical drives on VMs.

There was, however, one notable omission from that list. The latest build of ESXi, version 7.0, has not yet addressed the vulnerability and is being listed as a "patch pending," with no estimated date given.

SearchSecurity reached out to VMware for more information as why the ESXi 7.0 update is still pending, but at the time of publication the company had yet to respond.

Having the hypervisor vulnerability exposed in ESXi is potentially serious because, unlike Workstations and Fusion, which run on a single PC or Mac and emulate only a small number of individual VMs, ESXi is an enterprise-grade platform intended to virtualize large-scale IT environments.

Should an attacker be able to exploit the flaw on the bare-metal hypervisor, the consequences could prove serious.

Fortunately, there is at least a short-term mitigation available for ESXi 7. VMware said admins can disable the virtual drives on all connected VMs as a short-term measure until the full patch is released.