===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6482
        VMware ESXi, Workstation, and Fusion updates address a heap
            out-of-bounds write vulnerability (CVE-2022-31705)
                             14 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware Workstation
                   VMware Fusion
                   VMware Cloud Foundation
Publisher:         VMware
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-31705  

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2022-0033.html

Comment: CVSS (Max):  9.3 CVE-2022-31705 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: VMware
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

Advisory ID: VMSA-2022-0033
CVSSv3 Range: 5.9-9.3
Issue Date: 2022-12-13
Updated On: 2022-12-13 (Initial Advisory)
CVE(s): CVE-2022-31705
Synopsis: VMware ESXi, Workstation, and Fusion updates address a heap
out-of-bounds write vulnerability (CVE-2022-31705)

1. Impacted Products

  o VMware ESXi
  o VMware Workstation Pro / Player (Workstation)
  o VMware Fusion Pro / Fusion (Fusion)
  o VMware Cloud Foundation

2. Introduction

A heap out-of-bounds write vulnerability in VMware ESXi, Workstation, and
Fusion was privately reported to VMware. Updates and workarounds are available
to remediate this vulnerability in affected VMware products.  

3. Heap out-of-bounds write vulnerability in EHCI controller (CVE-2022-31705)

Description

VMware ESXi, Workstation, and Fusion contain a heap out-of-bounds write
vulnerability in the USB 2.0 controller (EHCI). VMware has evaluated the
severity of this issue to be in the Critical severity range with a maximum
CVSSv3 base score of 9.3.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine may
exploit this issue to execute code as the virtual machine's VMX process running
on the host. On ESXi, the exploitation is contained within the VMX sandbox
whereas, on Workstation and Fusion, this may lead to code execution on the
machine where Workstation or Fusion is installed.

Resolution

To remediate CVE-2022-31705 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2022-31705 have been listed in the 'Workarounds' column of
the 'Response Matrix' below.

Additional Documentation

None.

Acknowledgements

VMware would like to thank the organizers of GeekPwn 2022 and Yuhao Jiang for
reporting this issue to us.

Notes

None.


Response Matrix:

Product      Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version        Workarounds  Additional Documentation
ESXi         8.0      Any         CVE-2022-31705  5.9     moderate  ESXi80a-20842819     KB87617      None
ESXi         7.0      Any         CVE-2022-31705  5.9     moderate  ESXi70U3si-20841705  KB87617      None
Fusion       13.x     OS X        CVE-2022-31705  N/A     N/A       Unaffected           N/A          N/A
Fusion       12.x     OS X        CVE-2022-31705  9.3     critical  12.2.5               KB79712      None
Workstation  17.x     Any         CVE-2022-31705  N/A     N/A       Unaffected           N/A          N/A
Workstation  16.x     Any         CVE-2022-31705  9.3     critical  16.2.5               KB79712      None

Impacted Product Suites that Deploy Response Matrix Components:

Product                  Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (ESXi)  4.x/3.x  Any         CVE-2022-31705  5.9     moderate  KB90336        KB87617      None

4. References

VMware ESXi 8.0 ESXi80a-20842819
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80a-release-notes/index.html

VMware ESXi 7.0 ESXi70U3si-20841705
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3i-release-notes.html

VMware Workstation 16.2.5
https://customerconnect.vmware.com/en/downloads/info/slug/desktop_end_user_computing/vmware_workstation_pro/16_0
https://docs.vmware.com/en/VMware-Workstation-Pro/16.2.5/rn/vmware-workstation-1625-pro-release-notes/index.html

VMware Fusion 12.2.5
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/info/slug/desktop_end_user_computing/vmware_fusion/12_0
https://docs.vmware.com/en/VMware-Fusion/12.2.5/rn/vmware-fusion-1225release-notes/index.html

KBs:
https://kb.vmware.com/s/article/87617
https://kb.vmware.com/s/article/79712
https://kb.vmware.com/s/article/90336

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31705

FIRST CVSSv3 Calculator:
CVE-2022-31705
ESXi: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Workstation/Fusion: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

5. Change Log

2022-12-13 VMSA-2022-0033
Initial security advisory.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================