Two vulnerabilities in VMware ESXi may lead to virtual Domain Controller compromise (Critical, VMSA-2020-0026, CVE-2020-4004, CVE-2020-4005)

Critical updates

Today, VMware released an update that addresses a use-after-free vulnerability in the XHCI USB controller (CVE-2020-4004) and a VMX elevation-of-privilege vulnerability CVE-2020-4005). Together these two vulnerabilities can be used to compromise virtual Domain Controllers running on ESXi.

Note:
The vulnerabilities exist in VMware Cloud Foundation, too.

The two vulnerabilities were responsibly disclosed to VMware by Xiao Wei and Tianwen Tang (VictorV) of Qihoo 360 Vulcan Team working with the 2020 Tianfu Cup PWN Contest. The Qihoo 360 Vulcan Team also responsibly disclosed the vulnerabilities that were fixed after the 2019 edition of the Tianfu Cup PWN Contest, as part of VMSA-2019-0022.

 

About the vulnerabilities

vulnerability in XHCI USB controller (CVE-2020-4004)

The first vulnerability is a a use-after-free vulnerability in the XHCI USB controller.

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

The severity of this issue is in the Critical severity range with a maximum CVSSv3 base score of 9.3.

A workaround for this vulnerability is to remove the XHCI (USB 3.x) controller.

 

VMX vulnerability (CVE-2020-4005)

The second vulnerability is VMX elevation-of-privilege vulnerability. this vulnerability exists in the way certain system calls are being managed.

A malicious actor with privileges within the VMX process only, may escalate their privileges on the affected system.

Successful exploitation of this issue is only possible when chained with another vulnerability, like for instance CVE-2020-4004.

The severity of this issue is in the Critical severity range with a maximum CVSSv3 base score of 8.8

For this vulnerability, no workaround is available.

 

The link to virtual Domain Controllers

Many Active Directory Domain Controllers run as virtual machines on top of ESXi. More often than not, these ESXi hosts run other virtual machines, on which host security measures may be less strict.

On these machines, an attacker who has local administrator rights, can execute malicious code that runs as the VMX process on the ESXi host. Through specific code, the attacker may elevate their privileges and manage the ESXi host. Further actions may compromise the integrity of Active Directory running on virtual Domain Controllers that run on the same ESXi host. This may affect the Active Directory database and Group Policy settings, including replicating these changes as authorized changes to all other Domain Controllers, including physical ones.

When Active Directory’s integrity is gone, it’s Game Over for 9/10 organizations. Please update.

 

About the fix

VMware addressed the vulnerabilities in the following versions:

For ESXi 7.0, versions ESXi70U1b-17168206 and up is no longer vulnerable.
For ESXi 6.7, version ESXi670-202011101-SG addresses the vulnerability.
For ESXi 6.5, version ESXi650-202011301-SG addresses the vulnerability.

 

Concluding

Please install the updates for the version(s) of ESXi in use within your organization, as mentioned above and in the advisory for VMSA-2020-0026.

Alternatively, remove the XHCI (USB 3.x) controller from at least the virtual machines that run on ESXi hosts that run virtual Domain Controller and from all virtual machines that may run on these ESXi host through DRS., if the virtual USB controller hardware is not in use.

Further reading

VMware updated the patch for CVE-2020-3992 to completely address the Remote Code Execution Vulnerability (Critical, CVSSv3 9.8)
VMware Security Advisory VMSA-2020-0026

One Response to Two vulnerabilities in VMware ESXi may lead to virtual Domain Controller compromise (Critical, VMSA-2020-0026, CVE-2020-4004, CVE-2020-4005)

  1.  

    It is a serious bug that can impact thousands of users.

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.