Yesterday, VMware released updates that addresses four vulnerabilities (CVE-2022-31696, CVE-2022-31697, CVE-2022-31698 and CVE-2022-31699). These vulnerabilities can be used to compromise virtual Domain Controllers running on ESXi.
The vulnerabilities exist in VMware Cloud Foundation, too.
About the vulnerabilities
VMware addressed these four vulnerabilities:
VMware ESXi memory corruption vulnerability (CVE-2022-31696)
The first vulnerability is a memory corruption vulnerability in the way ESXi handles a network socket. An adversary with local access to ESXi may exploit this issue to corrupt memory leading to an escape of the ESXi sandbox.
This vulnerability was responsibly disclosed by Reno Robert of Trend Micro Zero Day Initiative (ZDI). VMware rates this vulnerability with a Common Vulnerability Scoring System (CVSS) v3 score of 7.5.
VMware vCenter Server information disclosure vulnerability (CVE-2022-31697)
The second vulnerability is an information disclosure vulnerability in the way vCenter Server logs. Some logging contains credentials in clear text.
This vulnerability was responsibly disclosed by Zachary Kern-Wies. VMware rates this vulnerability with a Common Vulnerability Scoring System (CVSS) v3 score of 6.2.
VMware vCenter Server content library denial of service vulnerability (CVE-2022-31698)
The third vulnerability is a Denial of Service (DoS) vulnerability in the vCenter Server’s content library service. An adversary with network access to TCP 443 on the vCenter Server may exploit this issue to trigger a denial-of-service condition by sending a specially crafted header.
This vulnerability was responsibly disclosed by Marcin 'Icewall' Noga of Cisco Talos. VMware rates this vulnerability with a Common Vulnerability Scoring System (CVSS) v3 score of 5.8.
VMware ESXi OpenSLP heap overflow vulnerability (CVE-2022-31699)
The fourth vulnerability is an heap overflow vulnerability in ESXi. An adversary with restricted privileges within a sandbox process may exploit this issue to achieve a partial information disclosure.
This vulnerability was responsibly disclosed by 01dwang & bibi from Bugab00 team. VMware rates this vulnerability with a Common Vulnerability Scoring System (CVSS) v3 score of 4.2.
A workaround for this vulnerability is to disable the SFCB service.
The link to virtual Domain Controllers
Many Active Directory Domain Controllers run as virtual machines on top of VMware ESXi. The virtualization platform is often managed using vCenter Server
Through specific code or network packages, an attacker may elevate their privileges and manage the ESXi host or make the ESXi host unavailable. This may affect the Active Directory database and Group Policy settings, including replicating these changes as authorized changes to all other Domain Controllers, including physical ones.
When Active Directory’s integrity is gone, it’s Game Over for 9/10 organizations. Please update.
About the fix
VMware addressed the vulnerabilities in the following versions:
- For ESXi 7.0, version ESXi70U3si-20841705 and up is no longer vulnerable.
- For ESXi 6.7, version ESXi670-202210101-SG addresses the vulnerability.
- For ESXi 6.5, version ESXi650-202210101-SG addresses the vulnerability.
ESXi 8.0 is not affected with these vulnerabilities.
- For vCenter Server 7.0, version 7.0 U3i and up is no longer vulnerable.
- For vCenter Server 6.7, version 6.7.0 U3s and up, is no longer vulnerable.
- For vCenter Server 6.5, version 6.5 U3u and up, is no longer vulnerable.
vCenter Server 8.0 is not affected with these vulnerabilities.
Please install the updates for the version(s) of ESXi in use within your organization, as mentioned above and in the advisory for VMSA-2022-0030.
Alternatively, disable the SFCB service and the SLP service on ESXi hosts that run virtual Domain Controllers to avoid compromise through CVE-2022-31699.