VMware reveals critical hypervisor bugs found at Chinese white hat hacking comp. One lets guests run code on hosts

VMware has revealed and repaired the flaws in its hypervisor discovered at China’s Tianfu Cup white hat hacking competition. CVE-2020-4004, rated critical due to its 9.3 on the CVSS scale, is described as a “Use-after-free vulnerability in XHCI USB controller”. It allows a malicious actor with local administrative privileges …

  1. amanfromMars 1

    As I'm sure you know and always quickly discover far too late to recover from whenever uncovered*

    Repairing revealing flaws with patches does not stop all nor certain curious bugs further embedding deeper still throughout kernel systems ...... which is probably why VMware was/is wise not to claim the bug is removed and removable from hypervisor systems administrations nor is it not leaving behind in deeper embeds further unauthorised actor activity for expanding future emergent kernel processor instruction set deliveries.

    Would one then still call that out as a bug for systems to apply useless patches against, or would it be realised and classified as fundamentally something else radically different entirely ....... and against which there is no possible defence ..... in these present times and current spaces ‽ .

    * Well, do/did you know? What did/do you do about it? What routes do/did you take/make? Ignore/Ignored it and hope/hoped it goes away to somewhere else? You know, Ye Olde Worlde Bury Your Heads in the Sand or Up into the Dark Where the Sun doesn't Shine Root. How is that working out for y'all?

  2. Rainer

    There's a quote from Theo de Raadt...

    It's almost timeless, because he wrote it over 13 years ago:

    https://marc.info/?l=openbsd-misc&m=119318909016582

  3. Mike 137

    Virtually virtual machines

    de Raadt was dead right not only then, as x86 is just an example. The problem has got worse since he commented. Increasing complexity leads to increasing insecurity even if the programmers are the best, and complexity is still growing more than linearly. And sadly, as development becomes ever more abstracted, the quality of the programmer becomes less important as the link between what's keyed in and what actually executes becomes ever more tenuous and obscure.

  4. TeeCee

    Hang on...

    So the second exploit described gives privilege elevation, but requires the first to be exploited to use it.

    The first exploit requires that you already have admin privilege to use it.

    Just what is the second elevating you to? God?

    1. amanfromMars 1

      Re: Hang on...

      Just what is the second elevating you to? God? ..... TeeCee

      Yes. You can be sure some would so equate it, TeeCee, whilst others who could, wouldn't, and be very contented with just proving the point to all interested and who would matter and be able to further assist in what has been discovered and uncovered/invented and activated.

    2. DJohnson

      Re: Hang on...

      I expect the CVE-2020-4005 issue allows someone to bypass some of the restrictions that may be imposed on a single VMX world. Perhaps without this the attacker would be more limited in the scope of access to the datastore?

      Either way, got to run, I have systems to patch!

    3. storner

      Re: Hang on...

      First exploit requires that you are admin on a CLIENT machine running off the VMware host. It gives you control of the VMware host, so it is a break-out from the virtual machine to the host.

      Second exploit raises your privileges on the host machine to admin.

  5. Nate Amsden

    Most probably aren't affected

    It seems according to the advisory a workaround is to remove the USB 3.x controller. As far as I know this is not added by default, none of the ~850 Windows and Linux VMs I manage have it. I had to go and add a USB controller to see the option even appear. Have never needed USB 3 otherwise.

    Even my vmware workstation at home which I use every day is using USB 1.1 controller.

    Score one for good defaults I suppose.

    (vmware customer since 1999)

    1. TaabuTheCat

      Re: Most probably aren't affected

      How did you get so lucky? All of my VMs (built about a year ago) in a 6.7 environment have it installed by default. You really don't see the USB xHCI Controller installed when you look at "Other" hardware in the UI for any of your VMs?

      Update: Just created a new Windows VM and the USB 3 controller is enabled by default.
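The two posts above disagree about whether the USB 3.x (xHCI) controller, which the advisory's workaround says to remove, is present by default. The quickest way to settle that for a fleet is to inventory the VM configuration files rather than clicking through the UI. The script below is an added example, not code from The Register or VMware; it parses constructed `.vmx` fragments and flags every VM that has an xHCI controller. The key names it looks for (`usb.present`, `ehci.present`, `usb_xhci.present`) are my assumption about how VMware records USB controllers in a `.vmx` file, so check them against a VM you know has the controller before relying on the output. In a vSphere environment the same check is more naturally done over the vCenter API (for example with PowerCLI), but the logic is identical.

```python
import re
from typing import Dict, List

# Constructed sample .vmx fragments for four hypothetical VMs (not real VMs).
# Assumed key names (verify against your own .vmx files):
#   usb.present      -> USB 1.1 controller
#   ehci.present     -> USB 2.0 controller
#   usb_xhci.present -> USB 3.x (xHCI) controller, the one the advisory's
#                       workaround says to remove
SAMPLE_VMX: Dict[str, str] = {
    "web01.vmx": '''
.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
usb.present = "TRUE"
''',
    "build02.vmx": '''
displayName = "build02"
usb.present = "TRUE"
usb_xhci.present = "TRUE"
usb_xhci.pciSlotNumber = "192"
''',
    "db03.vmx": '''
displayName = "db03"
# no USB controller of any kind
''',
    "dongle04.vmx": '''
displayName = "dongle04"
usb_xhci.present = "true"
''',
}

# A .vmx line is   key = "value"   ; anything else (blank, comment) is ignored.
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict; keys are lower-cased so that
    lookups do not depend on the casing VMware happened to write."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def is_true(cfg: Dict[str, str], key: str) -> bool:
    """VMware writes booleans as "TRUE"/"FALSE" but tooling is not always
    consistent about case, so compare case-insensitively."""
    return cfg.get(key, "FALSE").strip().lower() == "true"


def usb_controllers(cfg: Dict[str, str]) -> Dict[str, bool]:
    """Report which USB controller generations a parsed .vmx enables."""
    return {
        "usb1": is_true(cfg, "usb.present"),
        "usb2": is_true(cfg, "ehci.present"),
        "usb3_xhci": is_true(cfg, "usb_xhci.present"),
    }


def find_xhci_vms(vmx_by_name: Dict[str, str]) -> List[str]:
    """Return the names of all VMs whose .vmx enables the xHCI controller."""
    return sorted(
        name
        for name, text in vmx_by_name.items()
        if usb_controllers(parse_vmx(text))["usb3_xhci"]
    )


if __name__ == "__main__":
    for name, text in SAMPLE_VMX.items():
        print(name, usb_controllers(parse_vmx(text)))
    print("VMs with an xHCI controller:", find_xhci_vms(SAMPLE_VMX))
```

On the constructed input, `web01` has only a USB 1.1 controller and `db03` has none, so neither is listed; `build02` and `dongle04` both enable xHCI and are the ones to review, either to remove the controller per the workaround or to prioritise for patching where a USB licensing dongle makes removal impractical.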

  6. Anonymous Coward

    Who installs USB drivers on a VM?

    Of course you would do now if you wanted the ESX host....

    1. TaabuTheCat

      Re: Who installs USB drivers on a VM?

      Uh, those of us unfortunate enough to have software that uses USB licensing dongles?
