back to article VMware urges emergency action to blunt hypervisor flaws

Hypervisors are supposed to provide an inviolable isolation layer between virtual machines and hardware. But hypervisor heavyweight VMware by Broadcom yesterday revealed its hypervisors are not quite so inviolable as it might like. In a security advisory the Broadcom business unit warned of four flaws. The nastiest two – CVE- …

  1. Mishak Silver badge

    Remove USB devices

    Great, but what about those of use that need to use USB passthrough*? Is there going to be a "real" fix rolled out at some point?

    * For example, I run some PC only software that uses USB hardware interfaces (CAN and the like) in a VM on Fusion.

    1. Yorick Hunt Silver badge

      Re: Remove USB devices

      Does anyone other than you have access to the VM? If not, you've nothing to worry about.

      1. Ace2 Silver badge

        Re: Remove USB devices

        Well, in my case the VM is running Windows, so…

    2. phils

      Re: Remove USB devices

      The real fix is to install the patches, the workaround is for those who can't update for some reason.

      1. Mishak Silver badge

        Re: Remove USB devices

        I've not been "offered" any updates for my Fusion V12.

        1. Anonymous Coward
          Anonymous Coward

          Re: Remove USB devices

          12.x went out of support on 31/3/23 according to their lifecycle matrix:

          More just for general knowledge incase anyone else stumbles across this post looking for a fix not realising the version is EoL.

  2. Jim Willsher

    Updated my two ESXi hosts this morning. They are standalone, so I normally do esxcli software profile update etc. However this resulted in MemoryError.

    Found a blog by the legendary William Lam:

    Solution is to download the offlne bundle and store in repo, then update from there

    esxcli software profile update -p ESXi-8.0U2b-23305546-standard -d /vmfs/volumes/NUC3Primary/ISO/

    Posting ths just in case this helps anyone else.

    1. Anonymous Coward
      Anonymous Coward

      Thanks for the heads up

      Seems like Broadcom is happily continuing the recent tradition of failing to QC the updater and patches, then telling it's users to suck it up and use the command line to apply all updates if they want them to actually work.

      This reminds me of the years that the GUI based update would fail to check if the account that ran the patch was locked due an expired password and would crash out gracelessly part way through and install that it never should have started. Also as a bonus they quietly set expiration to 90 days without prompting the admin in one of the updates, and you would have to command line in to fix it because the GUI literally wouldn't let you set a new password once it expired.

      Here's to greener pastures under HyperV or one of the 'NIX hypervisors.

  3. Tom Chiverton 1

    Nice on-prem virtualization you 'ave there.

    Be a shame if anything were to happen to it.

    Did we mention our Cloud?

    1. 43300 Silver badge

      Their problem is that if they push organisations towards cloudy offerings, in most cases that's going to mean somebody else's cloudy offerings!

    2. DougMac

      No more cloud..

      > Did we mention our Cloud?

      VMware/Broadcom dropped all vSphere+ offerings as part of their "simplification", so they don't run their own cloud any longer.

  4. Nate Amsden

    not too bad

    I can think of only a couple of times in the past 15 years my ESXi systems needed a VM with a USB controller. And for workstation, I do use USB passthrough (on one VM) on that but not really concerned, if there is undetected malicious code there I have bigger things to worry about than VM escaping. I don't know why by default VMware assigns a USB controller to new windows systems in ESXi, I always remove it, never needed it.

    Also on my linux systems I disable the framebuffer( to prevent any repeat exploits of that happening. On windows it's less useful without a framebuffer(assuming it's possible to have a functioning system at all with it disabled, not sure) so I leave it on of course but they make up a tiny fraction of the overall VMs in my environment.

    That said, haven't had any known/detected malicious code on my systems since the [STONED] virus in the early 90s (excluding some seemingly harmless bad things. detected by virus scanners on game key generators and stuff in the late 90s).

  5. ecarlseen

    Installing unnecessary virtual hardware by default has always been a problem.

    As that weird person who actually goes through unchecking every unneeded option on installs I got to snicker when guest-host escapes were occurring due to virtual floppy drives that virtually nobody used but were installed by default. I'll be doing the same thing here.

  6. Michael Hoffmann Silver badge

    I'm screwed

    My ESXi whitebox is locked to 6.7U1, last one to support my old hardware.

    That said, it's not routed to the Internet, but the VMnet is of course...

    That thing was supposed to run until the heat death of the universe. Or mine. Whichever comes first.

  7. Anonymous Coward
    Anonymous Coward

    Ethnicity required?

    Posting Anonymously, because my asbestos coat has been taken from me...

    I'm curious why it was felt necessary to mention the ethnicity of the team that located this issue, Surely computers don't care where you are from?

    Could this be the Americanization of the systematic distrust, or dislike of anything Chinese?

    1. diodesign (Written by Reg staff) Silver badge

      Re: Ethnicity required?

      It's just a data point, there's no ill-will from us at least. It is what it is.


POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like