VMWare has provided updates to Workstation, Fusion and ESXi products to address a “critical” vulnerability that could be exploited by a threat actor to take control of affected systems.
The problem relates to a heap overflow vulnerability – tracked as CVE-2021-22045 (CVSS score: 7.7) – which, if successfully exploited, leads to the execution of arbitrary code. The company credits Jaanus Kääp, a security researcher with Clarified Security, for reporting the bug.
“A malicious actor with access to a virtual machine with CD-ROM device emulation could exploit this vulnerability, in conjunction with other issues, to execute code on the hypervisor from a virtual machine,” VMware said in an advisory published Jan. 4.
The bug affects ESXi versions 6.5, 6.7 and 7.0; Workstation versions 16.x; and Fusion versions 12.x, although the company has released a patch for ESXi 7.0. In the meantime, the company recommends that users disable all CD-ROM / DVD devices …