VMware ESXi vulnerability in XHCI USB Controller

VMware releases critical update to patch against vulnerabilities discovered at hacking competition.

Vendor: VMware

Product: ESXi 6.5, 6.7, 7.0

Component: XHCI USB Controller

Date: 19th November 2020

Target: Clients running ESXi hypervisor 6.5, 6.7, 7.0.

What's new

The Tianfu Cup 2020 International Cybersecurity Contest, held at the start of November this year, is a hacking contest in which teams compete to successfully hack a selection of software and hardware products from mainstream manufacturers. Some of the rewards for successful hacks can be up to $300000. The contest is in a similar vein to the Pwn2Own contest held in North America.

One such hack in this year's contest targeted VMware's ESXi hypervisor, with a prize of $180000 for obtaining root permission on the hypervisor OS. A team did accomplish this feat and provided VMware with the details of how they achieved the exploit.

VMware turned around a patch in 11 days for ESXi versions 6.5, 6.7 and 7.0. The vulnerability was rated 9.3 on the CVSS scale and assigned CVE-2020-4004.

The vulnerability is described as "Use-after-free vulnerability in XHCI USB controller". It would allow an attacker on a virtual machine with local administrator rights to execute code as the VMX process of that virtual machine. The VMX process runs on the VMkernel and has access to I/O devices, so it could potentially reach data stored on the host or on external storage. This could be used as one stage of a ransomware attack.

One potential example of this is the ransomware attack on Brazilian courts in early November. The attack report suggests that the VMs were encrypted and then deleted at the datastore level, something that had not been seen before.

A workaround to protect against this vulnerability was to disable the XHCI USB controllers in use on the VMs. The fix has since been released by VMware as a critical patch.
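Before arranging the patch window it helps to know which VMs actually carry an xHCI (USB 3.x) controller and which host builds are in play. The PowerCLI script below is an added example written for this page; it is not code from Datcom or from VMware. It assumes VMware PowerCLI is installed, that the account used can read VM configuration (and reconfigure VMs if `-Remove` is given), and that removing the controller is only attempted on powered-off VMs. The `$Server` and `-Remove` parameters are names chosen for this example.

```powershell
# Added example (not from the advisory or from VMware): inventory VMs that still
# have an xHCI USB controller attached and, optionally, remove it as the
# CVE-2020-4004 workaround. Assumes PowerCLI is installed; $Server and -Remove
# are parameter names chosen for this example.
param(
    [Parameter(Mandatory)] [string] $Server,   # vCenter or ESXi host to connect to
    [switch] $Remove                            # removal only when explicitly requested
)

Connect-VIServer -Server $Server | Out-Null

# Host versions and builds: compare these against the fixed builds listed in
# VMware's advisory for CVE-2020-4004 (the build numbers are not reproduced here).
Get-VMHost | Select-Object Name, Version, Build | Format-Table -AutoSize

# Walk each VM's virtual hardware and record every xHCI controller found.
$findings = foreach ($vm in Get-VM) {
    foreach ($dev in $vm.ExtensionData.Config.Hardware.Device) {
        if ($dev.GetType().Name -eq 'VirtualUSBXHCIController') {
            [pscustomobject]@{
                VM         = $vm.Name
                PowerState = $vm.PowerState
                DeviceKey  = $dev.Key
                Label      = $dev.DeviceInfo.Label
            }
        }
    }
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Assumption: the controller is only detached from powered-off VMs; a
        # running VM is reported and skipped so it can be handled in the downtime.
        if ($f.PowerState -ne 'PoweredOff') {
            Write-Warning "$($f.VM) is $($f.PowerState); skipping removal"
            continue
        }
        $vm  = Get-VM -Name $f.VM
        $dev = $vm.ExtensionData.Config.Hardware.Device |
               Where-Object { $_.Key -eq $f.DeviceKey }

        # Build a reconfigure spec that removes just that device.
        $change = New-Object VMware.Vim.VirtualDeviceConfigSpec
        $change.Operation = [VMware.Vim.VirtualDeviceConfigSpecOperation]::remove
        $change.Device = $dev
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.DeviceChange = @($change)

        # ReconfigVM_Task returns a task reference; Get-Task can be used to watch it.
        $vm.ExtensionData.ReconfigVM_Task($spec) | Out-Null
        Write-Host "Requested removal of '$($f.Label)' from $($f.VM)"
    }
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it without `-Remove` first to get the inventory; the list of VMs and host builds is what you need when scheduling the downtime for the patch, and the workaround only matters for VMs that still show a controller after the hosts are updated.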

How does this affect me?

  • If your systems are vulnerable, they could be susceptible to a ransomware or similar attack aimed at obtaining or destroying your business data.
  • Where your systems are required to be Cyber Essentials or PCI DSS compliant this patch must be installed within 14 or 30 days respectively.

What do I need to do?

  • Arrange downtime to install this patch.
  • Datcom clients will have already been contacted regarding this.
