How To Fix CVE-2021-22045- Heap Overflow Vulnerability In VMWare Products?

Jaanus Kääp, a security researcher from Clarified Security, reported a Heap Overflow vulnerability in multiple VMWare products. According to the researcher, the CVE-2021-22045 vulnerability could allow an attacker to execute arbitrary code on Hypervisor from a virtual machine. Since the flaw has gained a score of 7.7, which is rated High in CVSS 3.1, it is important to fix the issue on all the affected VMWare products. In this post, let’s see how to fix CVE-2021-22045- Heap Overflow Vulnerability in VMWare Products.

What Is VMWare?

VMWare is now a subsidiary company of Dell Technologies. It is the first company to develop a virtualization platform, which is the core tech behind today’s cloud technologies. It has released a variety of products for desktops, servers, networks, and security, which helped develop virtual and cloud infrastructure.

Summary Of CVE-2021-22045- Heap Overflow Vulnerability In VMWare Products:

This is a Heap Overflow vulnerability that exists within the SCSI component of the CD-ROM device emulator in multiple VMWare products. An attacker should have access to execute low-privileged code on the target guest machine to exploit this vulnerability. So, the exploitation could only be possible for a local attacker. The flaw is due to improper validation of the length of user-supplied data before copying it to a fixed-length heap-based buffer.

Successful exploitation of the vulnerability will let an attacker to escalate privileges and execute arbitrary code on Hypervisor from a virtual machine.

VMware Products Affected With CVE-2021-22045- Heap Overflow Vulnerability:

The flaw affects VMware ESXi, VMware Workstation Pro / Player, VMware Fusion, and VMware Cloud Foundation.

VMware has responded to the flaw with Response Matrix.

How To Fix CVE-2021-22045- Heap Overflow Vulnerability In VMWare Products?

VMWare has released patches to mitigate the vulnerability and published a workaround for the users who can’t apply the patches immediately on the affected VMWare products, the Vendor has recommended disabling all CD/DVD devices on the VMs.

Fix CVE-2021-22045 In VMWare

The best way to fix CVE-2021-22045 is to upgrade the product to the latest release. For ESXi v6.5 & v6.7 users VMWare has released patch. However, users of ESXi v7.x is need to wait for to have the fix.

Workaround For CVE-2021-22045:

Disable All CD-ROM/DVD From The vSphere:

Disable all CD-ROM/DVD from Powercli:Powercli can be used to list the virtual machines connected to CD-ROM/DVD and remove the CD-ROM/DVD devices from the VMs.

Command to list all VMs with a connected CD-ROM/DVD device: 

Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Select Parent

Command to remove and disconnect an attached CD-ROM/DVD device:

Get-VM | Get-CDDrive | Where {$_.extensiondata.connectable.connected -eq $true} | Set-CDDrive -NoMedia -confirm:$false

Remove Unnecessary Hardware Devices From VMware Workstation:

Select VM > Settings, click the Hardware tab, select the device, and click Remove.

Devices Considered To Remove From Workstation VMs:

Remove Unnecessary Hardware Devices From VMware Fusion:

Devices Considered To Remove From VM Fusion VMs:

This is how you can fix the heap overflow vulnerability on VMWare products. We hope this post would help you know How to Fix CVE-2021-22045- Heap Overflow Vulnerability in VMWare Products. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this. 

You may also like these articles: