VMware ESXi appears to be increasingly secure, as indicated by fewer CVEs and zero successful attempts at Pwn2Own. However, on March 4 this year, VMware disclosed three critical vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) that enable ESXi virtual machine escape and have been confirmed to be exploited in the wild. This brings attention back to VMware ESXi, raising questions about the security of this influential commercial virtualization platform and the cost of breaking it.

Our team successfully demonstrated a VMware ESXi VM escape at the Tianfu Cup in late 2023, winning both the championship and the Most Valuable Product Crack Award. This was the only publicly demonstrated VMware ESXi VM escape since 2021. In this presentation, we will disclose the vulnerabilities (CVE-2024-22252, CVE-2024-22254) we discovered and demonstrated at the Tianfu Cup. More importantly, we found that the root cause of one vulnerability (CVE-2024-22252) is darker than imagined: it stemmed from a previously failed patch, leaving the flaw present in all VMware hypervisor products (Workstation, Fusion, ESXi) for two years. We will reveal its connection to historical vulnerabilities, how VMware attempted to fix it, and how it continued to exist undetected for two years until we discovered and reported it.

We will also share our exploitation methodology for ESXi VM escape, which will be the only ESXi VM escape exploitation disclosure since 2021. We leveraged the URB we shared in "URB Excalibur: The New VMware All-Platform VM Escapes," along with some new primitives. A full ESXi VM escape also requires a sandbox bypass attack on the ESXi system. We will analyze the relevant attack surfaces in detail and how privilege escalation is achieved through kernel vulnerabilities. Finally, we will analyze the three vulnerabilities exploited in the wild that VMware disclosed in March, and evaluate whether they have been properly fixed this time.
By: Yuhao Jiang (Security Researcher, Ant Group); Xinlei Ying (Security Researcher, Ant Group); Ziming Zhang (Security Researcher, Ant Group)

Full Presentation Materials Available at: https://ift.tt/guKQrz5
source https://www.youtube.com/watch?v=MhQmaK8Zsfw