VMware ESXi vulnerability in XHCI USB Controller

VMware releases critical update to patch against vulnerabilities discovered at hacking competition.

Vendor: VMware

Product: ESXi 6.5, 6.7, 7.0

Component: XHCI USB Controller

Date: 19th November 2020

Target: Clients running ESXi hypervisor 6.5, 6.7, 7.0.

What's new

The Tianfu Cup 2020 International Cybersecurity Contest, held at the start of November this year, is a hacking contest in which teams compete to successfully hack a selection of software and hardware products from mainstream manufacturers. Some of the rewards for successful hacks can be up to $300000. This contest is in a similar vein to the Pwn2Own contest held in North America.

One such hack in this year's contest targeted VMware's ESXi Hypervisor, with a prize of $180000 for obtaining root permission on the hypervisor OS. A team did accomplish this feat and provided VMware with the details of how they carried out the exploit.

VMware turned around a patch in 11 days for ESXi versions 6.5, 6.7 and 7.0. The vulnerability was rated 9.3 on the CVSS scale and labelled CVE-2020-4004.

The vulnerability is described as a "Use-after-free vulnerability in XHCI USB controller". It allows an attacker with local administrator rights on a virtual machine to execute code as the VMX process of that virtual machine. The VMX process runs in the VMKernel and has access to I/O devices, so it could potentially reach data stored on the host or on external storage. This could be used as part of a ransomware attack.

One potential example of this is the ransomware attack on Brazilian courts in early November. The attack report suggests that the VMs were encrypted and then deleted at the datastore level, which had not been seen before.

A workaround to protect against this vulnerability was to disable the XHCI USB controllers in use on the VMs. The fix has now been released by VMware as a critical patch.
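As an added example (not code from the advisory or from VMware), the following PowerCLI script lists every VM that still carries an xHCI USB controller and applies the workaround above to a named, powered-off VM by removing that controller. It assumes VMware PowerCLI is installed and that Connect-VIServer has already been run against vCenter or the ESXi host.

```powershell
# Added example, not the advisory's or VMware's own code. Assumes PowerCLI is loaded
# and a vCenter/ESXi session is already open via Connect-VIServer.

function Get-XhciControllerVm {
    # Report each VM whose virtual hardware still includes an xHCI (USB 3.x)
    # controller, the component named in CVE-2020-4004.
    foreach ($vm in Get-VM) {
        $ctrl = $vm.ExtensionData.Config.Hardware.Device |
            Where-Object { $_ -is [VMware.Vim.VirtualUSBXHCIController] }
        if ($ctrl) {
            [pscustomobject]@{
                Name       = $vm.Name
                PowerState = $vm.PowerState
                VMHost     = $vm.VMHost.Name
                Controller = ($ctrl | ForEach-Object { $_.DeviceInfo.Label }) -join ', '
            }
        }
    }
}

function Remove-XhciController {
    # Apply the workaround: remove the xHCI controller(s) from one VM. The VM must be
    # powered off, and any USB device attached to the controller must be removed first.
    param([Parameter(Mandatory)][string]$VmName)
    $vm = Get-VM -Name $VmName
    if ($vm.PowerState -ne 'PoweredOff') { throw "$VmName must be powered off first" }
    $ctrls = @($vm.ExtensionData.Config.Hardware.Device |
        Where-Object { $_ -is [VMware.Vim.VirtualUSBXHCIController] })
    if ($ctrls.Count -eq 0) { Write-Host "$VmName has no xHCI controller"; return }
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.DeviceChange = @(foreach ($c in $ctrls) {
        $change = New-Object VMware.Vim.VirtualDeviceConfigSpec
        $change.Operation = [VMware.Vim.VirtualDeviceConfigSpecOperation]::remove
        $change.Device = $c
        $change
    })
    # ReconfigVM submits the device removal to the host
    $vm.ExtensionData.ReconfigVM($spec)
}

# Inventory first; remove only once the VM owner confirms USB 3.x passthrough is not needed.
Get-XhciControllerVm | Format-Table -AutoSize
```

Once the critical patch has been installed on all hosts, the controller can be added back to any VM that genuinely needs USB 3.x devices.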

How does this affect me?

  • If your systems are vulnerable, they could be susceptible to ransomware or another style of attack aimed at obtaining or destroying your business data.
  • Where your systems are required to be Cyber Essentials or PCI DSS compliant this patch must be installed within 14 or 30 days respectively.

What do I need to do?

  • Arrange downtime to install this patch.
  • Datcom clients will have already been contacted regarding this.


Get in touch

Call us on 0333 000 3210 or Email us solutions@datcom.co.uk
