The flaws earned those ratings as they mean a malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code outside the guest.
Workarounds for the flaws even apply to vSphere 6.x – a now unsupported version of VMware's flagship server virtualization platform.
Yet VMware's FAQ admits doing so "may not be feasible at scale" as "some supported operating systems require USB for keyboard & mouse access via the virtual console."
The FAQ adds: "That said, most Windows and Linux versions support use of the virtual PS/2 mouse and keyboard," and removing unnecessary devices such as USB controllers is recommended as part of the security hardening guidance VMware publishes.
Interestingly, some of the flaws were discovered by researchers at 2023's Tianfu Cup Pwn Contest – China's equivalent of the Pwn2Own infosec attack-fest.
Also thanked were Jiaqing Huang and Hao Zheng from the TianGong Team of Legendsec at Qi'anxin Group, as they found some of the flaws independently.
The original article contains 416 words, the summary contains 163 words. Saved 61%. I'm a bot and I'm open source!
