VMware warns of four vulnerabilities in several of its hypervisors. They allow an attacker who already controls a virtual machine to reach the physical host it runs on.
VMware reports that it has discovered four vulnerabilities affecting several of the company's hypervisors: VMware ESXi, VMware Workstation Pro / Player (Workstation), VMware Fusion Pro / Fusion (Fusion) and VMware Cloud Foundation (Cloud Foundation). Two of the vulnerabilities are classified as very serious, and VMware urges customers not to delay patching.
A hypervisor creates an "isolation layer" between a virtual machine and the physical host on which the VM runs, so that what happens inside the virtual machine affects the host as little as possible. These vulnerabilities undermine that boundary: they turn the hypervisor into a gateway from the virtual machine to the host. An attacker who can already run code inside a virtual machine could use them to execute malicious code on the host itself, which in the case of Workstation or Fusion may be an ordinary Windows PC or a Mac.
Virtual USB
Three of the four vulnerabilities can be traced back to the virtual USB controllers, VMware explains. As a workaround, the USB controller can be removed from a virtual machine, although that also removes USB-attached mouse and keyboard input. VMware itself says this workaround may not be "feasible at scale." Most Windows and Linux versions support a virtual PS/2 mouse and keyboard, so for those guests removing the USB controller will have little to no impact; for other guests, check that input still works before relying on it.
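An added example, not VMware's own tooling and not code from the original article, showing how an administrator might audit which virtual machines still have a virtual USB controller enabled and what the workaround's end state looks like in configuration. It parses the VMX key/value format that VMware virtual machines use (`usb.present`, `ehci.present` and `usb_xhci.present` are the standard keys for the three controller types). The four sample configurations, their VM names, and the list of guest OS prefixes treated as having a PS/2 fallback are constructed assumptions for this example.

```python
import re

# Constructed sample .vmx contents for four hypothetical VMs (not real machines).
SAMPLE_VMX = {
    "win-app01": (
        'displayName = "win-app01"\n'
        'guestOS = "windows2019srv-64"\n'
        'usb.present = "TRUE"\n'
        'ehci.present = "TRUE"\n'
        'usb_xhci.present = "TRUE"\n'
        'usb:1.present = "TRUE"\n'
        'usb:1.deviceType = "hid"\n'
    ),
    "lnx-db02": (
        'displayName = "lnx-db02"\n'
        'guestOS = "ubuntu-64"\n'
        'usb.present = "TRUE"\n'
        'usb_xhci.present = "FALSE"\n'
    ),
    "mac-build03": (
        'displayName = "mac-build03"\n'
        'guestOS = "darwin20-64"\n'
        'usb_xhci.present = "TRUE"\n'
    ),
    "lnx-web04": (
        'displayName = "lnx-web04"\n'
        'guestOS = "rhel9-64"\n'
        'usb.present = "FALSE"\n'
    ),
}

# Standard VMX keys that enable the three virtual USB controller types.
USB_CONTROLLER_KEYS = {
    "usb.present": "UHCI (USB 1.1)",
    "ehci.present": "EHCI (USB 2.0)",
    "usb_xhci.present": "xHCI (USB 3.x)",
}

# Assumption: guestOS values starting with these prefixes are Windows or Linux
# guests, which the advisory says can fall back to the virtual PS/2 mouse/keyboard.
LINUX_PREFIXES = ("ubuntu", "rhel", "centos", "debian", "sles", "other", "fedora")

VMX_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> dict:
    """Parse VMX 'key = "value"' lines into a dict (VMX keys are case-insensitive)."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def enabled_usb_controllers(cfg: dict) -> list:
    """Return the labels of USB controllers whose present-key is TRUE."""
    return [label for key, label in USB_CONTROLLER_KEYS.items()
            if cfg.get(key, "FALSE").upper() == "TRUE"]


def guest_has_ps2_input(guest_os: str) -> bool:
    g = guest_os.lower()
    return g.startswith("win") or g.startswith(LINUX_PREFIXES)


def assess(cfg: dict) -> str:
    """Classify a VM: nothing to do, safe to remove the controller, or verify first."""
    if not enabled_usb_controllers(cfg):
        return "no-usb-controller"
    if guest_has_ps2_input(cfg.get("guestos", "")):
        return "remove-usb-controller"
    return "verify-input-before-removal"


def harden_vmx(text: str) -> str:
    """Return the VMX text with every USB controller disabled and usb:N devices dropped."""
    out = []
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            key = m.group(1).lower()
            if key in USB_CONTROLLER_KEYS:
                out.append(f'{m.group(1)} = "FALSE"')
                continue
            if key.startswith("usb:"):  # devices hanging off the removed controller
                continue
        out.append(line)
    return "\n".join(out) + "\n"


def audit(vmx_by_name: dict) -> dict:
    """Map VM name -> (enabled controllers, recommended action)."""
    result = {}
    for name, text in vmx_by_name.items():
        cfg = parse_vmx(text)
        result[name] = (enabled_usb_controllers(cfg), assess(cfg))
    return result


if __name__ == "__main__":
    for name, (controllers, action) in audit(SAMPLE_VMX).items():
        print(f"{name:12} {action:28} {', '.join(controllers) or '-'}")
```

Editing `.vmx` files by hand only applies cleanly to a powered-off VM, since a running VM rewrites its configuration at power-off; on a live fleet the same change is made through the vSphere client or API by removing the USB controller from the VM's hardware. The audit result still applies: a guest that is not covered by the Windows/Linux PS/2 fallback should be patched rather than stripped of its controller, because removing it may leave the guest without keyboard and mouse input.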
To fully resolve the issue, VMware recommends that customers update their hypervisors to the latest supported version. Never bad advice when a vulnerability arises. VMware's advisory lists, for each affected product, the version in which the fix is included.
VMware also announced two vulnerabilities in a plug-in for vCenter Server at the end of February. The scope of those vulnerabilities was much more limited, because they concerned an outdated plug-in that could be fixed simply by removing it. The current vulnerabilities could claim far more victims if customers do not act quickly. And these are not the only problems the virtualization specialist has to contend with.