Bridged Creek was discovered at GeekPwn 2022 by Yuhao Jiang of Ant Group's Light-Year Security Lab. VMware announced it as security advisory VMSA-2022-0033 on 2022-12-13, and it was assigned CVE-2022-31705 on 2022-12-14. The vulnerability took top prize at the competitive event, run by Tencent's Keen Security Lab, and was one of a number of critical vulnerabilities addressed by VMware in the same round of security updates.

Vulnonym: Bridged Creek
CVE Number: CVE-2022-31705
CWE Number: CWE-787

What is the scope of the vulnerability?

VMware ESXi 7 and 8, VMware Workstation 16, and VMware Fusion 12 on macOS. Fixed versions are ESXi80a-20842819, ESXi70U3si-20841705, Workstation 16.2.5, and Fusion 12.2.5.

What's the impact?

This is a virtual machine escape vulnerability: a user with local administrative privileges on a guest virtual machine may use it to execute code on the host machine in the context of that virtual machine's VMX process. On ESXi the impact is reduced because the VMX process runs inside a sandbox, so exploitation is contained within it; on Workstation and Fusion, code execution on the host may be possible.

What's the threat?

No public proof of concept or exploit is available, and there have been no indications of exploitation in the wild. The requirement for local administrative privileges within the guest limits the pool of potential attackers, but the vulnerability still offers a sandbox escape as a follow-up to an initial compromise of, or privilege escalation within, a virtual machine.

What's the mitigation?

No mitigation or workaround is available, given the nature of the issue: if an attacker has local administrative privileges in a guest, they can potentially exploit the vulnerability. Until the fix is applied, the practical controls are limiting who holds administrative access inside guests and treating a guest compromise as a potential threat to the host.

What's the fix?

VMware has released security updates for all affected products, which should be applied as per their advisory.

What's the weakness?

CWE-787 is the common weakness behind many memory-related errors, and refers to Out-of-bounds Write.
This means that the software being executed may write to memory which has not been assigned to it. This is most common in software developed in low-level languages with direct memory access, such as C and C++. Prevention can include using languages which perform their own memory management and bounds checking, or compilers and runtimes which include overflow protection by default (note that this can usually be disabled by the programmer). Other measures may help to prevent similar vulnerabilities, but there are few complete solutions due to the diversity of flaws.

The Details

Video: https://www.youtube.com/watch?v=qL2CxfNUMeg

Virtual machine escapes are often considered serious vulnerabilities due to the potential impact on host machines, and through them on other guests. In this instance the weakness is serious, but the situations in which it can be exploited are limited: an attacker either needs to be granted local administrator access to a virtual machine, or must already have compromised the guest, before leveraging it to execute code on the host.
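The out-of-bounds write pattern described under "What's the weakness?" above, shown as an added example that is not code from the original page, from VMware, or from the EHCI emulation the advisory concerns. The emulated device, its 64-byte register window, the adjacent control field and the guest request structure are all hypothetical, chosen to show the shape of the bug (a guest-supplied offset and length that are checked incompletely) beside the bounds check that closes it. The register window and the control field are placed in one allocation so the stray write is deterministic and well-defined for the demonstration; in a real emulator the bytes past the window belong to whatever neighbouring heap object happens to sit there.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical emulated device (not VMware's): a 64-byte register window
 * followed in memory by a 32-bit control field that the guest must never
 * be able to write. Both live in one allocation so the out-of-bounds write
 * below stays well-defined for the demo. */
#define REG_WINDOW 64u
#define CTRL_OFF   REG_WINDOW
#define DEV_SIZE   (REG_WINDOW + 4u)

typedef struct {
    uint8_t mem[DEV_SIZE];   /* mem[0..63] = registers, mem[64..67] = control */
} emu_dev;

/* Guest-controlled request: "write len bytes of data at register offset off". */
typedef struct {
    uint32_t off;
    uint32_t len;
    const uint8_t *data;
} guest_write;

/* Reads the control field that a correct handler must never modify. */
static uint32_t dev_ctrl(const emu_dev *d) {
    uint32_t v;
    memcpy(&v, d->mem + CTRL_OFF, sizeof v);
    return v;
}

/* CWE-787 pattern: only the start offset is validated, so off + len can run
 * past the register window into whatever follows it. Returns 0 on success,
 * -1 if the request is refused. */
int handle_write_vulnerable(emu_dev *d, const guest_write *w) {
    if (w->off >= REG_WINDOW)
        return -1;
    for (uint32_t i = 0; i < w->len; i++)
        d->mem[w->off + i] = w->data[i];   /* no check that off + i < REG_WINDOW */
    return 0;
}

/* Hardened handler: bounds the whole range. The check is ordered so that
 * REG_WINDOW - len cannot underflow and off + len is never computed, which
 * also defeats a guest choosing off near UINT32_MAX to wrap the sum. */
int handle_write_fixed(emu_dev *d, const guest_write *w) {
    if (w->len > REG_WINDOW || w->off > REG_WINDOW - w->len)
        return -1;
    memcpy(d->mem + w->off, w->data, w->len);
    return 0;
}

/* Sends one crafted request (constructed for the demo) to the vulnerable
 * handler and reports whether the control field was corrupted: 1 if the
 * write escaped the register window, 0 if it did not, -1 on allocation
 * failure. */
int demo_overflow(void) {
    static const uint8_t payload[8] = {0x41, 0x41, 0x41, 0x41, 0x42, 0x42, 0x42, 0x42};
    guest_write req = { .off = 60, .len = 8, .data = payload };  /* 60 + 8 > 64 */
    emu_dev *d = calloc(1, sizeof *d);
    if (!d)
        return -1;
    d->mem[CTRL_OFF] = 0x80;               /* give the control field a known value */
    uint32_t before = dev_ctrl(d);
    handle_write_vulnerable(d, &req);      /* accepted: off 60 passes the weak check */
    uint32_t after = dev_ctrl(d);
    free(d);
    return after != before;
}

int main(void) {
    printf("control field corrupted by vulnerable handler: %s\n",
           demo_overflow() == 1 ? "yes" : "no");
    return 0;
}
```

The same request is refused by handle_write_fixed, as are requests whose length alone exceeds the window and requests whose offset is chosen to wrap a naive off + len check. This is the general form of the fix for a CWE-787 in a device emulator: validate the full extent of every guest-supplied range against the emulated resource before touching memory.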