CVE-2022-31705: Bridged Creek Vulnerability Report

Bridged Creek was discovered at GeekPwn 2022 by Yuhao Jiang of Any Group’s Light-Year Security Lab. On 2022-12-13 it was announced by VMWare as security advisory VMSA-2022-0033 on 2022-12-13, and assigned as CVE-2022-31705 on 2022-12-14.

The vulnerability took top prize at the competitive event, run by Tencent’s Keen Security Lab, and was one of a number of critical vulnerabilities addressed in the same security update by VMWare.

Vulnonym: Bridged Creek

CVE Number: CVE-2022-31705

CWE Number: CWE-787

What is the scope of the vulnerability?

VMWare ESXi 7 & 8, VMWare Workstation 16, and VMWare Fusion 12 on OS X.

Fixed versions are ESXi80a-20842819, ESXi7OU3si-20841705, Workstation 16.2.5, and Fusion 12.2.5.

What’s the impact?

This is a virtual machine escape vulnerability, meaning a user with local administration privileges on a guest virtual machine may use it to execute code on the host machine, as the virtual machine’s VMX process.

With ESXi the exploitation is limited in impact as it is contained within the VMX sandbox, while on Workstation and Fusion code execution may be possible.

What’s the threat?

A public proof of concept or version of the exploit is not available, and there have been no indications of exploitation in the wild. The requirement for local administrative privileges within the guest machine limits potential attackers, though the vulnerability does allow for a potential sandbox escape as a follow up to an initial compromise or privilege escalation attack against a virtual machine.

What’s the mitigation?

No mitigation or workaround is available given the nature of the issue. If an attacker has local administration privileges, they can potentially exploit the vulnerability.

What’s the fix?

VMWare have released security updates for all affected products which should be applied as per their advisory.

What’s the weakness?

CWE-787 is the common weakness of many memory-related errors, and refers to Out-of-bounds Write. This means that the software being executed may write to memory which has not been assigned to it. This is most common in software developed with low-level languages with direct memory access.

Prevention can include using languages which perform their own memory management, or include overflow protection by default (note this can usually be disabled by the programmer). Other solutions may help to prevent similar vulnerabilities, but there are few complete solutions due to the diversity of flaws.

The Details

Virtual machine escapes are often considered serious vulnerabilities due to the potential impacts on host machines, and so other guests. In this instance the weakness is serious, with a limited number of use cases where it may be exploited. An attacker either needs to be granted local administrator access to a virtual machine, or have already compromised the guest, before leveraging it to execute code on the host.