VMware vSphere

  • 1.  Regarding impact of VMSA-2024-0006

    Posted Mar 12, 2024 06:46 AM

    Hi,
    We have a few virtual machines deployed on ESXi 7.x and ESXi 8.x. We have a query with regard to the impact of VMSA-2024-0006.1 (vmware.com).

    The USB controller on all these VMs is disabled by default. Hence, we would like to know if we are still affected by these vulnerabilities (CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255) when there is no USB controller device, and should we still recommend patching of ESXi Servers to end users?
    Please let us know.

    Thank you.



  • 2.  RE: Regarding impact of VMSA-2024-0006

    Posted Mar 12, 2024 10:27 AM

    Hello,


    It all depends on where you start from, i.e. which other defects / vulnerabilities have been corrected in the meantime. Generally speaking, applying the most recent updates is recommended, but you have to evaluate times and methods based on your specific IT context. I mean, my small computing context allows me to adopt a (sometimes rather extreme) approach that is inapplicable (or at least inadvisable) in several other computing contexts.


    Regards,
    Ferdinando



  • 3.  RE: Regarding impact of VMSA-2024-0006

    Posted Mar 13, 2024 12:51 PM

    Thanks for your input, Ferdinando. Very much appreciated.

    We are recommending patching of ESXi Servers for end users.



  • 4.  RE: Regarding impact of VMSA-2024-0006

    Posted Mar 14, 2024 07:18 PM

    For VMs that do not have a USB Controller, they are not vulnerable, but, as rightly pointed out, it is best practice to keep your hosts patched, and you should get into a routine of updating them as new builds become available. After you've done it a few times, it is usually fairly trivial to do.

     

    If you subscribe to the following vCenter and ESXi release pages, you will be emailed when updates are released.

    You can also subscribe to VMware security announcements here (if you haven't already).

     

    HTH
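
The answer above turns on whether a VM actually has a USB controller attached. As an added example (not part of the original thread, and not VMware tooling), the following Python sketch audits `.vmx` configuration text for enabled virtual USB controllers. It assumes the `.vmx` files have already been collected from the datastores; the VM names and file contents below are constructed sample data.

```python
import re

# .vmx keys that attach a virtual USB controller (UHCI, EHCI, xHCI).
USB_KEYS = ("usb.present", "ehci.present", "usb_xhci.present")

# A .vmx entry looks like: key = "value". Lines starting with '#' are comments.
_LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse .vmx text into a dict. Keys are lower-cased; the last entry wins."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def usb_controllers(text):
    """Return the USB controller keys that are enabled in this .vmx text."""
    cfg = parse_vmx(text)
    return [k for k in USB_KEYS if cfg.get(k, "").strip().lower() == "true"]


def audit(inventory):
    """Map VM name -> enabled USB controller keys, only for VMs that have any."""
    report = {}
    for name, text in inventory.items():
        found = usb_controllers(text)
        if found:
            report[name] = found
    return report


# Constructed sample inventory (hypothetical VM names and contents).
SAMPLE = {
    "app01": 'displayName = "app01"\nusb.present = "FALSE"\n',
    "db01": 'displayName = "db01"\nusb.present = "TRUE"\nehci.present = "TRUE"\n',
    "web01": 'displayName = "web01"\n# usb.present = "TRUE"\nUSB_XHCI.present = "true"\n',
    "jump01": 'displayName = "jump01"\nusb_xhci.present = "TRUE"\nusb_xhci.present = "FALSE"\n',
}

if __name__ == "__main__":
    for vm, keys in sorted(audit(SAMPLE).items()):
        print(f"{vm}: USB controller present ({', '.join(keys)})")
```

VMs that appear in the report still have a USB controller attached; whatever the result, the thread's recommendation to keep hosts patched stands.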