
VMware Issues Vital Security Updates for Workstation and Fusion Products

VMware, a leading provider of virtualization solutions, has issued security updates to address multiple vulnerabilities affecting its Workstation and Fusion software products. Among these vulnerabilities, the most severe one could enable a local attacker to execute code on the affected system.

The most critical vulnerability, identified as CVE-2023-20869 and assigned a CVSS score of 9.3, is a stack-based buffer overflow vulnerability present in the feature that allows sharing of host Bluetooth devices with virtual machines. According to VMware, "A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host."

VMware has also patched an out-of-bounds read vulnerability (CVE-2023-20870, CVSS score: 7.1) that affects the same Bluetooth sharing feature. A local attacker with administrative privileges could exploit this vulnerability to access sensitive information from the hypervisor memory via a virtual machine.

Researchers from STAR Labs successfully demonstrated both vulnerabilities during the third day of the Pwn2Own hacking contest held in Vancouver last month, earning a reward of $80,000.

VMware has also addressed two other vulnerabilities, including a local privilege escalation vulnerability (CVE-2023-20871, CVSS score: 7.3) in the Fusion product and an out-of-bounds read/write vulnerability (CVE-2023-20872, CVSS score: 7.7) in the emulation of SCSI CD/DVD devices. The former vulnerability could allow an attacker with read/write access to the host operating system to gain root access, while the latter could lead to arbitrary code execution. VMware explained, "A malicious attacker with access to a virtual machine that has a physical CD/DVD drive attached and configured to use a virtual SCSI controller may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine."

The identified vulnerabilities have been fixed in Workstation version 17.0.2 and Fusion version 13.0.2. As interim measures, VMware recommends disabling Bluetooth support on virtual machines to mitigate CVE-2023-20869 and CVE-2023-20870. To mitigate CVE-2023-20872, users are advised to either remove the CD/DVD device from virtual machines or configure virtual machines not to use virtual SCSI controllers.
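Until the fixed versions are installed, the interim measures above can be checked per virtual machine. The following is an added example, not VMware tooling or code from the advisory: it audits a `.vmx` configuration for Bluetooth sharing and for a physical CD/DVD drive on a virtual SCSI controller. The key names `usb.vbluetooth.startConnected` and `scsiX:Y.deviceType = "cdrom-raw"` are assumptions about the `.vmx` format and do not come from this article.

```python
import re

# Assumed .vmx keys (not from the article): usb.vbluetooth.startConnected
# turns on host Bluetooth sharing; scsiX:Y.deviceType = "cdrom-raw" is a
# physical CD/DVD drive attached through a virtual SCSI controller.
LINE_RE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')
SCSI_DEV_RE = re.compile(r'^(scsi\d+:\d+)\.devicetype$')

def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def audit_vmx(text):
    """List the interim mitigations that one VM configuration is missing."""
    cfg = parse_vmx(text)
    findings = []
    # Only an explicit TRUE is flagged; a missing key needs a manual check.
    if cfg.get("usb.vbluetooth.startconnected", "").upper() == "TRUE":
        findings.append("bluetooth-sharing-enabled (CVE-2023-20869, CVE-2023-20870)")
    for key, value in sorted(cfg.items()):
        m = SCSI_DEV_RE.match(key)
        if not m or value.lower() != "cdrom-raw":
            continue
        dev = m.group(1)
        # A device entry without present = "TRUE" is not attached to the VM.
        if cfg.get(dev + ".present", "").upper() == "TRUE":
            findings.append(f"physical-cdrom-on-scsi {dev} (CVE-2023-20872)")
    return findings

# Constructed sample .vmx content, not taken from a real virtual machine.
SAMPLE_VMX = '''
.encoding = "UTF-8"
usb.present = "TRUE"
usb.vbluetooth.startConnected = "TRUE"
scsi0.present = "TRUE"
scsi0:1.present = "TRUE"
scsi0:1.deviceType = "cdrom-raw"
scsi0:1.fileName = "auto detect"
sata0:1.present = "TRUE"
sata0:1.deviceType = "cdrom-image"
'''

if __name__ == "__main__":
    for finding in audit_vmx(SAMPLE_VMX):
        print(finding)
```

An empty result means neither interim-mitigation gap was found in that file; it does not replace upgrading to Workstation 17.0.2 or Fusion 13.0.2.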

This announcement follows closely on the heels of VMware's recent patch for a critical deserialization vulnerability (CVE-2023-20864, CVSS score: 9.8) affecting multiple versions of Aria Operations for Logs.

