VMware Releases Critical Patches for Workstation and Fusion Software

VMware has released updates to resolve multiple security flaws impacting its Workstation and Fusion software, the most critical of which could allow a local attacker to achieve code execution.

The vulnerability, tracked as CVE-2023-20869 (CVSS score: 9.3), is described as a stack-based buffer-overflow vulnerability that resides in the functionality for sharing host Bluetooth devices with the virtual machine.

“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the company said.

Also patched by VMware is an out-of-bounds read vulnerability affecting the same feature (CVE-2023-20870, CVSS score: 7.1), that could be abused by a local adversary with admin privileges to read sensitive information contained in hypervisor memory from a virtual machine.

Both vulnerabilities were demonstrated by researchers from STAR Labs on the third day of the Pwn2Own hacking contest held in Vancouver last month, earning them an $80,000 reward.

VMware has also patched two additional shortcomings, which include a local privilege escalation flaw (CVE-2023-20871, CVSS score: 7.3) in Fusion and an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation (CVE-2023-20872, CVSS score: 7.7).

While the former could enable a bad actor with read/write access to the host operating system to obtain root access, the latter could result in arbitrary code execution.

“A malicious attacker with access to a virtual machine that has a physical CD/DVD drive attached and configured to use a virtual SCSI controller may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine,” VMware said.

The flaws have been addressed in Workstation version 17.0.2 and Fusion version 13.0.2. As a temporary workaround for CVE-2023-20869 and CVE-2023-20870, VMware is suggesting that users turn off Bluetooth support on the virtual machine.

As for mitigating CVE-2023-20872, it’s advised to remove the CD/DVD device from the virtual machine or configure the virtual machine not to use a virtual SCSI controller.

The development comes less than a week after the virtualization services provider fixed a critical deserialization flaw impacting multiple versions of Aria Operations for Logs (CVE-2023-20864, CVSS score: 9.8).