
VMware releases security updates for Workstation, Fusion exploits


VMware released security updates and workarounds on April 25 for vulnerabilities in two of its products, one of which could lead to remote code execution.

The security vulnerabilities were privately reported to VMware and affect its Workstation and Fusion software products; the most critical is CVE-2023-20869, which has a rating of 9.3.

The company describes the vulnerability, which affects both Workstation and Fusion, as “a stack-based buffer-overflow vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine,” adding that “a malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.”

The second vulnerability, CVE-2023-20870, which has a 7.1 rating, also affects both products and is described as “an out-of-bounds read vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine.”

VMware’s temporary workaround for both vulnerabilities is to turn off the Bluetooth support on the virtual machine.
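An added audit script for that workaround (example code, not VMware's own tooling and not part of the original article): it parses the key = "value" lines of Workstation/Fusion .vmx files and reports which virtual machines do not explicitly disable host Bluetooth sharing. It assumes the setting VMware's workaround guidance names, usb.vbluetooth.startConnected, is the relevant key; the article itself only says to turn Bluetooth support off.

```python
"""Audit VMware Workstation/Fusion .vmx files for the Bluetooth-sharing workaround."""
import re
from pathlib import Path
from typing import Dict, Iterable

# Assumed .vmx key for host Bluetooth sharing (from VMware's workaround
# guidance, not from the article above).
BLUETOOTH_KEY = "usb.vbluetooth.startConnected"

# .vmx lines look like:   some.key = "value"   (quotes are optional)
_VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse a .vmx file into a dict; keys are lower-cased for comparison."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        m = _VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def bluetooth_sharing_disabled(text: str) -> bool:
    """True only if the VM explicitly sets the key to FALSE.

    A missing key counts as NOT mitigated: the workaround requires an
    explicit FALSE, so an absent setting is flagged for follow-up.
    """
    value = parse_vmx(text).get(BLUETOOTH_KEY.lower(), "")
    return value.upper() == "FALSE"


def audit_vmx_files(paths: Iterable[Path]) -> Dict[str, bool]:
    """Map each .vmx path to whether the Bluetooth workaround is in place."""
    return {str(p): bluetooth_sharing_disabled(p.read_text(errors="replace"))
            for p in paths}


# Constructed sample .vmx fragments (not taken from any real VM).
MITIGATED_VMX = '''.encoding = "UTF-8"
config.version = "8"
displayName = "build-agent"
usb.vbluetooth.startConnected = "FALSE"
'''

UNMITIGATED_VMX = '''.encoding = "UTF-8"
displayName = "dev-box"
usb.vbluetooth.startConnected = "TRUE"
'''
```

Run `audit_vmx_files(Path("/path/to/vms").rglob("*.vmx"))` to get a per-VM verdict; any `False` entry still needs the workaround or the vendor update.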

The third vulnerability, CVE-2023-20871, is described as a local privilege escalation vulnerability in VMware Fusion. With a rating of 7.3, the bug allows a malicious actor with read/write access to the host operating system to elevate privileges and gain root access to the host.

Finally, the fourth vulnerability, CVE-2023-20872, has a rating of 7.7 and affects both Workstation and Fusion; VMware describes it as “an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation.”

The third and fourth bugs can be mitigated by updating to the latest versions.

VMware thanked STAR Labs for reporting the vulnerabilities, which were discovered during the Pwn2Own 2023 security contest in March.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
