VMware released security updates and workarounds on April 25 for vulnerabilities in two of its products, one of which could lead to remote code execution.
The security vulnerabilities were privately reported to VMware and affect its Workstation and Fusion software products. The most critical is CVE-2023-20869, which has a rating of 9.3.
The company describes the vulnerability affecting both Workstation and Fusion as “a stack-based buffer-overflow vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine.” … “A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.”
The second vulnerability, CVE-2023-20870, which has a 7.1 rating, also affects both products and is described as “an out-of-bounds read vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine.”
VMware’s temporary workaround for both vulnerabilities is to turn off the Bluetooth support on the virtual machine.
The third vulnerability, CVE-2023-20871, is described as a local privilege escalation vulnerability in VMware Fusion. With a rating of 7.3, the bug allows a malicious actor with read-write access to the host operating system to elevate privileges and gain root access to the host operating system.
Finally, the fourth vulnerability, CVE-2023-20872, has a rating of 7.7 and affects both Workstation and Fusion. It is described as “an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation.”
The third and fourth bugs can be mitigated by updating to the latest versions.
VMware thanked STAR Labs for reporting the vulnerabilities, which were discovered during a Pwn2Own 2023 Security Contest in March.