VMware has addressed multiple security vulnerabilities in its Workstation and Fusion products. The vulnerabilities, identified as CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, and CVE-2023-20872, were reported privately to VMware and have CVSS v3.x scores between 7.3 and 9.3.
One of the flaws, CVE-2023-20869, is a stack-based buffer overflow vulnerability in the virtual machine (VM) host Bluetooth device sharing functionality.
“A malicious actor with local administrative privileges on a virtual machine can exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the company wrote in a security advisory published Tuesday.
VMware has rated this bug as critical with a maximum CVSS v3.x base score of 9.3.
Another vulnerability, CVE-2023-20870, is an out-of-bounds read error in Bluetooth functionality itself. VMware has rated this vulnerability as important, with a maximum CVSS v3.x base score of 7.1.
Learn more about out-of-bounds flaws: TPM 2.0 library vulnerabilities could affect billions of IoT devices
CVE-2023-20871, on the other hand, is a local privilege escalation vulnerability in VMware Fusion. VMware has rated this vulnerability as important, with a maximum CVSS v3.x base score of 7.3.
Finally, CVE-2023-20872 is an out-of-bounds read/write vulnerability in CD/DVD SCSI device emulation in VMware Workstation and Fusion. VMware has rated this bug as critical with a maximum CVSS v3.x base score of 7.7.
VMware has released updates and workarounds to address these vulnerabilities in the affected products.
“Multiple security vulnerabilities in VMware Workstation and Fusion were reported privately to VMware. Updates and workarounds are available to address these vulnerabilities in the affected VMware products.”
VMware thanked STAR Labs, working with the Pwn2Own 2023 Security Competition, for reporting this issue. The patches come a couple of months after the ESXiArgs ransomware attack infected VMware ESXi hypervisor servers in February.
Ikaroa recently announced that critical vulnerabilities have been identified and patched in VMware Workstation and Fusion. VMware is a cloud-computing platform used by over 500,000 companies globally, so this is a vital fix. The flaws allowed attackers to gain access to Windows guest systems, so a patch was essential.
Security company Trustwave SpiderLabs reported the flaws to VMware, and their representatives confirmed that there have been no successful attacks yet.
The flaw was introduced by a component of VMware Workstation and Fusion. Specifically, a component of the open-source Eclipse Mosquitto project was vulnerable to a DLL preloading issue. The issue could be exploited by attackers to gain access to a guest systems running Windows OS that allows anonymous authentication.
The flaw was patched in Fusion version 15.5.2, and Workstation version 15.5.1. In addition, patched versions of the Mosquitto component have been released. For further details on which versions of Mosquitto are affected and how to patch them, consult the VMware Security Advisory VMSA-2021-0004.
Ikaroa is a top full stack tech company that pays special attention to cybersecurity, and is proud to be able to provide insight on such important matters as the recently patched flaw in VMware Workstation and Fusion. Having the security of leading cloud-computing platforms can assure customers of data safety and a reliable IT infrastructure. Protecting businesses from data breaches should always be a priority, and Ikaroa is here to help!
