VMware has released updates to resolve multiple security flaws impacting its Workstation and Fusion software, the most critical of which could allow a local attacker to achieve code execution.
The vulnerability, tracked as CVE-2023-20869 (CVSS score: 9.3), is described as a stack-based buffer-overflow vulnerability that resides in the functionality for sharing host Bluetooth devices with the virtual machine.
“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the company said.
Also patched by VMware is an out-of-bounds read vulnerability affecting the same feature (CVE-2023-20870, CVSS score: 7.1), that could be abused by a local adversary with admin privileges to read sensitive information contained in hypervisor memory from a virtual machine.
Both vulnerabilities were demonstrated by researchers from STAR Labs on the third day of the Pwn2Own hacking contest held in Vancouver last month, earning them an $80,000 reward.
VMware has also patched two additional shortcomings, which include a local privilege escalation flaw (CVE-2023-20871, CVSS score: 7.3) in Fusion and an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation (CVE-2023-20872, CVSS score: 7.7).
While the former could enable a bad actor with read/write access to the host operating system to obtain root access, the latter could result in arbitrary code execution.
“A malicious attacker with access to a virtual machine that has a physical CD/DVD drive attached and configured to use a virtual SCSI controller may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine,” VMware said.
The flaws have been addressed in Workstation version 17.0.2 and Fusion version 13.0.2. As a temporary workaround for CVE-2023-20869 and CVE-2023-20870, VMware is suggesting that users turn off Bluetooth support on the virtual machine.
As for mitigating CVE-2023-20872, it’s advised to remove the CD/DVD device from the virtual machine or configure the virtual machine not to use a virtual SCSI controller.
The development comes less than a week after the virtualization services provider fixed a critical deserialization flaw impacting multiple versions of Aria Operations for Logs (CVE-2023-20864, CVSS score: 9.8).