VMware fixes critical flaws in virtualization software (CVE-2023-20869, CVE-2023-20870)
VMware has fixed one critical (CVE-2023-20869) and three important flaws (CVE-2023-20870, CVE-2023-20871, CVE-2023-20872) in its VMware Workstation and Fusion desktop virtualization software.
The former allows users to run multiple x86-based operating systems on one PC, while the latter runs Windows, Linux and other apps on Macs without having to reboot.
CVE-2023-20869 and CVE-2023-20870 were exploited together by STAR Labs researchers in March, on the third day of the Pwn2Own 2023 hacking contest held in Vancouver.
About the vulnerabilities
As explained by VMware, CVE-2023-20869 is a critical stack-based buffer-overflow vulnerability in the functionality for sharing host Bluetooth devices with the virtual machine, which allows a malicious actor with local administrative privileges to execute code as the virtual machine’s VMX process running on the host.
CVE-2023-20870 is an out-of-bounds read vulnerability that exists in the same functionality, and may allow a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory.
CVE-2023-20871 – a local privilege escalation vulnerability – only affects VMware Fusion, and may allow a malicious actor with read/write access to the host OS to gain root access.
CVE-2023-20872 is an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation, and may enable a malicious actor to execute code on the hypervisor from a virtual machine. To exploit it, the attacker must have access to a virtual machine with a physical CD/DVD drive attached and configured to use a virtual SCSI controller.
The first two vulnerabilities were reported to VMware via Trend Micro’s Zero Day Initiative (the organizer of the Pwn2Own contest). The other two were reported directly to VMware by the researchers who discovered them.
The Zero Day Initiative generally releases technical details of bugs exploited at Pwn2Own 90 days after the tournament.
Remediation
The vulnerabilities affect VMware Workstation Pro v17.x and VMware Fusion v13.x.
To remediate, admins should update to the fixed versions:
- VMware Workstation Pro 17.0.2
- VMware Fusion 13.0.2
Workarounds are also available for all but CVE-2023-20871:
- For CVE-2023-20869 and CVE-2023-20870 – turn off Bluetooth support on the virtual machine
- For CVE-2023-20872 – remove the CD/DVD device from the virtual machine, or configure the VM not to use the virtual SCSI controller for it.
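As an added example (not from the article or from VMware), the following Python audit parses VMware .vmx configuration files and flags virtual machines that still meet the preconditions the two workarounds remove: Bluetooth sharing enabled, or a physical CD/DVD drive attached through a virtual SCSI controller. The key `usb.vbluetooth.startConnected` and the `cdrom-raw` device type are assumed .vmx settings and should be confirmed against your own Workstation/Fusion files.

```python
import re
from typing import Dict, List

# Matches `key = "value"` or `key = value` lines used by .vmx files.
VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"?([^"]*)"?\s*$')

# Assumed .vmx key behind the "Share Bluetooth devices with the virtual
# machine" setting; confirm it against your own Workstation/Fusion .vmx files.
BT_KEY = "usb.vbluetooth.startconnected"


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse .vmx text into a dict; keys are lowercased for case-insensitive lookup."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line.strip())
        if m:
            cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg


def findings(cfg: Dict[str, str]) -> List[str]:
    """Return one finding per workaround condition the VM still exposes."""
    out: List[str] = []
    if cfg.get(BT_KEY, "").upper() == "TRUE":
        out.append("CVE-2023-20869/CVE-2023-20870: Bluetooth sharing is enabled")
    # CVE-2023-20872 requires a physical drive (deviceType cdrom-raw) on a
    # virtual SCSI controller; ISO images (cdrom-image) and IDE/SATA buses
    # fall outside the advisory's stated precondition.
    for key, value in cfg.items():
        dev = re.fullmatch(r"(scsi\d+:\d+)\.devicetype", key)
        if (dev and value.lower() == "cdrom-raw"
                and cfg.get(dev.group(1) + ".present", "").upper() == "TRUE"):
            out.append(f"CVE-2023-20872: physical CD/DVD on {dev.group(1)} (virtual SCSI)")
    return out


# Constructed sample .vmx fragment: a VM that still has both exposure conditions.
SAMPLE_VMX = '''
.encoding = "UTF-8"
usb.vbluetooth.startConnected = "TRUE"
scsi0.present = "TRUE"
scsi0:1.present = "TRUE"
scsi0:1.deviceType = "cdrom-raw"
scsi0:1.fileName = "auto detect"
'''

if __name__ == "__main__":
    for finding in findings(parse_vmx(SAMPLE_VMX)):
        print(finding)
```

Point `parse_vmx` at the contents of each .vmx file on a host to list the VMs that still need the workaround or the 17.0.2/13.0.2 update.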
Earlier this week, VMware patched two vulnerabilities in VMware Aria Operations for Logs.