VMware has recently issued security updates to tackle zero-day vulnerabilities, which could be linked to enable code execution on systems running unpatched versions of the company’s Workstation and Fusion software hypervisors. These vulnerabilities were demonstrated by STAR Labs team’s security researchers during the Pwn2Own Vancouver 2023 hacking contest just a month ago.
Addressing the flaws and temporary workarounds
The first vulnerability (CVE-2023-20869) is a stack-based buffer-overflow issue in Bluetooth device-sharing functionality. This allows local attackers to execute code as the virtual machine’s VMX process operating on the host. The second bug (CVE-2023-20870) is an information disclosure weakness related to sharing host Bluetooth devices with the VM. This enables malicious actors to read privileged information in the hypervisor memory from a VM.
VMware also offers a temporary workaround for administrators who cannot immediately deploy patches for these two flaws on their systems. By turning off Bluetooth support on the virtual machine and unchecking the “Share Bluetooth devices with the virtual machine” option on impacted devices, the attack vector can be removed.
Additional security flaws addressed
VMware has addressed two more security flaws affecting the Workstation and Fusion hosted hypervisors. CVE-2023-20871 is a high-severity VMware Fusion Raw Disk local privilege escalation vulnerability that can be exploited by attackers with read/write access to the host operating system. This would allow them to escalate privileges and gain root access to the host OS.
A fourth bug (tracked as CVE-2023-20872), an out-of-bounds read/write vulnerability in the SCSI CD/DVD device emulation, impacts both Workstation and Fusion products. This can be exploited by local attackers with access to VMs with a physical CD/DVD drive attached and configured to use a virtual SCSI controller, allowing them to gain code execution on the hypervisor from the VM.
For CVE-2023-20872, a temporary workaround requires administrators to remove the CD/DVD device from the virtual machine or configure it not to use a virtual SCSI controller, effectively blocking exploitation attempts.
Recently, VMware also patched a critical vRealize Log Insight vulnerability that could allow unauthenticated attackers to gain remote execution on vulnerable appliances.
{{user}} {{datetime}}
{{text}}