Virtualization Technology News and Information
Zero-day vulnerabilities in VMware's Fusion and Workstation addressed in latest patch


Virtualization software is an essential tool for many organizations, allowing them to create virtual environments for testing, development, and other purposes. However, such software is not immune to security vulnerabilities, and recently VMware had to patch critical zero-day vulnerabilities in its Fusion and Workstation virtualization products.

Virtualization and cloud vendor VMware has released updates to resolve multiple security flaws impacting its Workstation and Fusion software, the most critical of which could be exploited to allow a local attacker to achieve code execution with high privileges.

Researchers from STAR Labs successfully attacked VMware Workstation in March this year as part of the annual Pwn2Own competition, earning them an $80,000 reward.

It was found that both VMware Fusion and VMware Workstation contain a stack-based buffer overflow vulnerability in the functionality for sharing host Bluetooth devices with the virtual machine.

"A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host," the company said.

The Bluetooth bug, tracked as CVE-2023-20869, is rated as critical with a score of 9.3 out of 10.0 on the Common Vulnerability Scoring System version 3.

Also patched by VMware is an out-of-bounds read vulnerability affecting the same feature, tracked as CVE-2023-20870, with a score of 7.1 out of 10.0. This flaw could be abused by a local adversary with administrator privileges to read sensitive information contained in hypervisor memory from a virtual machine.

A quick workaround to address these flaws would be to turn off Bluetooth support on virtual machines by unchecking the "Share Bluetooth devices with the virtual machine" option on the impacted devices. More info on this can be found in this VMware Knowledge base article.

Otherwise, the main fix is for users to upgrade Workstation to version 17.0.2 and Fusion to version 13.0.2.  

VMware has also patched two additional shortcomings, which include a local privilege escalation flaw, CVE-2023-20871 with a CVSS score of 7.3 out of 10.0, in Fusion, and an out-of-bounds read/write vulnerability, CVE-2023-20872, with a CVSS score of 7.7 out of 10.0.

CVE-2023-20871 is a high-severity VMware Fusion Raw Disk local privilege escalation vulnerability that can be abused by attackers with read/write access to the host operating system to escalate privileges and gain root access to the host OS. CVE-2023-20872 is described as "an out-of-bounds read/write vulnerability" in the SCSI CD/DVD device emulation which impacts both Workstation and Fusion products. This can be exploited by local attackers with access to VMs with a physical CD/DVD drive attached and configured to use a virtual SCSI controller to gain code execution on the hypervisor from the VM.

A temporary CVE-2023-20872 workaround that blocks exploitation attempts requires administrators "to remove the CD/DVD device from the virtual machine or configure the virtual machine NOT to use a virtual SCSI controller."
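As an added example (not from the article or from VMware), the following Python script audits a virtual machine's .vmx configuration for the two workaround conditions described above: Bluetooth sharing still enabled, and a physical CD/DVD drive attached to a virtual SCSI controller. The key name `usb.vbluetooth.startConnected`, the `deviceType` values `cdrom-raw` and `atapi-cdrom`, and the finding labels are assumptions about the .vmx format; the sample configuration is constructed.

```python
import re

# Assumed .vmx key names and values (not given in the article):
BT_KEY = "usb.vbluetooth.startconnected"          # Bluetooth sharing option
PHYSICAL_CD_TYPES = {"cdrom-raw", "atapi-cdrom"}  # host drive, not an ISO image
_LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')
_SCSI_DEV = re.compile(r"^(scsi\d+:\d+)\.devicetype$")

# Constructed sample configuration, for illustration only.
SAMPLE_VMX = """\
displayName = "constructed-sample"
usb.present = "TRUE"
usb.vbluetooth.startConnected = "TRUE"
scsi0.present = "TRUE"
scsi0:1.present = "TRUE"
scsi0:1.deviceType = "cdrom-raw"
sata0:1.present = "TRUE"
sata0:1.deviceType = "cdrom-raw"
"""

def parse_vmx(text):
    """Return {lowercased key: value}; keys are compared case-insensitively here."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def _enabled(cfg, key):
    return cfg.get(key, "").strip().lower() == "true"

def audit_vmx(text):
    """List the workaround conditions that still apply to this VM."""
    cfg = parse_vmx(text)
    findings = []
    # CVE-2023-20869 / CVE-2023-20870 workaround: Bluetooth sharing off.
    if _enabled(cfg, BT_KEY):
        findings.append("bluetooth-sharing-enabled")
    # CVE-2023-20872 workaround: no physical CD/DVD on a virtual SCSI controller.
    for key in sorted(cfg):
        m = _SCSI_DEV.match(key)
        if m and cfg[key].lower() in PHYSICAL_CD_TYPES \
                and _enabled(cfg, m.group(1) + ".present"):
            findings.append("physical-cdrom-on-scsi:" + m.group(1))
    return findings

if __name__ == "__main__":
    for finding in audit_vmx(SAMPLE_VMX):
        print(finding)
```

A key that is missing from the file is treated as not enabled, so confirm the product's default for the Bluetooth option in the VM settings dialog before relying on an empty result.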

While virtualization software can be a powerful tool for organizations, it is important to remember that security vulnerabilities can be exploited. Applying security patches as soon as they become available is critical to mitigate the risk of a security breach and protect sensitive data from unauthorized access.

And once again, in this case, organizations using VMware's Fusion and Workstation products should apply the patch as soon as possible to ensure the security of their virtualized environments.

Published Wednesday, April 26, 2023 10:17 AM by David Marshall