VMware has released updates addressing several vulnerabilities in Workstation and Fusion. Among them is a 0-day discovered during the Pwn2Own Vancouver 2023 hacking competition that allowed a local attacker to execute arbitrary code. The most serious issue, CVE-2023-20869 (9.3 on the CVSS scale), was first demonstrated at Pwn2Own. It is described as a stack buffer overflow in the feature that shares the host's Bluetooth devices with a virtual machine. According to the developers, an attacker with local administrator privileges on a virtual machine could exploit it to execute code as the virtual machine's VMX process running on the host.
In addition, VMware fixed an out-of-bounds read vulnerability affecting the same feature (CVE-2023-20870, CVSS score 7.1). A local attacker with administrator rights could use it to read sensitive information held in the hypervisor’s memory. Both vulnerabilities were demonstrated by researchers from the STAR Labs team at the Pwn2Own competition held in Vancouver last month, earning them an $80,000 reward.
If patching is not possible, VMware has shared a workaround that protects against exploitation of CVE-2023-20869: disable Bluetooth support for the virtual machine by unchecking “Share Bluetooth devices with the virtual machine” on the affected systems.
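The workaround is a per-VM setting, so on a host with many VMs it is worth auditing the .vmx files rather than clicking through each one. The following script is an added example, not VMware's own tooling or code from this article; it assumes that the “Share Bluetooth devices with the virtual machine” checkbox is stored as the .vmx key `usb.vbluetooth.startConnected`, which you should confirm against a .vmx file on your own host before relying on it.

```python
# Added example (not from the article or from VMware): audit a .vmx
# configuration for the CVE-2023-20869 workaround and produce a copy
# with Bluetooth sharing switched off.
# ASSUMPTION: the Bluetooth sharing checkbox maps to the .vmx key below.
import re
from typing import Dict, Tuple

BT_KEY = "usb.vbluetooth.startConnected"

# Constructed sample .vmx content for demonstration (not a real VM).
SAMPLE_VMX = '''.encoding = "UTF-8"
config.version = "8"
displayName = "test-vm"
usb.present = "TRUE"
usb.vbluetooth.startConnected = "TRUE"
scsi0.present = "TRUE"
'''

# .vmx lines look like:  key = "value"   (quotes optional)
_LINE = re.compile(r'^\s*([^\s=]+)\s*=\s*"?(.*?)"?\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key/value lines; VMware treats keys case-insensitively."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def bluetooth_sharing_enabled(text: str) -> bool:
    """True if the VM is configured to share host Bluetooth devices."""
    return parse_vmx(text).get(BT_KEY.lower(), "").upper() == "TRUE"


def apply_workaround(text: str) -> Tuple[str, bool]:
    """Return (new_text, changed) with Bluetooth sharing pinned to FALSE.
    If the key is absent it is added explicitly so the setting is auditable."""
    out, found, changed = [], False, False
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).lower() == BT_KEY.lower():
            found = True
            if m.group(2).upper() == "TRUE":
                line = f'{BT_KEY} = "FALSE"'
                changed = True
        out.append(line)
    if not found:
        out.append(f'{BT_KEY} = "FALSE"')
        changed = True
    return "\n".join(out) + "\n", changed
```

Run it over the .vmx files under your VM directory and write the returned text back only after the VM is powered off, since Workstation and Fusion rewrite the file on shutdown.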
In addition to these vulnerabilities, the company fixed two other issues affecting the VMware Workstation and Fusion hypervisors. The first, CVE-2023-20871, is a local privilege escalation vulnerability in VMware Fusion Raw Disk. An attacker with read/write access to the host operating system could use it to elevate privileges and gain root access to the host. The second bug, CVE-2023-20872, is an out-of-bounds read/write vulnerability in the SCSI CD/DVD device emulation and affects both Workstation and Fusion. It could be exploited by a local attacker with access to a VM that has a physical CD/DVD drive attached and configured to use SCSI, allowing them to execute arbitrary code in the hypervisor.