Critical VMware Vulnerabilities: Risk of Random Code Execution

VMware Workstation, Workstation Pro and Fusion are subject to several privately reported and fixed bugs. VMware has published a security advisory on the critical bugs discovered and their temporary fixes.

CVE(s):

• CVE-2023-20869 – Security vulnerability related to stack-based buffer overflow in Bluetooth device sharing functionality
• CVE-2023-20870 – Security vulnerability related to information disclosure in Bluetooth device sharing functionality
• CVE-2023-20871 – VMware Fusion Raw Disk security vulnerability related to local authority escalation
• CVE-2023-20872 – Security leak related to read/write out of range.

The severity of these CVEs ranged from 7.1 to 9.3. However, VMware has released a patch for all affected versions.

CVE-2023-20869 – Security vulnerability related to stack-based buffer overflow in Bluetooth device sharing functionality

CVSS score
: 9,3

To take advantage of this, a threat actor must have local administrator privileges on the virtual machine. Exploitation leads to code execution using VMware’s VMX process on the host computer.

Products in which this problem occurs and fixed versions

• VMware Workstation Pro / Player (Workstation) – Resolved in 17.0.2
• VMware Fusion – Resolved in 13.0.2

CVE-2023-20870 – Security vulnerability related to information disclosure in Bluetooth device sharing functionality

CVSS score
: 7,1

To take advantage of this, a threat actor must have local administrator privileges on the virtual machine. Exploitation leads to reading privileged information on VMware’s hypervisor memory used to isolate virtual machines from each other. This memory includes CPU usage, operating system on the virtual machine, memory usage and more.

Products in which this problem occurs and fixed versions

• VMware Workstation Pro / Player (Workstation) – Resolved in 17.0.2
• VMware Fusion – Resolved in 13.0.2

CVE-2023-20871 – VMware Fusion Raw Disk security vulnerability related to local authority escalation

CVSS score
: 7,3

To take advantage of this, a threat actor must have read/write access to the host computer. Misuse leads to obtaining root access to the host operating system.

Products in which this problem occurs and fixed versions

• VMware Fusion – Resolved in 13.0.2

CVE-2023-20872 – Security leak related to read/write out of range.

CVSS score
: 7,1

To take advantage of this, a threat actor must have a virtual machine to which a physical CD/DVD drive is connected and a SCSI controller configured with the host computer. Exploitation leads to the execution of code in VMware’s hypervisor memory from the virtual machine. The threat actor does not require local administrator privileges for this security vulnerability.

Products in which this problem occurs and fixed versions

• VMware Workstation Pro / Player (Workstation) – Resolved in 17.0.1
• VMware Fusion – Resolved in 13.0.1

For more information on these CVEs, visit VMware’s security advisory.

Moreover, two of these vulnerabilities (CVE-2023-20869, CVE-2023-20870) were initially discovered and reported by STAR Labs at the Pwn2Own 2023 held in Vancouver in March 2023. The reward for these zero days was $80,000.

Source: gbhackers