Overview – New Security Updates for VMware Products

A recent VMware announcement contains security updates for various flaws found in the company’s products. The security vulnerabilities impact VMware Workstation Pro/Player and VMware Fusion products. All flaws were privately reported to VMware.

VMware Zero-Day Security Updates

Two of these flaws are zero-day vulnerabilities known as CVE-2023-20869 and CVE-2023-20870. Initially, they were part of an exploit chain that STAR Labs security researchers demonstrated during the Pwn2Own Vancouver 2023 hacking contest. The vulnerabilities allow attackers to gain code execution on systems running unpatched versions of the VMware Workstation and VMware Fusion software hypervisors.

The first of the two, CVE-2023-20869, is a stack-based buffer overflow vulnerability in the Bluetooth device-sharing functionality that allows a local attacker to execute code as the VMware VMX process.

The second, CVE-2023-20870, is an information disclosure weakness in the same Bluetooth device-sharing functionality. It enables malicious attackers to read privileged information contained in hypervisor memory from a VM. To remove the attack vector for these two vulnerabilities, you can turn off the Bluetooth support on the VM by unchecking the “Share Bluetooth devices with the virtual machine” option on any impacted device.

Other VMware Product Updates

Additionally, VMware’s announcement addresses two more security flaws affecting the VMware Workstation and Fusion hosted hypervisors.

One of these flaws, CVE-2023-20871, is a high-severity VMware Fusion Raw Disk vulnerability. It is a local privilege escalation flaw that enables attackers with read/write access to the host operating system to gain root access to the host OS.

Finally, the last of the four bugs is CVE-2023-20872. This out-of-bounds read/write vulnerability in the SCSI CD/DVD device emulation impacts both VMware Workstation and VMware Fusion products. In this case, exploitation can be temporarily blocked by removing the CD/DVD device from the virtual machine or by configuring the virtual machine not to use a virtual SCSI controller.

At this time, there are no complete fixes for these four vulnerabilities, just temporary workarounds. However, staying current on patches and the most recent versions of all devices, software, and applications is crucial.

Click here for instructions for turning off Bluetooth functions on VMware Workstation Pro, Workstation Player, and VMware Fusion.

For instructions on removing the CD/DVD device or configuring the VM to not use a virtual SCSI controller for VMware Workstation and Fusion, click here.

As a Managed Service Provider (MSP) and Managed Security Service Provider (MSSP), we specialize in providing customizable IT solutions and cybersecurity services for businesses in New York State. So, if you need assistance maintaining the security of your IT infrastructure, contact us today.

Sources

https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-zero-day-exploit-chain-used-at-pwn2own/

https://www.vmware.com/security/advisories/VMSA-2023-0008.html

https://www.helpnetsecurity.com/2023/04/26/cve-2023-20869-cve-2023-20870/