VMware has released security updates to address zero-day vulnerabilities that could be used to achieve code execution on computers running unpatched versions of its Workstation and Fusion software hypervisors.
On the second day of the Pwn2Own Vancouver 2023 hacking competition, security researchers from the STAR Labs team demonstrated an attack chain that combined the two bugs. Vendors have 90 days to fix the zero-day issues exploited and disclosed during Pwn2Own before Trend Micro’s Zero Day Initiative publishes technical details.
Success! @starlabs_sg used an uninitialized variable and UAF against VMWare Workstation. They earn $80,000 and 8 Master of Pwn points, pushing the prize total for #P2OVancouver past $1,000,000. #Pwn2Own pic.twitter.com/DEjgYcmphH
— Zero Day Initiative (@thezdi) March 24, 2023
The first vulnerability, CVE-2023-20869, is a stack-based buffer overflow in the Bluetooth device-sharing capability that allows local attackers to execute code as the virtual machine’s VMX process running on the host.
The second flaw fixed today, CVE-2023-20870, also lies in the capability for sharing host Bluetooth devices with the VM and allows malicious actors to read privileged information from a VM’s hypervisor memory. For administrators who cannot immediately apply the updates for the two issues, VMware has also provided a temporary workaround.
Unchecking the “Share Bluetooth devices with the virtual machine” option on affected systems disables Bluetooth support in the virtual machine and eliminates the attack vector (VMware provides further information on how to do so).
VMware also fixed two further security holes today that affect the Workstation and Fusion hosted hypervisors. Attackers with read/write access to the host operating system can use the high-severity CVE-2023-20871 vulnerability to escalate privileges and gain root access on the host.
The SCSI CD/DVD device emulation is affected by a fourth problem (identified as CVE-2023-20872) that is referred to as “an out-of-bounds read/write vulnerability” and affects both Workstation and Fusion products.
Local attackers with access to a VM that has a physical CD/DVD drive attached and is configured to use a virtual SCSI controller can exploit it to achieve code execution on the hypervisor from inside the VM.
Administrators must “remove the CD/DVD device from the virtual machine or configure the virtual machine NOT to use a virtual SCSI controller” to temporarily fix CVE-2023-20872, which prevents exploitation attempts.
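The two workarounds above (disable Bluetooth sharing; remove the CD/DVD device or stop using a virtual SCSI controller) are both visible in a VM’s .vmx configuration file, so an administrator can audit a fleet of VMs before the patches are applied. The following is an added example, not code from VMware or the article; it assumes the .vmx key names `usb.vbluetooth.startConnected`, `scsiN.present` and `scsiN:M.deviceType` (values beginning with `cdrom`), which should be checked against your own VM files.

```python
import re

# Constructed sample .vmx content (not taken from the article or from any real VM).
# Key names are assumptions about VMware's .vmx format; verify against your files.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "build-box"
usb.present = "TRUE"
usb.vbluetooth.startConnected = "TRUE"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsilogic"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "build-box.vmdk"
scsi0:1.present = "TRUE"
scsi0:1.deviceType = "cdrom-raw"
scsi0:1.fileName = "auto detect"
'''

# One .vmx line looks like:   key = "value"   (quotes are optional)
_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"?(.*?)"?\s*$')


def parse_vmx(text):
    """Parse the flat key = "value" lines of a .vmx file into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def audit_vmx(cfg):
    """Return a list of findings for the two advisory workarounds."""
    findings = []
    # Workaround for CVE-2023-20869 / CVE-2023-20870: Bluetooth sharing must be off.
    if cfg.get("usb.vbluetooth.startConnected", "").upper() == "TRUE":
        findings.append("bluetooth-sharing-enabled")
    # Workaround for CVE-2023-20872: no CD/DVD device behind a virtual SCSI controller.
    # "cdrom-raw" is assumed to mean a physical drive passed through; any cdrom* is flagged.
    scsi_ctrls = {k.split(".")[0] for k, v in cfg.items()
                  if re.fullmatch(r"scsi\d+\.present", k) and v.upper() == "TRUE"}
    for key, val in cfg.items():
        m = re.fullmatch(r"(scsi\d+):\d+\.deviceType", key)
        if m and m.group(1) in scsi_ctrls and val.startswith("cdrom"):
            dev = key.rsplit(".", 1)[0]  # e.g. "scsi0:1"
            if cfg.get(dev + ".present", "").upper() == "TRUE":
                findings.append("cdrom-on-scsi:" + dev)
    return findings


if __name__ == "__main__":
    print(audit_vmx(parse_vmx(SAMPLE_VMX)))
```

Running it over every .vmx under a VM directory gives a quick list of which machines still need the workaround (or the update) applied.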
Additionally, a major vRealize Log Insight flaw that might allow unauthenticated attackers to execute code on susceptible appliances was addressed by VMware last week.
Conclusion
The updates close several security gaps in VMware’s Workstation and Fusion software, including one that could let a local attacker execute code. Sharing host Bluetooth devices with the virtual machine is affected by a stack-based buffer overflow vulnerability, CVE-2023-20869 (CVSS score: 9.3). The company said a malicious actor with local administrative rights on a virtual machine could exploit this weakness to run code as the host’s VMX process. VMware also fixed a related out-of-bounds read issue (CVE-2023-20870, CVSS score: 7.1) that a local attacker with admin privileges could use to read sensitive data from a virtual machine’s hypervisor memory. STAR Labs exploited both vulnerabilities on the third day of the Pwn2Own hacking competition in Vancouver last month, winning $80,000.
VMware also patched a Fusion local privilege escalation vulnerability (CVE-2023-20871, CVSS score: 7.3) and a SCSI CD/DVD device emulation out-of-bounds read/write vulnerability (CVE-2023-20872, CVSS score: 7.7). Fusion 13.0.2 and Workstation 17.0.2 resolve the issues. VMware recommends temporarily disabling Bluetooth on virtual machines to mitigate CVE-2023-20869 and CVE-2023-20870. Mitigating CVE-2023-20872 requires removing the virtual machine’s CD/DVD drive or disabling the virtual SCSI controller. A week earlier, the virtualization vendor addressed a severe deserialization problem in multiple Aria Operations for Logs versions (CVE-2023-20864, CVSS score: 9.8).