Multiple security flaws have been revealed in VMware Workstation and Fusion products that could be exploited by attackers to access sensitive information, create a denial-of-service (DoS) situation, and execute code under specific conditions.
The four vulnerabilities impact Workstation versions 17.x and Fusion versions 13.x, with fixes available in versions 17.5.2 and 13.5.2, respectively, the Broadcom-owned virtualization services provider said.
A brief description of each of the flaws is below –
- CVE-2024-22267 (CVSS score: 9.3) – A use-after-free vulnerability in the Bluetooth device that could be exploited by a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host
- CVE-2024-22268 (CVSS score: 7.1) – A heap buffer-overflow vulnerability in the Shader functionality that could be exploited by a malicious actor with non-administrative access to a virtual machine with 3D graphics enabled to create a DoS condition
- CVE-2024-22269 (CVSS score: 7.1) – An information disclosure vulnerability in the Bluetooth device that could be exploited by a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory from a virtual machine
- CVE-2024-22270 (CVSS score: 7.1) – An information disclosure vulnerability in the Host Guest File Sharing (HGFS) functionality that could be exploited by a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory from a virtual machine
As interim measures until the updates can be installed, users are advised to disable Bluetooth support on the virtual machine and turn off the 3D acceleration feature. There are no mitigations available for CVE-2024-22270 other than upgrading to the latest version.
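The following is an added example, not code from VMware or the advisory: it audits the contents of a VM's .vmx file for the two interim mitigations above and checks an installed version against the fixed releases. The key names `usb.vbluetooth.startConnected` and `mks.enable3d` are assumptions about what the Bluetooth-sharing and 3D acceleration toggles write to the file, and the sample configuration is constructed.

```python
import re

# Fixed releases as stated in the advisory text above.
FIXED = {"workstation": (17, 5, 2), "fusion": (13, 5, 2)}
# Assumed .vmx keys behind the two UI toggles (the page does not name them).
RISKY_KEYS = {
    "usb.vbluetooth.startconnected": "Bluetooth sharing (CVE-2024-22267, CVE-2024-22269)",
    "mks.enable3d": "3D acceleration (CVE-2024-22268)",
}
LINE = re.compile(r'^\s*([^#\s=][^=]*?)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {lowercased key: value} for key = "value" lines; last one wins."""
    cfg = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def needs_update(product, version):
    """True when a version on the affected branch is below the fixed release."""
    fixed = FIXED[product.lower()]
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))  # pad "13.5" to (13, 5, 0)
    return parts[0] == fixed[0] and parts[:3] < fixed

def audit_vmx(text):
    """List interim-mitigation findings for one .vmx file's contents."""
    cfg = parse_vmx(text)
    findings = []
    for key, label in RISKY_KEYS.items():
        value = cfg.get(key)
        if value is None:
            # Default for a missing key is not assumed here; flag for review.
            findings.append(f"{label}: key not set, confirm in VM settings")
        elif value.strip().upper() == "TRUE":
            findings.append(f"{label}: ENABLED, disable until patched")
    return findings

# Constructed sample, not taken from a real VM.
SAMPLE_VMX = '''
displayName = "build-agent-01"
usb.vbluetooth.startConnected = "TRUE"
mks.enable3D = "FALSE"
'''

if __name__ == "__main__":
    print("update needed:", needs_update("Workstation", "17.5.1"))
    print(audit_vmx(SAMPLE_VMX))
```

The HGFS flaw (CVE-2024-22270) has no setting to audit, so only the version check covers it.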
It’s important to note that CVE-2024-22267, CVE-2024-22269, and CVE-2024-22270 were initially demonstrated by STAR Labs SG and Theori at the Pwn2Own hacking contest held in Vancouver earlier this March.
The advisory comes more than two months after the company released patches to address four security flaws affecting ESXi, Workstation, and Fusion, including two critical flaws (CVE-2024-22252 and CVE-2024-22253, CVSS scores: 9.3/8.4) that could result in code execution.