
VMware releases patches for two serious flaws in Workstation and Fusion hypervisors

An update has been issued by the software company to help protect its customers after the flaws were discovered last month.

By Claudia Glover

VMware has released patches for two serious vulnerabilities in its Workstation and Fusion hypervisors. One of the flaws could allow a hacker to achieve arbitrary code execution, where the attacker can make dangerous changes to a system remotely.


The flaws were uncovered during the Pwn2Own 2023 Security Contest by Singapore security company Star Labs.

VMware releases patches for flaws in Workstation and Fusion hypervisors

VMware Workstation is a type two hypervisor for Windows and Linux, while VMware Fusion is the equivalent product for macOS users.

The company has released an advisory disclosing the vulnerabilities and their origins. The most serious, CVE-2023-20869, is described as a stack-based buffer-overflow vulnerability that resides in the functionality for sharing host Bluetooth devices with the virtual machine.

The vulnerability has been given a CVSS score of 9.3, meaning it is classified as a critical vulnerability.

“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the advisory reads.

The second flaw, CVE-2023-20870, is an out-of-bounds read vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine, the advisory states. This flaw received a score of 7.1.


A hacker could “read privileged information contained in hypervisor memory from a virtual machine,” if they exploited this flaw, the company has said.

As a temporary workaround for CVE-2023-20869 and CVE-2023-20870, VMware is suggesting that users turn off Bluetooth support on the virtual machine.
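To check where that workaround still needs applying, the sketch below walks a directory of virtual machines and reports the Bluetooth-sharing state recorded in each `.vmx` file. It is an added example, not code from VMware or from this article; it assumes the setting is stored under the `usb.vbluetooth.startConnected` key, and it flags any file without that key for manual review rather than guessing a default.

```python
import re
import sys
from pathlib import Path

# Assumption: Workstation/Fusion store the "Share Bluetooth devices with the
# virtual machine" option in the VM's .vmx file under this key.
BT_KEY = "usb.vbluetooth.startconnected"
LINE_RE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse key = "value" lines; keys are lower-cased, last duplicate wins."""
    settings = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def bluetooth_status(text):
    """Return 'enabled', 'disabled' or 'review' for one .vmx file's contents."""
    value = parse_vmx(text).get(BT_KEY)
    if value is None:
        return "review"  # key absent: confirm in the VM's USB settings
    value = value.strip().upper()
    if value == "TRUE":
        return "enabled"
    if value == "FALSE":
        return "disabled"
    return "review"  # unexpected value


def audit(root):
    """Map every .vmx path under root to its Bluetooth-sharing status."""
    results = {}
    for path in sorted(Path(root).rglob("*.vmx")):
        text = path.read_text(encoding="utf-8", errors="replace")
        results[str(path)] = bluetooth_status(text)
    return results


if __name__ == "__main__":
    # Usage: python audit_vmx_bluetooth.py <directory containing VMs>
    report = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for vmx, status in report.items():
        print(f"{status:9} {vmx}")
    # Non-zero exit if any VM still shares Bluetooth or needs a manual look.
    sys.exit(1 if any(s != "disabled" for s in report.values()) else 0)
```

Changing the setting while a VM is powered off and then re-running the audit confirms the workaround is in place across all VMs.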

The researchers who uncovered the flaws during Pwn2Own, a hacking contest in Vancouver held in March, earned $80,000.

Previous flaw in VMware hypervisors

Flaws in VMware hypervisors have had devastating consequences in the past. Earlier this year ransomware designed to target a years-old vulnerability in a VMware hypervisor called ESXi resulted in a wave of ransomware attacks that struck servers belonging to Florida’s Supreme Court, as well as several universities in the US and Central Europe, tracked at the time by ransomware payment tracker Ransomwhere.

The perpetrators used the vulnerability to attack more than 3,800 victims, including the Georgia Institute of Technology and Rice University in Houston, as well as other such institutions in Hungary and Slovakia.

US cyber defence agency CISA released a workaround in a bid to help the mounting number of victims, but it was then thwarted by the perpetrators. A decryption key was released by the agency on GitHub, but the criminals tweaked the code to continue to victimise a further 500 European organisations.
