VMware has released patches for two serious vulnerabilities in its Workstation and Fusion hypervisors. One of the flaws could allow an attacker to achieve arbitrary code execution, making dangerous changes to a system remotely.
The flaws were uncovered during the Pwn2Own 2023 Security Contest by Singapore security company Star Labs.
VMware releases patches for flaws in Workstation and Fusion hypervisors
VMware Workstation is a type 2 hypervisor for Windows and Linux, while VMware Fusion is the equivalent product for macOS users.
The company has released an advisory disclosing the vulnerabilities and their origins. The most serious, CVE-2023-20869, is described as a stack-based buffer-overflow vulnerability that resides in the functionality for sharing host Bluetooth devices with the virtual machine.
The vulnerability has been given a CVSS score of 9.3, meaning it is classified as a critical vulnerability.
“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the advisory reads.
The second flaw, CVE-2023-20870, is an out-of-bounds read vulnerability that exists in the same functionality for sharing host Bluetooth devices with the virtual machine, the advisory states. This flaw received a score of 7.1.
A hacker could “read privileged information contained in hypervisor memory from a virtual machine,” if they exploited this flaw, the company has said.
As a temporary workaround for CVE-2023-20869 and CVE-2023-20870, VMware is suggesting that users turn off Bluetooth support on the virtual machine.
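One way to audit a set of Workstation or Fusion virtual machines for that workaround, as an added example that is not part of the original article or of VMware's own tooling: the script below parses .vmx configuration files and reports which ones would still share the host Bluetooth device with the guest, and can rewrite them to disable sharing. It assumes the usb.vbluetooth.startConnected setting that VMware's workaround knowledge-base article documents (the setting is not named on this page) and treats a VM whose configuration lacks the key as not yet mitigated.

```python
"""Audit VMware Workstation/Fusion .vmx files for the Bluetooth-sharing
workaround VMware suggested for CVE-2023-20869 / CVE-2023-20870.

Added example, not VMware's code. Assumes the .vmx key
usb.vbluetooth.startConnected (from VMware's workaround KB, not on this
page) controls whether the host Bluetooth device is shared with the
guest; a VM counts as mitigated only when the key is present and FALSE.
"""
import re
from pathlib import Path

# .vmx files are simple `key = "value"` lines; keys are case-insensitive.
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"?(.*?)"?\s*$')
BT_KEY = "usb.vbluetooth.startConnected"


def parse_vmx(text: str) -> dict[str, str]:
    """Return the key/value pairs of a .vmx file, with keys lower-cased."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def bluetooth_sharing_enabled(settings: dict[str, str]) -> bool:
    """True when the VM would expose the host Bluetooth device to the guest.

    The workaround requires the key to be explicitly FALSE; a missing key
    is reported as not mitigated (assumption: sharing is on by default).
    """
    value = settings.get(BT_KEY.lower(), "").strip().lower()
    return value != "false"


def apply_workaround(text: str) -> str:
    """Return the .vmx contents with Bluetooth sharing forced off.

    An existing line for the key is rewritten in place; otherwise one is
    appended. Comments and all other settings are left untouched.
    """
    out = []
    replaced = False
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m and m.group(1).lower() == BT_KEY.lower():
            out.append(f'{BT_KEY} = "FALSE"')
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f'{BT_KEY} = "FALSE"')
    return "\n".join(out) + "\n"


def audit_directory(root: Path) -> dict[str, bool]:
    """Map each .vmx path under root to whether it still needs the workaround."""
    return {
        str(p): bluetooth_sharing_enabled(parse_vmx(p.read_text(errors="replace")))
        for p in root.rglob("*.vmx")
    }


# Constructed sample .vmx contents, not taken from any real machine.
SAMPLE_UNMITIGATED = '''.encoding = "UTF-8"
config.version = "8"
displayName = "dev-box"
usb.vbluetooth.startConnected = "TRUE"
'''
SAMPLE_MISSING_KEY = '''.encoding = "UTF-8"
displayName = "build-agent"
'''

if __name__ == "__main__":
    for name, text in [("dev-box", SAMPLE_UNMITIGATED), ("build-agent", SAMPLE_MISSING_KEY)]:
        exposed = bluetooth_sharing_enabled(parse_vmx(text))
        status = "ENABLED - apply workaround" if exposed else "disabled"
        print(f"{name}: Bluetooth sharing {status}")
    print(apply_workaround(SAMPLE_UNMITIGATED))
```

Run audit_directory on the folder that holds your VM directories (the VM must be powered off before its .vmx file is edited, or the running hypervisor can overwrite the change). The workaround only narrows the exposed surface; the patched Workstation and Fusion builds remain the actual fix.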
The researchers who uncovered the flaws during Pwn2Own, a hacking contest in Vancouver held in March, earned $80,000.
Previous flaw in VMware hypervisors
Flaws in VMware hypervisors have had devastating consequences in the past. Earlier this year, ransomware designed to target a years-old vulnerability in the VMware ESXi hypervisor resulted in a wave of attacks that struck servers belonging to Florida's Supreme Court, as well as several universities in the US and Central Europe, tracked at the time by the ransomware payment tracker Ransomwhere.
The perpetrators used the vulnerability to attack more than 3,800 victims, including the Georgia Institute of Technology and Rice University in Houston, as well as other such institutions in Hungary and Slovakia.
US cyber defence agency CISA released a workaround to help the growing number of victims, but it was soon thwarted by the perpetrators. A decryption key was released by the agency on GitHub, but the criminals tweaked their code and went on to victimise a further 500 European organisations.