VMware patches critical vulnerability in Workstation and Fusion
Take action: If you are using VMware Workstation or VMware Fusion, plan to patch. The flaws are not massively critical, and a simple workaround for the most severe one is to disable Bluetooth support for the guest OS. But it's still smart to patch because other exploit vectors may also be present.
VMware has disclosed multiple security vulnerabilities in its Workstation and Fusion products that could be exploited by threat actors to gain access to sensitive information, trigger a denial-of-service (DoS) condition, and execute code under specific circumstances.
The vulnerabilities affect Workstation versions 17.x and Fusion versions 13.x, with updates available in versions 17.5.2 and 13.5.2, respectively.
- CVE-2024-22267 (CVSS score: 9.3) is a use-after-free vulnerability in the Bluetooth device. It can be exploited by a malicious actor with local administrative privileges on a virtual machine to execute code as the VMX process running on the host.
- CVE-2024-22268 (CVSS score: 7.1) is a heap buffer-overflow vulnerability in the Shader functionality. It can be exploited by a malicious actor with non-administrative access to a virtual machine with 3D graphics enabled to create a DoS condition.
- CVE-2024-22269 (CVSS score: 7.1) is an information disclosure vulnerability in the Bluetooth device. It can be exploited by a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory from a virtual machine.
- CVE-2024-22270 (CVSS score: 7.1) is an information disclosure vulnerability in the Host Guest File Sharing (HGFS) functionality. It can be exploited by a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory from a virtual machine.
Some of the flaws already have proof-of-concept (PoC) exploits, since attacks on CVE-2024-22267, CVE-2024-22269, and CVE-2024-22270 were demonstrated by STAR Labs SG and Theori at the Pwn2Own hacking contest held in Vancouver in March 2024.
As temporary workarounds, users are advised to turn off Bluetooth support on the virtual machine and disable the 3D acceleration feature. There are no mitigations for CVE-2024-22270 other than updating to the latest version.
Users should apply the patches provided in versions 17.5.2 (Workstation) and 13.5.2 (Fusion) to fully mitigate these vulnerabilities.
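An added example (not from VMware or the original article) that checks an installed version against the fixed releases above and reports whether the two workaround-relevant features are enabled in a `.vmx` file. The option names `usb.vbluetooth.startConnected` and `mks.enable3d` are assumptions, since the article does not name them; an `unset` result means the product default applies and should be confirmed in the VM settings.

```python
import re

# Fixed releases per product, as stated in the article.
FIXED = {"workstation": (17, 5, 2), "fusion": (13, 5, 2)}

# Assumed .vmx option names (the article does not name them).
FEATURE_KEYS = {
    "usb.vbluetooth.startconnected": "bluetooth",  # CVE-2024-22267, CVE-2024-22269
    "mks.enable3d": "3d_acceleration",             # CVE-2024-22268
}

# Matches lines of the form: key = "value" (comment lines start with '#').
LINE_RE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')


def parse_version(text):
    """Turn '17.5.1' or '17.5' into a 3-tuple of ints, padding with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def needs_patch(product, version):
    """True if version is in the affected 17.x/13.x line and below the fix.

    Other major versions are outside what the article covers and return False.
    """
    fixed = FIXED[product.lower()]
    v = parse_version(version)
    return v[0] == fixed[0] and v < fixed


def audit_vmx(text):
    """Report each workaround-relevant feature as enabled, disabled or unset."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().upper()
    report = {}
    for key, feature in FEATURE_KEYS.items():
        value = settings.get(key)
        state = "enabled" if value == "TRUE" else "disabled"
        report[feature] = "unset" if value is None else state
    return report


# Constructed sample .vmx content, not taken from a real VM.
SAMPLE_VMX = '''
.encoding = "UTF-8"
displayName = "constructed-sample"
usb.vbluetooth.startConnected = "TRUE"
mks.enable3d = "FALSE"
'''

if __name__ == "__main__":
    print(needs_patch("workstation", "17.5.1"), audit_vmx(SAMPLE_VMX))
```

Neither workaround covers CVE-2024-22270, so a host where `needs_patch` returns `True` remains exposed to the HGFS issue whatever the `.vmx` audit reports.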