VMware has resolved various security vulnerabilities in its Workstation and Fusion goods. The vulnerabilities, determined as CVE-2023-20869, CVE-2023-20870, CVE-2023-20871 and CVE-2023-20872, have been privately claimed to VMware and have a CVSS v3.x scores in between 7.3 and 9.3.
Just one of the flaws, CVE-2023-20869, is a stack-based mostly buffer overflow vulnerability in the functionality for sharing host Bluetooth gadgets with the virtual device (VM).
“A destructive actor with area administrative privileges on a virtual equipment may exploit this issue to execute code as the digital machine’s VMX system operating on the host,” the firm wrote in a security advisory published on Tuesday.
VMware has evaluated this bug as getting of Critical severity with a optimum CVSS v3.x base rating of 9.3.
A different vulnerability, CVE-2023-20870, is an out-of-bounds browse flaw in the similar Bluetooth operation. VMware has evaluated this vulnerability as Important, with a greatest CVSS v3.x base score of 7.1.
Examine additional on out-of-bounds flaws: TPM 2. Library Vulnerabilities May Have an effect on Billions of IoT Gadgets
CVE-2023-20871, on the other hand, is a community privilege escalation vulnerability in VMware Fusion. VMware has evaluated this vulnerability as Significant, with a optimum CVSS v3.x base rating of 7.3.
Finally, CVE-2023-20872 is an out-of-bounds examine/compose vulnerability in SCSI CD/DVD unit emulation in VMware Workstation and Fusion. VMware has evaluated this bug as currently being of Crucial severity with a maximum CVSS v3.x foundation rating of 7.7.
VMware has released updates and workarounds to remediate these vulnerabilities in the influenced products and solutions.
“Multiple security vulnerabilities in VMware Workstation and Fusion ended up privately claimed to VMware. Updates and workarounds are readily available to remediate these vulnerabilities in the affected VMware goods.”
VMware thanked STAR Labs, doing the job with the Pwn2Possess 2023 Security Contest, for reporting this issue. The patches come a pair of months after the ESXiArgs ransomware attack that infected servers of VMware ESXi hypervisors in February.
Some parts of this article are sourced from:
www.infosecurity-journal.com