Numerous security flaws have been disclosed in VMware Workstation and Fusion items that could be exploited by threat actors to entry sensitive details, induce a denial-of-service (DoS) affliction, and execute code below sure conditions.
The four vulnerabilities impact Workstation versions 17.x and Fusion variations 13.x, with fixes accessible in variation 17.5.2 and 13.5.2, respectively, the Broadcom-owned virtualization products and services company said.
A brief description of just about every of the flaws is down below –
- CVE-2024-22267 (CVSS rating: 9.3) – A use-right after-no cost vulnerability in the Bluetooth product that could be exploited by a destructive actor with area administrative privileges on a digital device to execute code as the digital machine’s VMX system operating on the host
- CVE-2024-22268 (CVSS score: 7.1) – A heap buffer-overflow vulnerability in the Shader features that could be exploited by a malicious actor with non-administrative obtain to a digital equipment with 3D graphics enabled to produce a DoS affliction
- CVE-2024-22269 (CVSS rating: 7.1) – An information and facts disclosure vulnerability in the Bluetooth system that could be exploited by a malicious actor with area administrative privileges on a digital machine to go through privileged info contained in hypervisor memory from a digital machine
- CVE-2024-22270 (CVSS rating: 7.1) – An information disclosure vulnerability in the Host Visitor File Sharing (HGFS) performance that could be exploited by a malicious actor with nearby administrative privileges on a digital device to go through privileged data contained in hypervisor memory from a virtual device
As momentary workarounds right up until the patches can be deployed, customers are advised to switch off the Bluetooth support on the virtual device and disable 3D acceleration aspect. There are no mitigations that handle CVE-2024-22270 other than updating to the hottest version.
It is worth noting that CVE-2024-22267, CVE-2024-22269, and CVE-2024-22270 were initially demonstrated by STAR Labs SG and Theori at the Pwn2Very own hacking contest held in Vancouver previously this March.
The advisory arrives more than two months just after the organization launched patches to tackle 4 security flaws impacting ESXi, Workstation, and Fusion, including two critical flaws (CVE-2024-22252 and CVE-2024-22253, CVSS scores: 9.3/8.4)that could direct to code execution.
Found this article intriguing? Comply with us on Twitter and LinkedIn to study extra exclusive information we write-up.
Some parts of this article are sourced from:
thehackernews.com