EXECUTIVE SUMMARY
Multiple security vulnerabilities have been uncovered in VMware Workstation and Fusion products, potentially exposing users to various risks, including unauthorized access to sensitive data, denial-of-service attacks, and code execution. These vulnerabilities affect Workstation versions 17.x and Fusion versions 13.x.
One of the identified flaws is CVE-2024-22267, a use-after-free vulnerability in the Bluetooth device. Exploiting this vulnerability could allow a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host.
Another vulnerability, CVE-2024-22268, involves a heap buffer-overflow in Shader functionality. A malicious actor with non-administrative access to a virtual machine with 3D graphics enabled could exploit this flaw to create a denial-of-service condition.
CVE-2024-22269 is an information disclosure vulnerability in the Bluetooth device. Exploiting this vulnerability could enable a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory.
Similarly, CVE-2024-22270 is an information disclosure vulnerability, this time affecting the Host Guest File Sharing (HGFS) functionality. A malicious actor with local administrative privileges on a virtual machine could exploit this flaw to read privileged information contained in hypervisor memory.
Users are urged to update their software to the latest versions, as temporary workarounds such as disabling Bluetooth support and 3D acceleration may not fully mitigate the risks.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://thehackernews.com/2024/05/vmware-patches-severe-security-flaws-in.html