VMware Vulnerabilities in Workstation and Fusion

Virtualization technologies, such as VMware Workstation and Fusion, have become indispensable tools for developers and IT professionals, enabling them to run multiple operating systems simultaneously on a single physical machine. However, as with any software, security vulnerabilities can arise. Four recently discovered security vulnerabilities affect VMware Workstation and Fusion.

  1. CVE-2023-20869: Stack-Based Buffer-Overflow Vulnerability in Bluetooth Device-Sharing Functionality

VMware Workstation and Fusion contain a critical stack-based buffer-overflow vulnerability (CVSSv3 base score of 9.3) in the functionality for sharing host Bluetooth devices with the virtual machine.

An attacker with local administrative privileges on a virtual machine can exploit the CVE-2023-20869 vulnerability to execute code as the VMX process running on the host. This issue is fixed in Workstation 17.0.2 and Fusion 13.0.2.

VMware would like to thank STAR Labs, working with the Pwn2Own 2023 Security Contest, for reporting this issue.

  2. CVE-2023-20870: Information Disclosure Vulnerability in Bluetooth Device-Sharing Functionality

An out-of-bounds read vulnerability (CVSSv3 base score of 7.1) exists in the Bluetooth device-sharing functionality of VMware Workstation and Fusion.

An attacker with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine. This vulnerability is fixed in Workstation 17.0.2 and Fusion 13.0.2.

VMware would like to thank STAR Labs, working with the Pwn2Own 2023 Security Contest, for reporting this issue.

  3. CVE-2023-20871: VMware Fusion Raw Disk Local Privilege Escalation Vulnerability

VMware Fusion contains a local privilege escalation vulnerability (CVSSv3 base score of 7.3).

An attacker with read/write access to the host operating system can exploit this vulnerability to gain root access to the host operating system. This issue is fixed in Fusion 13.0.2.

VMware would like to thank Beist, Chpie, Silenos, and Jz of LINE Security for reporting this issue.

  4. CVE-2023-20872: Out-of-Bounds Read/Write Vulnerability in SCSI CD/DVD Device Emulation

VMware Workstation and Fusion contain an out-of-bounds read/write vulnerability (CVSSv3 base score of 7.7) in SCSI CD/DVD device emulation.

An attacker with access to a virtual machine that has a physical CD/DVD drive attached and configured to use a virtual SCSI controller can exploit this vulnerability to execute code on the hypervisor from a virtual machine. This vulnerability is fixed in Workstation 17.0.1 and Fusion 13.0.1.

VMware would like to thank Wenxu Yin of 360 Vulnerability Research Institute for reporting this issue.

To mitigate the risks associated with these vulnerabilities, it is highly recommended that users update their VMware Workstation and Fusion installations to the latest fixed versions: Workstation 17.0.2, Fusion 13.0
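
The fixed versions differ per CVE and per product, so an inventory check has to compare each installation against each fix individually. The following is an added example, not code from VMware or from the original page: it takes a version banner and reports which of the four CVEs are still unpatched. The banner format, the function names, and the rule that any version below the stated fix counts as unpatched are assumptions; the sample banners are constructed.

```python
import re

# Fixed versions exactly as stated in the text above.
# A product missing from an entry is not listed as affected by that CVE.
FIXED_IN = {
    "CVE-2023-20869": {"workstation": (17, 0, 2), "fusion": (13, 0, 2)},
    "CVE-2023-20870": {"workstation": (17, 0, 2), "fusion": (13, 0, 2)},
    "CVE-2023-20871": {"fusion": (13, 0, 2)},
    "CVE-2023-20872": {"workstation": (17, 0, 1), "fusion": (13, 0, 1)},
}

# Assumed banner shape: "VMware <Product> [edition] <major.minor[.patch]> [build-...]"
BANNER_RE = re.compile(r"VMware\s+(Workstation|Fusion)\b.*?(\d+(?:\.\d+){1,2})", re.I)


def parse_banner(banner):
    """Return (product, (major, minor, patch)) from a version banner."""
    match = BANNER_RE.search(banner)
    if not match:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    product = match.group(1).lower()
    parts = [int(p) for p in match.group(2).split(".")]
    parts += [0] * (3 - len(parts))  # "13.0" is compared as 13.0.0
    return product, tuple(parts)


def unpatched_cves(banner):
    """List the CVEs from this page whose fixed version is newer than the install."""
    product, version = parse_banner(banner)
    return sorted(
        cve
        for cve, fixes in FIXED_IN.items()
        # Assumption: every version below the stated fix is treated as unpatched.
        if product in fixes and version < fixes[product]
    )


if __name__ == "__main__":
    # Constructed sample banners (build numbers are placeholders).
    for sample in (
        "VMware Workstation 17.0.1 build-00000000",
        "VMware Fusion 13.0.1",
        "VMware Workstation 17.0.2 build-00000000",
    ):
        missing = unpatched_cves(sample)
        print(f"{sample}: {', '.join(missing) if missing else 'no listed CVEs outstanding'}")
```

Workstation 17.0.1 and Fusion 13.0.1 already contain the fix for CVE-2023-20872 but remain exposed to the Bluetooth issues, which is why a single "minimum version" comparison is not enough.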