VMware has released security updates to address zero-day vulnerabilities that could be used to achieve code execution on computers running unpatched versions of its Workstation and Fusion software hypervisors.
The first vulnerability (CVE-2023-20869) is a stack-based buffer overflow in the Bluetooth device sharing functionality, which allows local attackers to execute code as the virtual machine's VMX process running on the host.
The second bug fixed today (CVE-2023-20870) is an information disclosure vulnerability in the functionality for sharing host Bluetooth devices with the VM, which allows malicious actors to read privileged information contained in hypervisor memory from a VM.
For administrators who can't immediately apply updates for the two issues on their systems, VMware has also provided a temporary workaround.
You can disable Bluetooth support on the virtual machine by unchecking the "Share Bluetooth devices with the virtual machine" option on the impacted devices, which eliminates the attack vector (further information on how to do so can be found here).
As a temporary fix for CVE-2023-20872 that prevents exploitation attempts, administrators must "remove the CD/DVD device from the virtual machine or configure the virtual machine NOT to use a virtual SCSI controller".
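The workarounds above can be checked across many VMs by reading their .vmx configuration files. The following Python audit is an added example, not VMware tooling or code from the article; the .vmx key names it looks for (`usb.vbluetooth.startConnected`, `<slot>.deviceType`, `scsiN.present`) are assumptions about the configuration format and are not named in the article.

```python
import re
import sys

# Assumed .vmx keys (not named in the article): usb.vbluetooth.startConnected
# for Bluetooth sharing, <slot>.deviceType for optical drives, scsiN.present
# for SCSI controllers.
LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')
CDROM_TYPES = {"cdrom-image", "cdrom-raw", "atapi-cdrom"}

# Constructed sample configuration, not taken from a real VM.
SAMPLE_UNMITIGATED = """\
usb.vbluetooth.startConnected = "TRUE"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "disk.vmdk"
sata0:1.present = "TRUE"
sata0:1.deviceType = "cdrom-image"
"""


def parse_vmx(text):
    """Return the key/value pairs of a .vmx file with keys lowercased."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit_vmx(text):
    """List the workarounds from the article that this VM has not applied."""
    s = parse_vmx(text)
    def on(key):
        return s.get(key, "").lower() == "true"
    findings = []
    if on("usb.vbluetooth.startconnected"):
        findings.append("bluetooth-sharing-enabled")
    # Mitigated if there is no CD/DVD device OR no SCSI controller.
    cdroms = [k for k, v in s.items() if k.endswith(".devicetype")
              and v.lower() in CDROM_TYPES and on(k[:-len("devicetype")] + "present")]
    scsi = [k for k in s if re.fullmatch(r"scsi\d+\.present", k) and on(k)]
    if cdroms and scsi:
        findings.append("cdrom-and-scsi-controller-present")
    return findings

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, audit_vmx(fh.read()) or "workarounds applied")
```

Pass one or more .vmx paths on the command line; the audit applies the article's workaround wording literally, so any VM with both an optical drive and a SCSI controller is flagged.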
The vulnerabilities affect the following product versions:
- VMware Workstation versions 17.0 through 17.0.1
- VMware Fusion versions 13.0 through 13.0.1
Users and administrators of affected product versions are advised to update to the latest versions immediately.