VMware

Update now: Critical flaw in VMWare Fusion and VMWare Workstation

Four vulnerabilities in virtualisation software have been fixed by VMware, including two which were exploited at the 20223 Pwn2Own contest. Three have been given the severity rating “Important”, with the last (CVE-2023-20869) is classed as “Critical”.

The four vulnerabilities are:

  • CVE-2023-20869 is “Critical” flaw that affects Fusion and Workstation. It is a stack-based buffer overflow issue in the functionality for sharing host Bluetooth devices with the virtual machine. As per the advisory, “A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.” Needless to say, guest VMs are not supposed to be able to make the host machines they’re running on do things.
  • CVE-2023-20870 is an “Important” flaw that affects Fusion and Workstation. It’s another issue in the functionality for sharing host Bluetooth devices, but with this one an attacker can potentially read privileged information stored in the virtual machine’s hypervisor memory.
  • CVE-2023-20871 is an “Important” flaw that only affects Fusion. It allows an attacker who has read / write access to the host operating system to elevate their privileges to gain root access to the host operating system.
  • CVE-2023-20872 is an “Important” flaw that affects Fusion and Workstation. It allows virtual machines with a physical CD/DVD drive attached to execute code on the hypervisor, if the drive is configured to use a virtual SCSI controller.

Workarounds and updates

All four issues can be addressed by updating to the latest version of the affected software. At the time of writing these are VMware Fusion 13.0.2 and VMware Workstation 17.0.2. Workarounds are available for CVE-2023-20869, CVE-2023-20870, and CVE-2023-20872.

CVE-2023-20869 and CVE-2023-20870 can be mitigated by turning off Bluetooth support by unchecking the “Share Bluetooth devices with the virtual machine” option. The relevant support documents for each product are VMware Workstation Pro, VMware Workstation Player, and VMware Fusion.

CVE-2023-20872 can be mitigated by removing the CD/DVD device from the virtual machine. Alternatively, you can configure the virtual machine so that it does not use a virtual SCSI controller. After shutting down the virtual machine, the steps are:

To remove the CD/DVD device in VMWare Workstation:

  • Select VM > Settings
  • Click the Hardware tab
  • Select the CD/DVD and click Remove

To remove the CD/DVD device in VMWare Fusion:

  • Select a virtual machine in the Virtual Machine Library window
  • Click on Virtual Machine menu
  • Click Settings
  • Under Removable Devices in the Settings window, select CD/DVD > Advanced Options > Remove CD/DVD Drive.

To configure VMWare Workstation not to use a virtual SCSI controller:

  • Select VM > Settings
  • Click the Hardware tab
  • Select the CD/DVD > Advanced > CD/DVD Advanced Settings > Virtual device node
  • You can configure the Bus type

To configure VMWare Fusion not to use a virtual SCSI controller:

  • Select a virtual machine in the Virtual Machine Library window
  • Click on Virtual Machine menu
  • Click on Settings
  • Under Removable Devices in the Settings window, Select CD/DVD > Advanced options > Bus type
  • You can configure the Bus type.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.