VMSA-2023-0008: VMware Workstation and Fusion updates address multiple security vulnerabilities

Advisory ID: VMSA-2023-0008
CVSSv3 Range: 7.3-9.3
Issue Date: 2023-04-25
Updated On: 2023-04-25 (Initial Advisory)
CVE(s): CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, CVE-2023-20872
Synopsis: VMware Workstation and Fusion updates address multiple security vulnerabilities (CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, CVE-2023-20872)

1. Impacted Products

  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion

2. Introduction

Multiple security vulnerabilities in VMware Workstation and Fusion were privately reported to VMware. Updates and workarounds are available to remediate these vulnerabilities in the affected VMware products.

3a. Stack-based buffer-overflow vulnerability in Bluetooth device-sharing functionality (CVE-2023-20869)

Description

VMware Workstation and Fusion contain a stack-based buffer-overflow vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Resolution

To remediate CVE-2023-20869, update to the version listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2023-20869 have been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank STAR Labs, working with the Pwn2Own 2023 Security Contest, for reporting this issue to us.

Response Matrix

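| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Workstation | 17.x | Any | CVE-2023-20869 | | critical | 17.0.2 | | None |
| Fusion | 13.x | OS X | CVE-2023-20869 | | critical | 13.0.2 | | None |
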
3b. Information disclosure vulnerability in Bluetooth device-sharing functionality (CVE-2023-20870)

Description

VMware Workstation and Fusion contain an out-of-bounds read vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.

Resolution

To remediate CVE-2023-20870, update to the version listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2023-20870 have been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank STAR Labs, working with the Pwn2Own 2023 Security Contest, for reporting this issue to us.

Response Matrix

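| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Workstation | 17.x | Any | CVE-2023-20870 | | important | 17.0.2 | | None |
| Fusion | 13.x | OS X | CVE-2023-20870 | | important | 13.0.2 | | None |
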
3c. VMware Fusion Raw Disk local privilege escalation vulnerability (CVE-2023-20871)

Description

VMware Fusion contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.

Known Attack Vectors

A malicious actor with read/write access to the host operating system can elevate privileges to gain root access to the host operating system.

Resolution

To remediate CVE-2023-20871, update to the version listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Beist, Chpie, Silenos, and Jz of LINE Security for reporting this issue to us.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Fusion | 13.x | OS X | CVE-2023-20871 | | important | 13.0.2 | None | None |

3d. Out-of-bounds read/write vulnerability (CVE-2023-20872)

Description

VMware Workstation and Fusion contain an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.7.

Known Attack Vectors

A malicious attacker with access to a virtual machine that has a physical CD/DVD drive attached and configured to use a virtual SCSI controller may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine.

Resolution

To remediate CVE-2023-20872, update to the version listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2023-20872 have been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Notes

Successful exploitation of this issue requires a physical CD/DVD drive attached to the virtual machine configured to use a virtual SCSI controller.

Acknowledgements

VMware would like to thank Wenxu Yin of 360 Vulnerability Research Institute for reporting this issue to us.

Response Matrix

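| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Workstation | 17.x | Any | CVE-2023-20872 | | important | 17.0.1 | | None |
| Fusion | 13.x | OS X | CVE-2023-20872 | | important | 13.0.1 | | None |
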
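The precondition in the Notes for CVE-2023-20872 (a physical CD/DVD drive attached through a virtual SCSI controller) can be checked per virtual machine by reading its .vmx file. The following is an added example, not part of the VMware advisory or VMware code: the function names and the sample .vmx content are constructed, and it assumes that a physical drive is recorded with `deviceType = "cdrom-raw"`.

```python
import re

# Constructed sample .vmx (not from the advisory). "cdrom-raw" is assumed to be
# the deviceType written for a physical drive, "cdrom-image" for an ISO.
SAMPLE_VMX = '''\
scsi0.present = "TRUE"
scsi0.virtualDev = "lsilogic"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "disk.vmdk"
scsi0:1.present = "TRUE"
scsi0:1.deviceType = "cdrom-raw"
scsi0:1.fileName = "auto detect"
sata0:1.present = "TRUE"
sata0:1.deviceType = "cdrom-image"
ide1:0.present = "FALSE"
ide1:0.deviceType = "cdrom-raw"
'''

# Fixed versions for CVE-2023-20872, taken from the response matrix above.
FIXED_20872 = {"workstation": (17, 0, 1), "fusion": (13, 0, 1)}

LINE_RE = re.compile(r'^\s*([^#\s=][^=]*?)\s*=\s*"(.*)"\s*$')
SCSI_NODE_RE = re.compile(r'^(scsi\d+:\d+)\.(.+)$')

def scsi_physical_cdroms(vmx_text):
    """Return SCSI device nodes that are present and backed by a physical drive."""
    nodes = {}
    for line in vmx_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line, comment, or not a key = "value" pair
        dev = SCSI_NODE_RE.match(m.group(1).lower())  # keys compared case-insensitively
        if dev:
            nodes.setdefault(dev.group(1), {})[dev.group(2)] = m.group(2)
    return sorted(
        node for node, props in nodes.items()
        if props.get("present", "FALSE").upper() == "TRUE"
        and props.get("devicetype", "").lower() == "cdrom-raw"
    )

def exposed_to_20872(product, version, vmx_text):
    """Nodes meeting the advisory's precondition on a 17.x/13.x build below the fix."""
    fixed = FIXED_20872[product.lower()]
    ver = tuple(int(part) for part in version.split("."))
    if ver[0] != fixed[0] or ver >= fixed:
        return []  # branch not listed in the matrix, or already at the fixed version
    return scsi_physical_cdroms(vmx_text)

if __name__ == "__main__":
    print(exposed_to_20872("Workstation", "17.0.0", SAMPLE_VMX))
```

An empty result means the virtual machine does not meet the stated precondition or the product is already at the fixed version for this CVE; the other three CVEs in this advisory still require 17.0.2 / 13.0.2.
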
4. References

5. Change Log

2023-04-25 VMSA-2023-0008
Initial security advisory.

6. Contact

E-mail: [email protected]

PGP key at:
https://kb.vmware.com/kb/1055 

VMware Security Advisories
https://www.vmware.com/security/advisories 

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html 

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html 

VMware Security & Compliance Blog  
https://blogs.vmware.com/security 

Twitter
https://twitter.com/VMwareSRC

Copyright 2023 VMware Inc. All rights reserved.