VMSA-2023-0022:VMware Fusion and Workstation updates address privilege escalation and information disclosure vulnerabilities
23676
17 October 2023
18 October 2023
CLOSED
HIGH
6.6-7.1
CVE-2023-34044,CVE-2023-34045,CVE-2023-34046
1. Impacted Products
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion
2. Introduction
Multiple security vulnerabilities in VMware Workstation and Fusion were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in the affected VMware products.
3a. Information disclosure vulnerability in bluetooth device-sharing functionality (CVE-2023-34044)
Description
VMware Workstation and Fusion contain an out-of-bounds read vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.
Known Attack Vectors
A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.
Resolution
To remediate CVE-2023-34044 update to the version listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
Additional Documentation
None
Notes
This issue exists because Workstation 17.0.2 and Fusion 13.0.2, released on April 25, 2023 did not address CVE-2023-20870 completely.
Acknowledgements
VMware would like to thank Gwangun Jung (@pr0Ln) at THEORI working with Trend Micro Zero Day Initiative for reporting this issue to us.
Response Matrix
3b. VMware Fusion TOCTOU local privilege escalation vulnerability (CVE-2023-34046)
Description
VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during installation for the first time (the user needs to drag or copy the application to a folder from the '.dmg' volume) or when installing an upgrade. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.7.
Known Attack Vectors
A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed or being installed for the first time.
Resolution
To remediate CVE-2023-34046 update to the version listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None
Additional Documentation
None
Notes
This will not occur if the user follows the usual process of double-clicking the application in the '.dmg' volume when running the installer for the first time.
Acknowledgements
VMware would like to thank Mickey Jin (@patch1t) for reporting this issue to us.
Response Matrix
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| Fusion | 13.x | OS X | CVE-2023-34046 | moderate | 13.5 | None | None |
3c. VMware Fusion installer local privilege escalation (CVE-2023-34045)
Description
VMware Fusion contains a local privilege escalation vulnerability that occurs during installation for the first time (the user needs to drag or copy the application to a folder from the '.dmg' volume) or when installing an upgrade. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.6.
Known Attack Vectors
A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed or being installed for the first time.
Resolution
To remediate CVE-2023-34045 update to the version listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None
Additional Documentation
None
Notes
This will not occur if the user follows the usual process of double-clicking the application in the '.dmg' volume when running the installer for the first time.
Acknowledgements
VMware would like to thank Mickey Jin (@patch1t) for reporting this issue to us.
Response Matrix
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| Fusion | 13.x | OS X | CVE-2023-34045 | moderate | 13.5 | None | None |
4. References
Fixed Version(s) and Release Notes:
WS Pro 17.5
Downloads and Documentation:
WS Player 17.5
Downloads and Documentation
Fusion 13.5
Downloads and Documentation
https://docs.vmware.com/en/VMware-Fusion/13.5/rn/vmware-fusion-135-release-notes/index.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34045
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34044
FIRST CVSSv3 Calculator:
CVE-2023-34045: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CVE-2023-34044: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2023-34046: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
5. Change Log
2023-10-19 VMSA-2023-0022
Initial security advisory.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
E-mail: [email protected]
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2023 VMware Inc. All rights reserved.