VMSA-2024-0010: VMware Workstation and Fusion updates address multiple security vulnerabilities (CVE-2024-22267, CVE-2024-22268, CVE-2024-22269, CVE-2024-22270)
24280
11 July 2024
14 May 2024
CLOSED
CRITICAL
7.1-9.3
None
CVE-2024-22267, CVE-2024-22268, CVE-2024-22269, CVE-2024-22270
| Advisory ID: | VMSA-2024-0010 |
| Advisory Severity: | Critical |
| CVSSv3 Range: | 7.1-9.3 |
| Synopsis: | VMware Workstation and Fusion updates address multiple security vulnerabilities (CVE-2024-22267, CVE-2024-22268, CVE-2024-22269, CVE-2024-22270) |
| Issue date: | 2024-05-14 |
| Updated on: | 2024-05-14 (Initial Advisory) |
| CVE(s) | CVE-2024-22267, CVE-2024-22268, CVE-2024-22269, CVE-2024-22270 |
1. Impacted Products
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion
2. Introduction
Multiple security vulnerabilities in VMware Workstation and Fusion were privately reported to VMware. Updates and workarounds are available to remediate these vulnerabilities in the affected VMware products.
3a. VMware Workstation and Fusion vbluetooth use-after-free vulnerability (CVE-2024-22267)
Description:
VMware Workstation and Fusion contain a use-after-free vulnerability in the vbluetooth device. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.
Known Attack Vectors:
A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.
Resolution:
To remediate CVE-2024-22267 update to the version listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
Workarounds for CVE-2024-22267 have been listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation:
None
Acknowledgments:
VMware would like to thank Gwangun Jung (@pr0ln) & Junoh Lee (@bbbig12) of Theori (@theori_io) and STAR Labs SG working with the Pwn2Own held by Zero day initiative for independently reporting this issue to us.
Notes:
None
Response Matrix:
|
VMware Product |
Version |
Running On |
CVE |
CVSSv3 |
Severity |
Fixed Version |
Workarounds |
Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Workstation | 17.x | Any | CVE-2024-22267 | 9.3 | Critical | 17.5.2 | KB91760 | None |
| Fusion | 13.x | OS X | CVE-2024-22267 | 9.3 | Critical | 13.5.2 | KB91760 | None |
3b. VMware Workstation and Fusion Shader heap buffer-overflow vulnerability (CVE-2024-22268)
Description:
VMware Workstation and Fusion contain a heap buffer-overflow vulnerability in the Shader functionality. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.
Known Attack Vectors:
A malicious actor with non-administrative access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to create a denial of service condition.
Resolution:
To remediate CVE-2024-22268 update to the version listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
Workarounds for CVE-2024-22268 have been listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation:
None
Acknowledgments:
VMware would like to thank Pwn2car working with Trend Micro Zero Day Initiative for reporting this issue to us.
Notes:
Successful exploitation of this issue requires 3D graphics to be enabled on the virtual machine.
Response Matrix:
|
VMware Product |
Version |
Running On |
CVE |
CVSSv3 |
Severity |
Fixed Version |
Workarounds |
Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Workstation | 17.x | Windows | CVE-2024-22268 | 7.1 | Important | 17.5.2 | KB59146 | None |
| Fusion | 13.x | OS X | CVE-2024-22268 | 7.1 | Important | 13.5.2 | KB59146 | None |
3c. VMware Workstation and Fusion vbluetooth information disclosure vulnerability (CVE-2024-22269)
Description:
VMware Workstation and Fusion contain an information disclosure vulnerability in the vbluetooth device. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.
Known Attack Vectors:
A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.
Resolution:
To remediate CVE-2024-22269 update to the version listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
Workarounds for CVE-2024-22269 have been listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation:
None
Acknowledgments:
VMware would like to thank STAR Labs SG working with the Pwn2Own held by Zero day initiative for reporting this issue to us.
Notes:
None
Response Matrix:
|
VMware Product |
Version |
Running On |
CVE |
CVSSv3 |
Severity |
Fixed Version |
Workarounds |
Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Workstation | 17.x | Any | CVE-2024-22269 | 7.1 | Important | 17.5.2 | KB91760 | None |
| Fusion | 13.x | OS X | CVE-2024-22269 | 7.1 | Important | 13.5.2 | KB91760 | None |
3d. VMware Workstation and Fusion HGFS information disclosure vulnerability (CVE-2024-22270)
Description:
VMware Workstation and Fusion contain an information disclosure vulnerability in the Host Guest File Sharing (HGFS) functionality. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.
Known Attack Vectors:
A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.
Resolution:
To remediate CVE-2024-22270 update to the version listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None
Additional Documentation:
None
Acknowledgments:
VMware would like to thank Gwangun Jung (@pr0ln) & Junoh Lee (@bbbig12) of Theori (@theori_io) working with the Pwn2Own held by Zero day initiative for reporting this issue to us.
Notes:
None.
Response Matrix:
|
VMware Product |
Version |
Running On |
CVE |
CVSSv3 |
Severity |
Fixed Version |
Workarounds |
Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Workstation | 17.x | Any | CVE-2024-22270 | 7.1 | Important | 17.5.2 | None | None |
| Fusion | 13.x | OS X | CVE-2024-22270 | 7.1 | Important | 13.5.2 | None | None |
4. References:
Fixed Version(s) and Release Notes:
Workstation Pro 17.5.2
Downloads and Documentation
https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware%20Workstation%20Pro
https://docs.vmware.com/en/VMware-Workstation-Pro/17.5.2/rn/vmware-workstation-1752-pro-release-notes/index.html
Fusion 13.5.2
Downloads and Documentation
https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware%20Fusion
https://docs.vmware.com/en/VMware-Fusion/13.5.2/rn/vmware-fusion-1352-release-notes/index.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22268
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22270
FIRST CVSSv3 Calculator:
CVE-2024-22267: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2024-22268: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2024-22269: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2024-22270: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
5. Change Log:
2024-05-14 VMSA-2024-0010
Initial security advisory.
6. Contact:
E-mail: [email protected]
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC
Copyright 2024 Broadcom All rights reserved.