Update your machines as soon as possible so that no hacker gets elevated privileges.
Four serious vulnerabilities have been identified in the VMware Workstation and Fusion products, which can be used by attackers to gain access to confidential information, create conditions for conducting DoS attacks, and execute arbitrary code.
The issues affect versions of Workstation 17. x and Fusion 13. x. To fix the vulnerabilities, we recommend updating your programs to versions 17.5.2 and 13.5.2, respectively. Broadcom, which owns VMware virtualization services, posted this warning on its official website.
Vulnerability description:
Users are advised to disable Bluetooth support on vulnerable VMs and disable 3D acceleration before installing updates. There are no temporary measures for CVE-2024-22270, so you need to update to the latest software versions to mitigate the consequences of this vulnerability.
It should be noted that the vulnerabilities CVE-2024-22267, CVE-2024-22269 and CVE-2024-22270 were first demonstrated by the STAR Labs SG and Theori teams at the Pwn2Own competition recently held in Vancouver.
Four serious vulnerabilities have been identified in the VMware Workstation and Fusion products, which can be used by attackers to gain access to confidential information, create conditions for conducting DoS attacks, and execute arbitrary code.
The issues affect versions of Workstation 17. x and Fusion 13. x. To fix the vulnerabilities, we recommend updating your programs to versions 17.5.2 and 13.5.2, respectively. Broadcom, which owns VMware virtualization services, posted this warning on its official website.
Vulnerability description:
- CVE-2024-22267 (CVSS score 9.3). Use-after-free vulnerability in a Bluetooth device. It can be used by an attacker with local administrative rights on a VM to execute code on behalf of a VMX process running on the host.
- CVE-2024-22268 (CVSS score 7.1). Heap buffer overflow vulnerability in Shader functionality. It can be used by an attacker with non-administrative access to a VM with 3D graphics enabled to create denial-of-service (DoS) conditions.
- CVE-2024-22269 (CVSS assessment 7.1). Information disclosure vulnerability in a Bluetooth device. It can be used by an attacker with local administrative rights on the VM to read confidential information contained in the hypervisor's memory.
- CVE-2024-22270 (CVSS score 7.1). Information disclosure vulnerability in Host Guest File Sharing (HGFS) functionality. It can be used by an attacker with local administrative rights on the VM to read privileged information from the hypervisor's memory.
Users are advised to disable Bluetooth support on vulnerable VMs and disable 3D acceleration before installing updates. There are no temporary measures for CVE-2024-22270, so you need to update to the latest software versions to mitigate the consequences of this vulnerability.
It should be noted that the vulnerabilities CVE-2024-22267, CVE-2024-22269 and CVE-2024-22270 were first demonstrated by the STAR Labs SG and Theori teams at the Pwn2Own competition recently held in Vancouver.
