VMware

VMware has released security updates to address zero-day vulnerabilities that could be chained to gain code execution on systems running unpatched versions of the company's Workstation and Fusion software hypervisors.

The two flaws were part of an exploit chain demoed by the STAR Labs team's security researchers one month ago, during the second day of the Pwn2Own Vancouver 2023 hacking contest.

Vendors have 90 days to patch the zero-day bugs exploited and disclosed during Pwn2Own before Trend Micro's Zero Day Initiative releases technical details.

The first vulnerability (CVE-2023-20869) is a stack-based buffer-overflow vulnerability in Bluetooth device-sharing functionality which allows local attackers to execute code as the virtual machine's VMX process running on the host.

The second bug patched today (CVE-2023-20870) is an information disclosure weakness in the functionality for sharing host Bluetooth devices with the VM, which enables malicious actors to read privileged information contained in hypervisor memory from a VM.

VMware has also shared a temporary workaround for admins who cannot immediately deploy patches for the two flaws on their systems.

To remove the attack vector, you can also turn off the Bluetooth support on the virtual machine by unchecking the "Share Bluetooth devices with the virtual machine" option on the impacted devices (more details on how to do that can be found here).

The company addressed two more security flaws today affecting the VMware Workstation and Fusion hosted hypervisors.

CVE-2023-20871 is a high-severity VMware Fusion Raw Disk local privilege escalation vulnerability that can be abused by attackers with read/write access to the host operating system to escalate privileges and gain root access to the host OS.

A fourth bug (tracked as CVE-2023-20872) described as "an out-of-bounds read/write vulnerability" in the SCSI CD/DVD device emulation impacts both Workstation and Fusion products.

This can be exploited by local attackers with access to VMs that have a physical CD/DVD drive attached and are configured to use a virtual SCSI controller, to gain code execution on the hypervisor from the VM.

A temporary CVE-2023-20872 workaround that blocks exploitation attempts requires admins "to remove the CD/DVD device from the virtual machine or configure the virtual machine NOT to use a virtual SCSI controller."
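For admins who want to find which VMs still carry the two attack surfaces the workarounds above remove (host Bluetooth sharing and a CD/DVD device on a virtual SCSI controller), here is a small audit script. It is an added example, not code from the article or from VMware, and the VMX key names it looks for (`usb.vbluetooth.startConnected`, `scsiN:M.present`, `scsiN:M.deviceType`) are an assumption based on typical Workstation configuration files; confirm them against your own .vmx files before relying on the result.

```python
"""Audit VMware Workstation/Fusion .vmx files for the device settings the
workarounds ask admins to disable: host Bluetooth sharing (CVE-2023-20869 /
CVE-2023-20870) and CD/DVD devices attached through a virtual SCSI controller
(CVE-2023-20872). VMX key names are assumed, not taken from the article."""
import re
from pathlib import Path

# Assumed key names; confirm against a real .vmx before relying on this.
BT_KEY = "usb.vbluetooth.startconnected"
SCSI_DEV = re.compile(r"^(scsi\d+:\d+)\.(present|devicetype)$")

def parse_vmx(text: str) -> dict:
    """Return {lowercased key: unquoted value} for a VMX key = "value" file."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep:
            cfg[key.strip().lower()] = val.strip().strip('"')
    return cfg

def audit_vmx(text: str) -> list:
    """List the settings that the workarounds would have removed."""
    cfg = parse_vmx(text)
    findings = []
    if cfg.get(BT_KEY, "").lower() == "true":
        findings.append("bluetooth-sharing-enabled")
    for key in cfg:
        m = SCSI_DEV.match(key)
        if not m:
            continue
        dev = m.group(1)  # e.g. "scsi0:1"
        present = cfg.get(f"{dev}.present", "").lower() == "true"
        dtype = cfg.get(f"{dev}.devicetype", "").lower()
        if present and dtype.startswith("cdrom"):
            findings.append(f"scsi-cdrom:{dev}")
    return sorted(set(findings))

# Constructed sample VMX fragment (not from the article or VMware).
SAMPLE_VMX = '''
.encoding = "UTF-8"
usb.vbluetooth.startConnected = "TRUE"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.deviceType = "scsi-hardDisk"
scsi0:1.present = "TRUE"
scsi0:1.deviceType = "cdrom-raw"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
'''

if __name__ == "__main__":
    for path in Path(".").glob("**/*.vmx"):
        print(path, audit_vmx(path.read_text(errors="replace")))
    print(audit_vmx(SAMPLE_VMX))
```

The IDE-attached CD/DVD in the sample is deliberately not flagged, since the workaround only concerns devices on a virtual SCSI controller.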

Last week, VMware also patched a critical vRealize Log Insight vulnerability that can let unauthenticated attackers gain remote execution on vulnerable appliances.
