VMware Workstation and VMware Fusion Zero-day Vulnerabilities (CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, & CVE-2023-20872)

VMware has released a security advisory addressing four vulnerabilities (CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, & CVE-2023-20872). Two of them can be chained to achieve remote code execution on vulnerable Workstation and Fusion hypervisors.

On the second day of the Pwn2Own Vancouver 2023 hacking competition, the security researchers from the STAR Labs team demonstrated an attack chain that included two flaws (CVE-2023-20869 & CVE-2023-20870). 

VMware Workstation Pro is a hosted hypervisor that allows users to set up virtual machines on a single physical device and utilize them simultaneously with the host machine. 

VMware Workstation Player is a free virtualization package for x64 Microsoft Windows or Linux hosts. In addition to building new virtual machines, VMware Player can run existing virtual appliances.

VMware Fusion is a software hypervisor explicitly designed for macOS systems. It enables virtual machines with guest operating systems like Microsoft Windows, Linux, or macOS to run within the host macOS operating system.

Description

CVE-2023-20869: Stack-based Buffer-overflow Vulnerability in Bluetooth Device-sharing Functionality

The vulnerability has been rated as critical with a CVSSv3 base score of 9.3. To exploit this vulnerability, an attacker must have local administrative privileges on a virtual machine. The stack-based buffer overflow vulnerability exists in the functionality for sharing host Bluetooth devices with the virtual machine. On successful exploitation, the vulnerability may allow an attacker to execute code as the virtual machine’s VMX process running on the host. 

CVE-2023-20870: Information Disclosure Vulnerability in Bluetooth Device-sharing Functionality

To exploit this vulnerability, an attacker must have local administrative privileges on a virtual machine. This out-of-bounds read vulnerability exists in the functionality for sharing host Bluetooth devices with the virtual machine. The vulnerability may allow an attacker to access privileged information in hypervisor memory from a virtual machine on successful exploitation.

CVE-2023-20871: VMware Fusion Raw Disk Local Privilege Escalation Vulnerability

The vulnerability was discovered by Beist, Chpie, Silenos, and Jz of LINE Security. To exploit this vulnerability, an attacker must have read/write access to the host operating system. An attacker may successfully exploit this vulnerability to elevate privileges to gain root access to the host operating system.

CVE-2023-20872: Out-of-bounds Read/write Vulnerability

The vulnerability was discovered by Wenxu Yin of 360 Vulnerability Research Institute. The vulnerability exists in the SCSI CD/DVD device emulation. To exploit it, an attacker must have access to a virtual machine that has a physical CD/DVD drive attached and configured to use a virtual SCSI controller. Successful exploitation may allow an attacker to execute code on the hypervisor from a virtual machine.

Affected versions

CVE-2023-20869, CVE-2023-20870, and CVE-2023-20871:

  • VMware Fusion 13.x prior to 13.0.2
  • VMware Workstation Pro/Player 17.x prior to 17.0.2

CVE-2023-20872:

  • VMware Fusion 13.x prior to 13.0.1
  • VMware Workstation Pro/Player 17.x prior to 17.0.1

Mitigation

Customers are requested to upgrade to the latest versions of VMware Workstation and Fusion to patch the vulnerabilities.
 
For more information, please refer to the VMware Advisory (VMSA-2023-0008). 

Workaround

CVE-2023-20869 and CVE-2023-20870

The workaround for both vulnerabilities is to turn off the Bluetooth support on the virtual machine.
  
Uncheck the option “Share Bluetooth devices with the virtual machine” on the impacted products. Please refer to VMware KB article 91760 for the steps required for this.

CVE-2023-20872

Remove the CD/DVD device from the virtual machine or set the virtual machine to NOT utilize a virtual SCSI controller as a workaround for CVE-2023-20872. 

Prerequisites:

Shut down or power off the virtual machine. You cannot change the setting while the virtual machine is powered on or suspended.

  1. Remove the CD/DVD device from the virtual machine on the impacted products by following the procedure described here:
VMware Workstation
  • To remove hardware from a selected virtual machine, select VM > Settings, and click the Hardware tab.
  • Select the CD/DVD device and click Remove.
VMware Fusion
  • Select a virtual machine in the Virtual Machine Library window. Click the “Virtual Machine” menu and click “Settings.”
  • Under Removable Devices in the Settings window, select CD/DVD > Advanced Options > Remove the CD/DVD Drive.
  2. Alternatively, configure the virtual machine NOT to use a virtual SCSI controller for the CD/DVD device on the impacted products by following the procedure described here:
VMware Workstation
  • Select VM > Settings, click the Hardware tab, and select CD/DVD > Advanced > CD/DVD Advanced Settings > Virtual device node.
  • Configure the Bus type so that the CD/DVD device does not use a virtual SCSI controller.
VMware Fusion
  • Select a virtual machine in the Virtual Machine Library window. Click the “Virtual Machine” menu and click “Settings.”
  • Under Removable Devices in the Settings window, select CD/DVD > Advanced options > Bus type.
  • Configure the Bus type so that the CD/DVD device does not use a virtual SCSI controller.

For more information, please refer to VMware KB article 91949.
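The following script is an added example, not part of this post and not a VMware or Qualys tool. It ties together the Affected versions section and the two workarounds: it compares a Workstation or Fusion version against the fixed releases listed above, and it audits a .vmx file for the two configurations the workarounds remove (Bluetooth sharing, and a physical CD/DVD drive on a virtual SCSI controller). The VMX keys it inspects are assumptions not stated in the post: usb.vbluetooth.startConnected is taken to back the “Share Bluetooth devices with the virtual machine” checkbox, and <node>.deviceType = "cdrom-raw" (for a device node such as scsi0:1, whose prefix is the bus type) is taken to mark a pass-through physical CD/DVD drive. The sample .vmx content is constructed for the example.

```python
"""Audit .vmx files for the VMSA-2023-0008 workaround settings and check
product versions against the fixed releases named in the advisory.

Added example; assumed VMX keys (not from the post):
  usb.vbluetooth.startConnected  -> Bluetooth device sharing on/off
  <bus><ctrl>:<unit>.deviceType  -> "cdrom-raw" means a physical CD/DVD drive
"""
import re
from typing import Dict, List, Tuple

# Fixed releases from the advisory, keyed by product and CVE group.
FIXED_VERSIONS = {
    "fusion": {"CVE-2023-20869/20870/20871": (13, 0, 2), "CVE-2023-20872": (13, 0, 1)},
    "workstation": {"CVE-2023-20869/20870/20871": (17, 0, 2), "CVE-2023-20872": (17, 0, 1)},
}

VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"(.*)"\s*$')
# Device-node keys look like scsi0:1.deviceType; keys are lower-cased before matching.
DEVICE_NODE = re.compile(r"^(ide|scsi|sata|nvme)(\d+):(\d+)\.(\w+)$")


def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def affected_cves(product: str, version: str) -> List[str]:
    """Return the CVE groups for which `version` is below the fixed release.
    Only the major lines listed as affected (Fusion 13.x, Workstation 17.x) match."""
    current = parse_version(version)
    return [
        cve for cve, fixed in FIXED_VERSIONS[product].items()
        if current[0] == fixed[0] and current < fixed
    ]


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict; VMX keys are case-insensitive."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        match = VMX_LINE.match(line)
        if match:
            config[match.group(1).lower()] = match.group(2)
    return config


def audit_vmx(text: str) -> List[str]:
    """Report settings that the CVE-2023-20869/20870 and CVE-2023-20872 workarounds remove."""
    cfg = parse_vmx(text)
    findings: List[str] = []
    if cfg.get("usb.vbluetooth.startconnected", "").upper() == "TRUE":
        findings.append("bluetooth-sharing-enabled: set usb.vbluetooth.startConnected to FALSE (CVE-2023-20869/20870)")
    for key, value in cfg.items():
        match = DEVICE_NODE.match(key)
        if not match or match.group(4) != "devicetype":
            continue
        bus, ctrl, unit = match.group(1), match.group(2), match.group(3)
        node = f"{bus}{ctrl}:{unit}"
        # A missing .present is treated as attached so the audit errs toward reporting.
        attached = cfg.get(f"{node}.present", "TRUE").upper() == "TRUE"
        if attached and value.lower() == "cdrom-raw" and bus == "scsi":
            findings.append(f"physical-cdrom-on-scsi {node}: remove the drive or change its bus type (CVE-2023-20872)")
    return findings


# Constructed sample: a VM with both risky settings present.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "build-box"
usb.vbluetooth.startConnected = "TRUE"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "build-box.vmdk"
scsi0:1.present = "TRUE"
scsi0:1.deviceType = "cdrom-raw"
scsi0:1.fileName = "auto detect"
sata0:1.present = "TRUE"
sata0:1.deviceType = "cdrom-image"
sata0:1.fileName = "/isos/installer.iso"
"""

# Constructed sample: the same VM after applying both workarounds
# (Bluetooth sharing off, physical drive moved off the SCSI controller).
HARDENED_VMX = SAMPLE_VMX.replace('usb.vbluetooth.startConnected = "TRUE"',
                                  'usb.vbluetooth.startConnected = "FALSE"') \
                         .replace("scsi0:1.", "sata0:2.")

if __name__ == "__main__":
    for product, version in (("fusion", "13.0.1"), ("workstation", "17.0.2")):
        print(product, version, "affected by:", affected_cves(product, version) or "nothing")
    for label, vmx in (("sample", SAMPLE_VMX), ("hardened", HARDENED_VMX)):
        print(label, "findings:", audit_vmx(vmx) or "none")
```

Running it on the sample configuration reports both the Bluetooth sharing setting and the physical CD/DVD drive on scsi0:1; the hardened copy reports nothing. Note that a CD/DVD drive backed by an ISO image (cdrom-image) on any bus is not flagged, since the advisory text ties CVE-2023-20872 to a physical drive on a virtual SCSI controller.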

Qualys Detection

Qualys customers can scan their devices with QIDs 378446 and 378447 to detect vulnerable assets. 
  
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  
  
References 
https://kb.vmware.com/s/article/91949 
https://kb.vmware.com/s/article/91760
https://www.vmware.com/security/advisories/VMSA-2023-0008.html
