VMware Patches Critical Vulnerabilities in Workstation and Fusion (CVE-2024-22267, CVE-2024-22268, CVE-2024-22269, & CVE-2024-22270)

VMware has released a security advisory to address four vulnerabilities impacting VMware Workstation Pro / Player and VMware Fusion. The vulnerabilities are tracked as CVE-2024-22267, CVE-2024-22268, CVE-2024-22269, and CVE-2024-22270. CVE-2024-22267, CVE-2024-22269, and CVE-2024-22270 were exploited in the Pwn2Own 2024 Security Contest.

VMware Workstation Pro is a hosted hypervisor that allows users to set up virtual machines on a single physical device and utilize them simultaneously with the host machine.

VMware Workstation Player is a free virtualization software package for x64 Microsoft Windows or Linux computers. In addition to building new virtual machines, VMware Player can run existing virtual appliances.

VMware Fusion is a software hypervisor explicitly designed for macOS systems. It enables virtual machines with guest operating systems like Microsoft Windows, Linux, or macOS to run within the host macOS operating system. 

VMware Workstation and Fusion vbluetooth Use-after-free Vulnerability (CVE-2024-22267)

The use-after-free vulnerability in the vbluetooth device has been given a critical severity rating with a CVSS score of 9.3. A threat actor with local administrative privileges on a virtual machine may exploit the vulnerability to execute code as the virtual machine's VMX process running on the host.

VMware Workstation and Fusion Shader Heap Buffer Overflow Vulnerability (CVE-2024-22268)

This heap buffer overflow vulnerability exists in the Shader functionality. An attacker with non-administrative access to a virtual machine with 3D graphics enabled may exploit this vulnerability to create a denial-of-service condition.

VMware Workstation and Fusion vbluetooth Information Disclosure Vulnerability (CVE-2024-22269)

This information disclosure vulnerability exists in the vbluetooth device. An attacker with local administrative privileges on a virtual machine may exploit this vulnerability to access privileged information contained in hypervisor memory from a virtual machine.

VMware Workstation and Fusion HGFS Information Disclosure Vulnerability (CVE-2024-22270)

This information disclosure vulnerability exists in the Host Guest File Sharing (HGFS) functionality. An attacker with local administrative privileges on a virtual machine may exploit this vulnerability to read privileged information contained in hypervisor memory from a virtual machine.

Affected versions

  • VMware Workstation Pro 17.x prior to 17.5.2
  • VMware Workstation Player 17.x prior to 17.5.2
  • VMware Fusion 13.x prior to 13.5.2

Mitigation

VMware has released the following versions to patch the vulnerabilities:

  • VMware Workstation Pro 17.5.2
  • VMware Workstation Player 17.5.2
  • VMware Fusion 13.5.2

For more information, please refer to the VMware Advisory (VMSA-2024-0010).
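
The following script is an added example, not part of the VMware advisory or of any Qualys tooling. It triages a software inventory against the affected and fixed versions listed above. The inventory rows, host names, and the product-name matching rules are constructed assumptions.

```python
import re

# Fixed releases named in this post, keyed by (product family, major version line).
# Workstation Pro and Player share the same fixed release, so they share a family.
FIXED = {("workstation", 17): (17, 5, 2), ("fusion", 13): (13, 5, 2)}

def parse_version(text):
    """Return (major, minor, patch) from strings like '17.5.1 build-0000000', else None."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    # A missing component ('17.5') is treated as zero ('17.5.0').
    return tuple(int(part or 0) for part in m.groups())

def product_family(name):
    """Map a free-form inventory name to a family (assumed naming rules)."""
    name = name.lower()
    if "vmware" not in name:
        return None
    if "fusion" in name:
        return "fusion"
    if "workstation" in name or "player" in name:
        return "workstation"
    return None

def triage(product, version_text):
    """Classify one inventory row as affected, patched, not-listed or unknown."""
    family = product_family(product)
    version = parse_version(version_text)
    if family is None or version is None:
        return "unknown"      # not a product from this post, or unparseable version
    fixed = FIXED.get((family, version[0]))
    if fixed is None:
        return "not-listed"   # a version line this post says nothing about
    return "affected" if version < fixed else "patched"

# Constructed sample inventory: (host, product, version string).
INVENTORY = [
    ("lab-01", "VMware Workstation Pro", "17.5.1 build-0000000"),
    ("lab-02", "VMware Workstation Player", "17.5.2"),
    ("mac-07", "VMware Fusion", "13.5"),
    ("old-03", "VMware Workstation Pro", "16.2.5"),
]

def report(inventory):
    return [(host, triage(product, ver)) for host, product, ver in inventory]

if __name__ == "__main__":
    for host, status in report(INVENTORY):
        print(f"{host}: {status}")
```

Rows reported as `not-listed` or `unknown` need manual review against VMSA-2024-0010, since this post only states the status of the 17.x and 13.x lines.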

Qualys Detection

Qualys customers can scan their devices with QID 379822 to detect vulnerable assets.  

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  

References
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280
