Security News > 2023 > April > VMware Releases Critical Patches for Workstation and Fusion Software

VMware has released updates to resolve multiple security flaws impacting its Workstation and Fusion software, the most critical of which could allow a local attacker to achieve code execution.

The vulnerability, tracked as CVE-2023-20869, is described as a stack-based buffer-overflow vulnerability that resides in the functionality for sharing host Bluetooth devices with the virtual machine.

"A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host," the company said.

"A malicious attacker with access to a virtual machine that has a physical CD/DVD drive attached and configured to use a virtual SCSI controller may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine," VMware said.

As a temporary workaround for CVE-2023-20869 and CVE-2023-20870, VMware is suggesting that users turn off Bluetooth support on the virtual machine.

As for mitigating CVE-2023-20872, it's advised to remove the CD/DVD device from the virtual machine or configure the virtual machine not to use a virtual SCSI controller.

News URL

https://thehackernews.com/2023/04/vmware-releases-critical-patches-for.html