{"id":21876,"date":"2023-05-01T05:17:55","date_gmt":"2023-05-01T13:17:55","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/05\/01\/news-15607\/"},"modified":"2023-05-01T05:17:55","modified_gmt":"2023-05-01T13:17:55","slug":"news-15607","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/05\/01\/news-15607\/","title":{"rendered":"Update now: Critical flaw in VMWare Fusion and VMWare Workstation"},"content":{"rendered":"<p>Four vulnerabilities in virtualisation software <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/vmware-fixes-critical-zero-day-exploit-chain-used-at-pwn2own\/\" target=\"_blank\">have been fixed by VMware<\/a>,&nbsp;including two which were exploited at the 20223 <a href=\"https:\/\/www.zerodayinitiative.com\/blog\/2023\/3\/24\/pwn2own-vancouver-2023-day\" target=\"_blank\" rel=\"nofollow\">Pwn2Own contest<\/a>. Three have been given the severity rating &ldquo;Important&rdquo;, with the&nbsp;last (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-20869\" target=\"_blank\" rel=\"nofollow\">CVE-2023-20869<\/a>) is classed as &ldquo;Critical&rdquo;.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Success! <a href=\"https:\/\/twitter.com\/starlabs_sg?ref_src=twsrc%5Etfw\">@starlabs_sg<\/a> used an uninitialized variable and UAF against VMWare Workstation. They earn $80,000 and 8 Master of Pwn points, pushing the prize total for <a href=\"https:\/\/twitter.com\/hashtag\/P2OVancouver?src=hash&amp;ref_src=twsrc%5Etfw\">#P2OVancouver<\/a> past $1,000,000. <a href=\"https:\/\/twitter.com\/hashtag\/Pwn2Own?src=hash&amp;ref_src=twsrc%5Etfw\">#Pwn2Own<\/a> <a href=\"https:\/\/t.co\/DEjgYcmphH\">pic.twitter.com\/DEjgYcmphH<\/a><\/p>\n<p> &mdash; Zero Day Initiative (@thezdi) <a href=\"https:\/\/twitter.com\/thezdi\/status\/1639368941415055367?ref_src=twsrc%5Etfw\">March 24, 2023<\/a><\/p><\/blockquote>\n<p> <script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script> <\/p>\n<p>The four vulnerabilities are:<\/p>\n<ul>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-20869\" target=\"_blank\" rel=\"nofollow\">CVE-2023-20869<\/a>&nbsp;is &#8220;Critical&#8221; flaw that affects Fusion and Workstation. It is a stack-based buffer overflow issue in the functionality for sharing host Bluetooth devices with the virtual machine. As per the <a href=\"https:\/\/www.vmware.com\/security\/advisories\/VMSA-2023-0008.html\" target=\"_blank\">advisory<\/a>, &#8220;A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine&#8217;s VMX process running on the host.&#8221; Needless to say, guest VMs are not supposed to be able to make the host machines they&#8217;re running on do things.<\/li>\n<li><strong><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-20870\" target=\"_blank\" rel=\"nofollow\">CVE-2023-20870<\/a> is an &#8220;Important&#8221; flaw that affects Fusion and Workstation. It&#8217;s <\/strong>another issue in the functionality for sharing host Bluetooth devices, but with this one an attacker can potentially read privileged information stored in the virtual machine&rsquo;s hypervisor memory.<\/li>\n<li><strong><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-20871\" target=\"_blank\" rel=\"nofollow\">CVE-2023-20871<\/a> is an &#8220;Important&#8221; flaw that only affects Fusion. It allows an<\/strong> attacker who has read \/ write access to the host operating system to elevate their privileges to gain root access to the host operating system.<\/li>\n<li><strong><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-20872\" target=\"_blank\" rel=\"nofollow\">CVE-2023-20872<\/a> is an &#8220;Important&#8221; flaw that affects Fusion and Workstation. It allows<\/strong> virtual machines with a physical CD\/DVD drive attached to execute code on the hypervisor, if the drive is configured to use a <a href=\"https:\/\/docs.vmware.com\/en\/VMware-vSphere\/7.0\/com.vmware.vsphere.vm_admin.doc\/GUID-9D15FD68-6CA1-4CBA-A451-D326BAAB07C9.html\">virtual SCSI controller<\/a>.<\/li>\n<\/ul>\n<h2>Workarounds and updates<\/h2>\n<p>All four issues can be addressed by updating to the latest version of the affected software. At the time of writing these are <a href=\"https:\/\/customerconnect.vmware.com\/downloads\/info\/slug\/desktop_end_user_computing\/vmware_fusion\/13_0\" target=\"_blank\"> VMware Fusion 13.0.2<\/a> and <a href=\"https:\/\/customerconnect.vmware.com\/downloads\/info\/slug\/desktop_end_user_computing\/vmware_workstation_pro\/17_0\" target=\"_blank\">VMware Workstation 17.0.2<\/a>. Workarounds are available for CVE-2023-20869, CVE-2023-20870, and CVE-2023-20872.<\/p>\n<p>CVE-2023-20869 and CVE-2023-20870 can be mitigated by turning off Bluetooth support by unchecking the &ldquo;<strong>Share Bluetooth devices with the virtual machine<\/strong>&rdquo; option. The relevant support documents for each product are <a href=\"https:\/\/docs.vmware.com\/en\/VMware-Workstation-Pro\/17\/com.vmware.ws.using.doc\/GUID-82E79E50-3073-4081-9FE6-0927076EA0AD.html\" target=\"_blank\">VMware Workstation Pro<\/a>, <a href=\"https:\/\/docs.vmware.com\/en\/VMware-Workstation-Player-for-Windows\/17.0\/com.vmware.player.win.using.doc\/GUID-82E79E50-3073-4081-9FE6-0927076EA0AD.html\" target=\"_blank\">VMware Workstation Player<\/a>, and <a href=\"https:\/\/docs.vmware.com\/en\/VMware-Fusion\/13\/com.vmware.fusion.using.doc\/GUID-9C42F404-F254-4E42-A5A7-2876B408FBB1.html\" target=\"_blank\">VMware Fusion<\/a>.<\/p>\n<p>CVE-2023-20872 can be mitigated by removing the CD\/DVD device from the virtual machine. Alternatively, you can configure the virtual machine so that it does not use a virtual SCSI controller. After shutting down the virtual machine, the steps are:<\/p>\n<p>To remove the CD\/DVD device in VMWare Workstation:<\/p>\n<ul>\n<li>Select VM &gt; Settings<\/li>\n<li>Click the Hardware tab<\/li>\n<li>Select the CD\/DVD and click Remove<\/li>\n<\/ul>\n<p>To remove the CD\/DVD device in VMWare Fusion:<\/p>\n<ul>\n<li>Select a virtual machine in the Virtual Machine Library window<\/li>\n<li>Click on Virtual Machine menu<\/li>\n<li>Click Settings<\/li>\n<li>Under Removable Devices in the Settings window, select CD\/DVD &gt; Advanced Options &gt; Remove CD\/DVD Drive.<\/li>\n<\/ul>\n<p>To configure VMWare Workstation not to use a virtual SCSI controller:<\/p>\n<ul>\n<li>Select VM &gt; Settings<\/li>\n<li>Click the Hardware tab<\/li>\n<li>Select the CD\/DVD &gt; Advanced &gt; CD\/DVD Advanced Settings &gt; Virtual device node<\/li>\n<li>You can configure the Bus type<\/li>\n<\/ul>\n<p>To configure VMWare Fusion not to use a virtual SCSI controller:<\/p>\n<ul>\n<li>Select a virtual machine in the Virtual Machine Library window<\/li>\n<li>Click on Virtual Machine menu<\/li>\n<li>Click on Settings<\/li>\n<li>Under Removable Devices in the Settings window, Select CD\/DVD &gt; Advanced options &gt; Bus type<\/li>\n<li>You can configure the Bus type.<\/li>\n<\/ul>\n<hr \/>\n<p dir=\"ltr\">Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.malwarebytes.com\/business\/contact-us\/\" class=\"blue-cta-bttn\">TRY NOW<\/a><\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/update-now-vmware-issues-updates-for-multiple-vulnerabilities\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding=\"10\">\n<tr>\n<td valign=\"top\" align=\"left\">\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/news\" rel=\"category tag\">News<\/a><\/p>\n<p>Tags: VMware<\/p>\n<p>Tags:  workstation<\/p>\n<p>Tags:  fusion<\/p>\n<p>Tags:  virtual machine<\/p>\n<p>Tags:  SCSI<\/p>\n<p>Tags:  DVD<\/p>\n<p>Tags:  CD<\/p>\n<p>Tags:  virtualisation<\/p>\n<p>Tags:  exploit<\/p>\n<p>Tags:  vulnerability<\/p>\n<p>Tags:  flaw<\/p>\n<p>Tags:  CVE<\/p>\n<p>VMWare has released fixes and mitigations for three Important and one Critical vulnerability in its Fusion and Workstation software.<\/p>\n<table width=\"100%\">\n<tr>\n<td align=\"right\">\n<p><b>(<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/update-now-vmware-issues-updates-for-multiple-vulnerabilities\" title=\"Update now: Critical flaw in VMWare Fusion and VMWare Workstation\">Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/04\/update-now-vmware-issues-updates-for-multiple-vulnerabilities\">Update now: Critical flaw in VMWare Fusion and VMWare Workstation<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[29243,11810,29242,11638,28229,16144,32,29241,14268,29244,14138,10467,29240],"class_list":["post-21876","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cd","tag-cve","tag-dvd","tag-exploit","tag-flaw","tag-fusion","tag-news","tag-scsi","tag-virtual-machine","tag-virtualisation","tag-vmware","tag-vulnerability","tag-workstation"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21876","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21876"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21876\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21876"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21876"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21876"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}