
VMware Patches Severe Security Flaws in Workstation and Fusion Products

May 14, 2024

Multiple security flaws have been disclosed in VMware Workstation and Fusion products that could be exploited by threat actors to access sensitive information, trigger a denial-of-service (DoS) condition, and execute code under specific circumstances.

The four vulnerabilities impact Workstation versions 17.x and Fusion versions 13.x, with fixes available in versions 17.5.2 and 13.5.2, respectively, the Broadcom-owned virtualization services provider said.



A brief description of each of the flaws is below –

  • CVE-2024-22267 (CVSS score: 9.3) – A use-after-free vulnerability in the Bluetooth device that could be exploited by a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host
  • CVE-2024-22268 (CVSS score: 7.1) – A heap buffer-overflow vulnerability in the Shader functionality that could be exploited by a malicious actor with non-administrative access to a virtual machine with 3D graphics enabled to create a DoS condition
  • CVE-2024-22269 (CVSS score: 7.1) – An information disclosure vulnerability in the Bluetooth device that could be exploited by a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory from a virtual machine
  • CVE-2024-22270 (CVSS score: 7.1) – An information disclosure vulnerability in the Host Guest File Sharing (HGFS) functionality that could be exploited by a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory from a virtual machine

As temporary workarounds until the patches can be deployed, users are advised to turn off Bluetooth support on the virtual machine and disable the 3D acceleration feature. There are no mitigations that address CVE-2024-22270 other than updating to the latest version.
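Both interim workarounds are per-VM settings stored in the VM's .vmx file, so a defender can audit a set of VM definitions for them and check the installed version against the fixed releases the article names (17.5.2 for Workstation, 13.5.2 for Fusion). The following Python script is an added example, not code from the article or from VMware: it parses .vmx files, classifies the product version as patched or not, reports which workaround a VM still lacks (always flagging CVE-2024-22270, which has no workaround), and rewrites the file with both features off. The key names `mks.enable3d` and `usb.vbluetooth.startConnected` are assumptions about what the Workstation/Fusion UI writes for "Accelerate 3D graphics" and "Share Bluetooth devices with the virtual machine", and the sample .vmx content is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases named in the advisory: Workstation 17.5.2, Fusion 13.5.2.
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "workstation": (17, 5, 2),
    "fusion": (13, 5, 2),
}
# Affected major lines named in the advisory (17.x and 13.x).
AFFECTED_MAJOR = {"workstation": 17, "fusion": 13}

# .vmx keys behind the two interim workarounds. Assumption: these are the keys
# the Workstation/Fusion UI writes for "Accelerate 3D graphics" and
# "Share Bluetooth devices with the virtual machine".
KEY_3D = "mks.enable3d"
KEY_BT = "usb.vbluetooth.startConnected"

# Constructed sample .vmx (not a real VM): both risky features are on.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "audit-demo"
mks.enable3d = "TRUE"
usb.vbluetooth.startConnected = "TRUE"
"""


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines of a .vmx file; keys are case-insensitive."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^([\w.:-]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def parse_version(version: str) -> Tuple[int, ...]:
    """'17.5.1' or '17.5.1 build-NNN' -> (17, 5, 1); missing parts become 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_patched(product: str, version: str) -> Optional[bool]:
    """True if at/after the fixed release, False if an affected 17.x/13.x build,
    None if the version is outside the lines the advisory covers."""
    product = product.lower()
    v = parse_version(version)
    if v[0] != AFFECTED_MAJOR[product]:
        return None
    return v >= FIXED_VERSIONS[product]


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def missing_workarounds(settings: Dict[str, str]) -> List[str]:
    """Report which interim workarounds a VM has not applied.
    An absent key is treated as 'feature off' (assumption: the UI writes the
    key explicitly when the feature is enabled)."""
    missing: List[str] = []
    if _is_true(settings.get(KEY_3D.lower(), "FALSE")):
        missing.append("3D acceleration enabled (CVE-2024-22268 workaround not applied)")
    if _is_true(settings.get(KEY_BT.lower(), "FALSE")):
        missing.append("Bluetooth sharing enabled (CVE-2024-22267/22269 workaround not applied)")
    return missing


def apply_workarounds(text: str) -> str:
    """Return the .vmx text with both features forced off (rewritten or appended)."""
    wanted = {KEY_3D.lower(): KEY_3D, KEY_BT.lower(): KEY_BT}
    out: List[str] = []
    seen = set()
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.:-]+)\s*=", line)
        key = m.group(1).lower() if m else None
        if key in wanted:
            out.append(f'{wanted[key]} = "FALSE"')
            seen.add(key)
        else:
            out.append(line)
    for key, canonical in wanted.items():
        if key not in seen:
            out.append(f'{canonical} = "FALSE"')
    return "\n".join(out) + "\n"


def audit_vm(product: str, version: str, vmx_text: str) -> dict:
    """Combine the version check with the per-VM workaround check."""
    patched = is_patched(product, version)
    findings: List[str] = []
    if patched is not True:
        findings.extend(missing_workarounds(parse_vmx(vmx_text)))
        # The advisory offers no workaround for the HGFS flaw: only the update helps.
        findings.append("CVE-2024-22270 (HGFS): no workaround, update to the fixed release")
    return {"patched": patched, "findings": findings}


if __name__ == "__main__":
    print(audit_vm("Workstation", "17.5.1", SAMPLE_VMX))
    print(apply_workarounds(SAMPLE_VMX))
```

Run it against real .vmx files by reading each file into `audit_vm`; a version outside 17.x/13.x returns `None` for `patched` rather than a verdict, because the article only states the affected lines and their fixed releases.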


It's worth noting that CVE-2024-22267, CVE-2024-22269, and CVE-2024-22270 were originally demonstrated by STAR Labs SG and Theori at the Pwn2Own hacking contest held in Vancouver earlier this March.

The advisory arrives more than two months after the company released patches to address four security flaws impacting ESXi, Workstation, and Fusion, including two critical flaws (CVE-2024-22252 and CVE-2024-22253, CVSS scores: 9.3/8.4) that could lead to code execution.



Some parts of this post are sourced from:
thehackernews.com
