Many security flaws have been disclosed in VMware Workstation and Fusion products and solutions that could be exploited by danger actors to obtain delicate data, cause a denial-of-company (DoS) ailment, and execute code below specified conditions.
The four vulnerabilities effect Workstation variations 17.x and Fusion variations 13.x, with fixes obtainable in version 17.5.2 and 13.5.2, respectively, the Broadcom-owned virtualization products and services service provider said.

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
A brief description of each of the flaws is beneath –
- CVE-2024-22267 (CVSS rating: 9.3) – A use-just after-free vulnerability in the Bluetooth gadget that could be exploited by a malicious actor with area administrative privileges on a digital equipment to execute code as the digital machine’s VMX method functioning on the host
- CVE-2024-22268 (CVSS score: 7.1) – A heap buffer-overflow vulnerability in the Shader features that could be exploited by a destructive actor with non-administrative entry to a virtual device with 3D graphics enabled to develop a DoS situation
- CVE-2024-22269 (CVSS score: 7.1) – An details disclosure vulnerability in the Bluetooth system that could be exploited by a destructive actor with community administrative privileges on a virtual device to browse privileged information and facts contained in hypervisor memory from a virtual device
- CVE-2024-22270 (CVSS rating: 7.1) – An info disclosure vulnerability in the Host Guest File Sharing (HGFS) functionality that could be exploited by a malicious actor with area administrative privileges on a virtual device to browse privileged data contained in hypervisor memory from a virtual machine
As non permanent workarounds right until the patches can be deployed, end users are recommended to change off the Bluetooth aid on the virtual device and disable 3D acceleration attribute. There are no mitigations that deal with CVE-2024-22270 other than updating to the most recent variation.
It really is truly worth noting that CVE-2024-22267, CVE-2024-22269, and CVE-2024-22270 have been initially demonstrated by STAR Labs SG and Theori at the Pwn2Have hacking contest held in Vancouver previously this March.
The advisory arrives a lot more than two months immediately after the business released patches to tackle 4 security flaws impacting ESXi, Workstation, and Fusion, which includes two critical flaws (CVE-2024-22252 and CVE-2024-22253, CVSS scores: 9.3/8.4)that could guide to code execution.
Found this posting fascinating? Comply with us on Twitter and LinkedIn to read through far more distinctive content material we post.
Some areas of this write-up are sourced from:
thehackernews.com