VMware fixed four flaws in its Workstation and Fusion desktop hypervisors, including three zero-days exploited at the Pwn2Own Vancouver 2024
VMware addressed four vulnerabilities in its Workstation and Fusion desktop hypervisors, including three zero-day flaws demonstrated at the Pwn2Own Vancouver 2024.
Below are descriptions of the flaws addressed by the virtualization giant
- CVE-2024-22267 (CVSS score: 9.3) – A use-after-free vulnerability in the Bluetooth device. A threat actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.
The vendor also provided temporary workarounds, such as disabling Bluetooth support and 3D acceleration, until patches can be applied to address vulnerabilities like CVE-2024-22267, CVE-2024-22269, and CVE-2024-22270. The company doesn’t provide any mitigations to address CVE-2024-22270.
STAR Labs SG and Theori demonstrated these vulnerabilities during the Pwn2Own hacking contest in March 2024.
“VMware would like to thank Gwangun Jung (@pr0ln) & Junoh Lee (@bbbig12) of Theori (@theori_io) and STAR Labs SG working with the Pwn2Own 2024 Security Contest for independently reporting this issue to us.” reads the advisory.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, zero-day)
