Risk | High |
Patch available | YES |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, CVE-2023-20872 |
CWE-ID | CWE-121, CWE-125, CWE-284, CWE-787 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #4 is available. |
Vulnerable software | VMware Workstation (Client/Desktop applications / Virtualization software), VMware Fusion (Client/Desktop applications / Virtualization software) |
Vendor | VMware, Inc |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU75488
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-20869
CWE-ID: CWE-121 - Stack-based buffer overflow
Exploit availability: No
Description: The vulnerability allows an attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the UHCI component in the functionality for sharing host Bluetooth devices with the virtual machine. An attacker with an administrative account on the guest OS can trigger a stack-based buffer overflow and execute arbitrary code as the virtual machine's VMX process running on the host.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
VMware Workstation: 17.0 - 17.0.1
VMware Fusion: 13.0 - 13.0.1
https://www.vmware.com/security/advisories/VMSA-2023-0008.html
https://www.zerodayinitiative.com/advisories/ZDI-23-522/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into opening a specially crafted file.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU75489
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-20870
CWE-ID: CWE-125 - Out-of-bounds read
Exploit availability: No
Description: The vulnerability allows an attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the UHCI component in the functionality for sharing host Bluetooth devices with the virtual machine. An attacker with administrative access to the guest OS can trigger an out-of-bounds read error and read the contents of memory on the host OS.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
VMware Workstation: 17.0 - 17.0.1
VMware Fusion: 13.0 - 13.0.1
https://www.vmware.com/security/advisories/VMSA-2023-0008.html
https://www.zerodayinitiative.com/advisories/ZDI-23-521/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into opening a specially crafted file.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU75490
Risk: Low
CVSSv4.0: 5.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-20871
CWE-ID: CWE-284 - Improper Access Control
Exploit availability: No
Description: The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper access restrictions in raw disk functionality. A local user with read/write access to the host operating system can elevate privileges to gain root access to the host operating system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
VMware Fusion: 13.0 - 13.0.1
https://www.vmware.com/security/advisories/VMSA-2023-0008.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into opening a specially crafted file.
The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU75491
Risk: High
CVSSv4.0: 7.4 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2023-20872
CWE-ID: CWE-787 - Out-of-bounds write
Exploit availability: Yes
Description: The vulnerability allows an attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error in SCSI CD/DVD device emulation. An attacker with access to a virtual machine that has a physical CD/DVD drive attached and configured to use a virtual SCSI controller can trigger an out-of-bounds write and execute arbitrary code on the hypervisor from a virtual machine.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
VMware Workstation: 17.0 - 17.0.1
VMware Fusion: 13.0 - 13.0.1
https://www.vmware.com/security/advisories/VMSA-2023-0008.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into opening a specially crafted file.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
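
The device configurations named in this bulletin (host Bluetooth devices shared with the guest for CVE-2023-20869 and CVE-2023-20870; a physical CD/DVD drive on a virtual SCSI controller for CVE-2023-20872) can be inventoried per virtual machine from its .vmx file. The script below is an added example, not part of the bulletin or of VMware's tooling. It assumes the .vmx keys `usb.vbluetooth.startConnected` and `scsiX:Y.deviceType = "cdrom-raw"` express those settings, and the sample configuration is constructed.

```python
import re

# One 'key = "value"' line of a .vmx file; lines starting with '#' are skipped.
_LINE = re.compile(r'^\s*([^#\s=][^=]*?)\s*=\s*"?(.*?)"?\s*$')

# Constructed sample configuration (not taken from a real VM).
SAMPLE_VMX = '''\
.encoding = "UTF-8"
usb.present = "TRUE"
usb.vbluetooth.startConnected = "TRUE"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.deviceType = "scsi-hardDisk"
scsi0:1.present = "TRUE"
scsi0:1.deviceType = "cdrom-raw"
sata0:1.present = "TRUE"
sata0:1.deviceType = "cdrom-image"
'''

def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def exposure(text):
    """List (CVE ids, reason) for each bulletin precondition found in a .vmx."""
    cfg = parse_vmx(text)
    is_true = lambda key: cfg.get(key, "").lower() == "true"
    findings = []
    # Assumption: only an explicit TRUE means Bluetooth sharing is enabled.
    if is_true("usb.vbluetooth.startconnected"):
        findings.append(("CVE-2023-20869, CVE-2023-20870",
                         "host Bluetooth devices shared with the guest"))
    # Assumption: "cdrom-raw" on a scsiX:Y node is a physical drive on virtual SCSI.
    for key, value in sorted(cfg.items()):
        m = re.fullmatch(r"(scsi\d+:\d+)\.devicetype", key)
        if m and value.lower() == "cdrom-raw" and is_true(m.group(1) + ".present"):
            findings.append(("CVE-2023-20872",
                             f"physical CD/DVD drive on virtual SCSI node {m.group(1)}"))
    return findings

if __name__ == "__main__":
    for cves, reason in exposure(SAMPLE_VMX):
        print(f"{cves}: {reason}")
```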