===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.2370
          VMware Workstation and Fusion updates address multiple
                         security vulnerabilities
                               26 April 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Workstation Pro / Player (Workstation)
                   VMware Fusion
Publisher:         VMware
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-20872 CVE-2023-20871 CVE-2023-20870
                   CVE-2023-20869  

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2023-0008.html

Comment: CVSS (Max):  9.3 CVE-2023-20869 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: VMware
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

Critical

Advisory ID: VMSA-2023-0008
CVSSv3 Range: 7.3-9.3
Issue Date: 2023-04-25
Updated On: 2023-04-25 (Initial Advisory)
CVE(s): CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, CVE-2023-20872
Synopsis: VMware Workstation and Fusion updates address multiple security
vulnerabilities (CVE-2023-20869, CVE-2023-20870, CVE-2023-20871,
CVE-2023-20872)

1. Impacted Products

  o VMware Workstation Pro / Player (Workstation)
  o VMware Fusion

2. Introduction

Multiple security vulnerabilities in VMware Workstation and Fusion were
privately reported to VMware. Updates and workarounds are available to
remediate these vulnerabilities in the affected VMware products.

3a. Stack-based buffer-overflow vulnerability in Bluetooth device-sharing
functionality (CVE-2023-20869)

Description

VMware Workstation and Fusion contain a stack-based buffer-overflow
vulnerability that exists in the functionality for sharing host Bluetooth
devices with the virtual machine. VMware has evaluated the severity of this
issue to be in the Critical severity range with a maximum CVSSv3 base score of
9.3.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine
may exploit this issue to execute code as the virtual machine's VMX process
running on the host.

Resolution

To remediate CVE-2023-20869 update to the version listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2023-20869 have been listed in the 'Workarounds' column of
the 'Response Matrix' below.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank STAR Labs, working with the Pwn2Own 2023 Security
Contest, for reporting this issue to us.

Response Matrix

Product     Version Running CVE Identifier CVSSv3 Severity Fixed   Workarounds Additional
                    On                                     Version             Documentation
Workstation 17.x    Any     CVE-2023-20869 9.3    critical 17.0.2  KB91760     None
Fusion      13.x    OS X    CVE-2023-20869 9.3    critical 13.0.2  KB91760     None

3b. Information disclosure vulnerability in Bluetooth device-sharing
functionality (CVE-2023-20870)

Description

VMware Workstation and Fusion contain an out-of-bounds read vulnerability that
exists in the functionality for sharing host Bluetooth devices with the
virtual machine. VMware has evaluated the severity of this issue to be in the
Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine
may be able to read privileged information contained in hypervisor memory from
a virtual machine.

Resolution

To remediate CVE-2023-20870 update to the version listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2023-20870 have been listed in the 'Workarounds' column of
the 'Response Matrix' below.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank STAR Labs, working with the Pwn2Own 2023 Security
Contest, for reporting this issue to us.

Response Matrix

Product     Version Running CVE Identifier CVSSv3 Severity  Fixed   Workarounds Additional
                    On                                      Version             Documentation
Workstation 17.x    Any     CVE-2023-20870 7.1    important 17.0.2  KB91760     None
Fusion      13.x    OS X    CVE-2023-20870 7.1    important 13.0.2  KB91760     None

3c. VMware Fusion Raw Disk local privilege escalation vulnerability
(CVE-2023-20871)

Description

VMware Fusion contains a local privilege escalation vulnerability. VMware has
evaluated the severity of this issue to be in the Important severity range
with a maximum CVSSv3 base score of 7.3.

Known Attack Vectors

A malicious actor with read/write access to the host operating system can
elevate privileges to gain root access to the host operating system.

Resolution

To remediate CVE-2023-20871 update to the version listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Beist, Chpie, Silenos, and Jz of LINE Security for
reporting this issue to us.

Response Matrix

Product Version Running CVE Identifier CVSSv3 Severity  Fixed   Workarounds Additional
                On                                      Version             Documentation
Fusion  13.x    OS X    CVE-2023-20871 7.3    important 13.0.2  None        None

3d. Out-of-bounds read/write vulnerability (CVE-2023-20872)

Description

VMware Workstation and Fusion contain an out-of-bounds read/write
vulnerability in SCSI CD/DVD device emulation. VMware has evaluated the
severity of this issue to be in the Important severity range with a maximum
CVSSv3 base score of 7.7.

Known Attack Vectors

A malicious attacker with access to a virtual machine that has a physical
CD/DVD drive attached and configured to use a virtual SCSI controller may be
able to exploit this vulnerability to execute code on the hypervisor from a
virtual machine.

Resolution

To remediate CVE-2023-20872 update to the version listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2023-20872 have been listed in the 'Workarounds' column of
the 'Response Matrix' below.

Additional Documentation

None.

Notes

Successful exploitation of this issue requires a physical CD/DVD drive
attached to the virtual machine configured to use a virtual SCSI controller.

Acknowledgements

VMware would like to thank Wenxu Yin of 360 Vulnerability Research
Institute for reporting this issue to us.

Response Matrix

Product     Version Running CVE Identifier CVSSv3 Severity  Fixed   Workarounds Additional
                    On                                      Version             Documentation
Workstation 17.x    Any     CVE-2023-20872 7.7    important 17.0.1  KB91949     None
Fusion      13.x    OS X    CVE-2023-20872 7.7    important 13.0.1  KB91949     None
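
The exposure conditions in 3a, 3b and 3d can be checked per virtual machine
against the host's installed version. The following is an added example, not
part of the VMware advisory or AusCERT bulletin; it omits CVE-2023-20871, for
which the advisory gives no VM-level precondition. It assumes the .vmx key
usb.vbluetooth.startConnected and the device type "cdrom-raw" on a scsiN:M
slot, neither of which appears in the advisory; confirm both against KB91760
and KB91949.

```python
import re

# Fixed versions copied from the advisory's Response Matrix tables.
FIXED = {
    "CVE-2023-20869": {"Workstation": (17, 0, 2), "Fusion": (13, 0, 2)},
    "CVE-2023-20870": {"Workstation": (17, 0, 2), "Fusion": (13, 0, 2)},
    "CVE-2023-20872": {"Workstation": (17, 0, 1), "Fusion": (13, 0, 1)},
}
# Constructed sample .vmx text (not taken from the advisory).
SAMPLE_VMX = '''usb.present = "TRUE"
usb.vbluetooth.startConnected = "TRUE"
scsi0:0.fileName = "disk.vmdk"
scsi0:1.present = "TRUE"
scsi0:1.deviceType = "cdrom-raw"
ide1:0.deviceType = "cdrom-image"
'''

def parse_vmx(text):
    """Return {lower-cased key: value} for every key = "value" line."""
    pat = r'^[ \t]*([^#\s=][^=\n]*?)[ \t]*=[ \t]*"(.*)"[ \t]*$'
    return {k.lower(): v for k, v in re.findall(pat, text, re.M)}

def exposed_features(cfg):
    """Map each CVE to the VM setting that makes its device code reachable."""
    hits = {}
    # Assumed key behind "share host Bluetooth devices with the VM" (3a, 3b).
    if cfg.get("usb.vbluetooth.startconnected", "").lower() == "true":
        for cve in ("CVE-2023-20869", "CVE-2023-20870"):
            hits[cve] = "usb.vbluetooth.startConnected"
    # Assumed encoding of a physical CD/DVD drive on a SCSI controller (3d).
    for key, value in cfg.items():
        m = re.fullmatch(r"(scsi\d+:\d+)\.devicetype", key)
        if m and value.lower() == "cdrom-raw":
            if cfg.get(m.group(1) + ".present", "").lower() == "true":
                hits["CVE-2023-20872"] = m.group(1)
    return hits

def audit(vmx_text, product, version):
    """List (CVE, setting) pairs that still apply to this VM on this host."""
    installed = tuple(int(p) for p in version.split("."))
    if installed[0] != {"Workstation": 17, "Fusion": 13}[product]:
        raise ValueError("advisory covers only Workstation 17.x / Fusion 13.x")
    hits = exposed_features(parse_vmx(vmx_text))
    return sorted((cve, where) for cve, where in hits.items()
                  if installed < FIXED[cve][product])
```

A host on Workstation 17.0.1 or Fusion 13.0.1 is already fixed for
CVE-2023-20872 but still reports both Bluetooth issues until it reaches
17.0.2 or 13.0.2.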

4. References

Fixed Version(s) and Release Notes:

VMware Fusion 13.0.2:
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/info/slug/desktop_end_user_computing/vmware_fusion/13_0
https://docs.vmware.com/en/VMware-Fusion/13.0.2/rn/vmware-fusion-1302-release-notes/index.html

VMware Workstation 17.0.2:
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/info/slug/desktop_end_user_computing/vmware_workstation_pro/17_0
https://docs.vmware.com/en/VMware-Workstation-Pro/17.0.2/rn/vmware-workstation-1702-pro-release-notes/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20869
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20870
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20871
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20872

FIRST CVSSv3 Calculator:
CVE-2023-20869: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2023-20870: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2023-20871: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
CVE-2023-20872: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

5. Change Log

2023-04-25 VMSA-2023-0008
Initial security advisory.

6. Contact
E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055 

VMware Security Advisories
https://www.vmware.com/security/advisories 

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html 

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html 

VMware Security & Compliance Blog  
https://blogs.vmware.com/security 

Twitter
https://twitter.com/VMwareSRC

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================