===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.2370
     VMware Workstation and Fusion updates address multiple security
                              vulnerabilities
                               26 April 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Workstation Pro / Player (Workstation)
                   VMware Fusion
Publisher:         VMware
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-20872 CVE-2023-20871 CVE-2023-20870
                   CVE-2023-20869

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2023-0008.html

Comment: CVSS (Max):  9.3 CVE-2023-20869 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: VMware
         Calculator:
         https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Critical

Advisory ID:   VMSA-2023-0008
CVSSv3 Range:  7.3-9.3
Issue Date:    2023-04-25
Updated On:    2023-04-25 (Initial Advisory)
CVE(s):        CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, CVE-2023-20872
Synopsis:      VMware Workstation and Fusion updates address multiple security
               vulnerabilities (CVE-2023-20869, CVE-2023-20870, CVE-2023-20871,
               CVE-2023-20872)

1. Impacted Products

  o VMware Workstation Pro / Player (Workstation)
  o VMware Fusion

2. Introduction

Multiple security vulnerabilities in VMware Workstation and Fusion were
privately reported to VMware. Updates and workarounds are available to
remediate these vulnerabilities in the affected VMware products.

3a. Stack-based buffer-overflow vulnerability in bluetooth device-sharing
    functionality (CVE-2023-20869)

Description

VMware Workstation and Fusion contain a stack-based buffer-overflow
vulnerability that exists in the functionality for sharing host Bluetooth
devices with the virtual machine.
VMware has evaluated the severity of this issue to be in the Critical
severity range with a maximum CVSSv3 base score of 9.3.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine
may exploit this issue to execute code as the virtual machine's VMX process
running on the host.

Resolution

To remediate CVE-2023-20869 update to the version listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2023-20869 have been listed in the 'Workarounds' column
of the 'Response Matrix' below.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank STAR Labs, working with the Pwn2Own 2023 Security
Contest, for reporting this issue to us.

Response Matrix

Product      Version  Running  CVE Identifier  CVSSv3  Severity  Fixed    Workarounds  Additional
                      On                                         Version               Documentation
Workstation  17.x     Any      CVE-2023-20869  9.3     critical  17.0.2   KB91760      None
Fusion       13.x     OS X     CVE-2023-20869  9.3     critical  13.0.2   KB91760      None

3b. Information disclosure vulnerability in bluetooth device-sharing
    functionality (CVE-2023-20870)

Description

VMware Workstation and Fusion contain an out-of-bounds read vulnerability
that exists in the functionality for sharing host Bluetooth devices with the
virtual machine.

VMware has evaluated the severity of this issue to be in the Important
severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine
may be able to read privileged information contained in hypervisor memory
from a virtual machine.

Resolution

To remediate CVE-2023-20870 update to the version listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2023-20870 have been listed in the 'Workarounds' column
of the 'Response Matrix' below.

Additional Documentation

None.

Notes

None.
Acknowledgements

VMware would like to thank STAR Labs, working with the Pwn2Own 2023 Security
Contest, for reporting this issue to us.

Response Matrix

Product      Version  Running  CVE Identifier  CVSSv3  Severity   Fixed    Workarounds  Additional
                      On                                          Version               Documentation
Workstation  17.x     Any      CVE-2023-20870  7.1     important  17.0.2   KB91760      None
Fusion       13.x     OS X     CVE-2023-20870  7.1     important  13.0.2   KB91760      None

3c. VMware Fusion Raw Disk local privilege escalation vulnerability
    (CVE-2023-20871)

Description

VMware Fusion contains a local privilege escalation vulnerability.

VMware has evaluated the severity of this issue to be in the Important
severity range with a maximum CVSSv3 base score of 7.3.

Known Attack Vectors

A malicious actor with read/write access to the host operating system can
elevate privileges to gain root access to the host operating system.

Resolution

To remediate CVE-2023-20871 update to the version listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Beist, Chpie, Silenos, and Jz of LINE Security for
reporting this issue to us.

Response Matrix

Product      Version  Running  CVE Identifier  CVSSv3  Severity   Fixed    Workarounds  Additional
                      On                                          Version               Documentation
Fusion       13.x     OS X     CVE-2023-20871  7.3     important  13.0.2   None         None

3d. Out-of-bounds read/write vulnerability (CVE-2023-20872)

Description

VMware Workstation and Fusion contain an out-of-bounds read/write
vulnerability in SCSI CD/DVD device emulation.

VMware has evaluated the severity of this issue to be in the Important
severity range with a maximum CVSSv3 base score of 7.7.

Known Attack Vectors

A malicious attacker with access to a virtual machine that has a physical
CD/DVD drive attached and configured to use a virtual SCSI controller may be
able to exploit this vulnerability to execute code on the hypervisor from a
virtual machine.
Resolution

To remediate CVE-2023-20872 update to the version listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2023-20872 have been listed in the 'Workarounds' column
of the 'Response Matrix' below.

Additional Documentation

None.

Notes

Successful exploitation of this issue requires a physical CD/DVD drive
attached to the virtual machine configured to use a virtual SCSI controller.

Acknowledgements

VMware would like to thank Wenxu Yin of 360 Vulnerability Research Institute
for reporting this issue to us.

Response Matrix

Product      Version  Running  CVE Identifier  CVSSv3  Severity   Fixed    Workarounds  Additional
                      On                                          Version               Documentation
Workstation  17.x     Any      CVE-2023-20872  7.7     important  17.0.1   KB91949      None
Fusion       13.x     OS X     CVE-2023-20872  7.7     important  13.0.1   KB91949      None

4. References

Fixed Version(s) and Release Notes:

VMware Fusion 13.0.2
Downloads and Documentation:
   https://customerconnect.vmware.com/downloads/info/slug/
   desktop_end_user_computing/vmware_fusion/13_0
   https://docs.vmware.com/en/VMware-Fusion/13.0.2/rn/
   vmware-fusion-1302-release-notes/index.html

VMware Workstation 17.0.2
Downloads and Documentation:
   https://customerconnect.vmware.com/downloads/info/slug/
   desktop_end_user_computing/vmware_workstation_pro/17_0
   https://docs.vmware.com/en/VMware-Workstation-Pro/17.0.2/rn/
   vmware-workstation-1702-pro-release-notes/index.html

Mitre CVE Dictionary Links:
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20869
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20870
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20871
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20872

FIRST CVSSv3 Calculator:
CVE-2023-20869:
   https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/
   PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2023-20870:
   https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/
   PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2023-20871:
   https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/
   PR:L/UI:N/S:U/C:H/I:L/A:H
CVE-2023-20872:
   https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/
   PR:N/UI:R/S:C/C:H/I:H/A:H

5. Change Log

2023-04-25 VMSA-2023-0008
Initial security advisory.

6. Contact

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
   https://www.vmware.com/security/advisories

VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
   https://blogs.vmware.com/security

Twitter
   https://twitter.com/VMwareSRC

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.
Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

   https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
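A worked example of the remediation check the Response Matrix above implies: given a product and an installed version string, report which of the four CVEs the build still lacks a fix for, and the workaround KB the matrix lists for each. This is an example added to this page, not VMware's or AusCERT's code; the fixed versions and KB numbers are copied from the matrix, and the installed version strings are constructed sample input.

```python
"""Compare an installed Workstation/Fusion version against VMSA-2023-0008.

Note that CVE-2023-20872 was fixed one release earlier (17.0.1 / 13.0.1)
than the other three (17.0.2 / 13.0.2), so a host on 17.0.1 is patched
for one CVE and still exposed to the rest.
"""
from __future__ import annotations

# Fixed versions from the Response Matrix, keyed by product then CVE.
RESPONSE_MATRIX: dict[str, dict[str, str]] = {
    "Workstation": {"CVE-2023-20869": "17.0.2", "CVE-2023-20870": "17.0.2",
                    "CVE-2023-20872": "17.0.1"},
    "Fusion": {"CVE-2023-20869": "13.0.2", "CVE-2023-20870": "13.0.2",
               "CVE-2023-20871": "13.0.2", "CVE-2023-20872": "13.0.1"},
}

# Workaround KB articles from the matrix; None where the advisory lists none.
WORKAROUNDS: dict[str, str | None] = {
    "CVE-2023-20869": "KB91760", "CVE-2023-20870": "KB91760",
    "CVE-2023-20871": None, "CVE-2023-20872": "KB91949",
}


def parse_version(version: str) -> tuple[int, ...]:
    """'17.0.1 build-00000000' -> (17, 0, 1); any build suffix is ignored."""
    return tuple(int(part) for part in version.split()[0].split("."))


def open_cves(product: str, installed: str) -> dict[str, str | None]:
    """Return {CVE: workaround KB or None} for fixes the build does not have.

    Only the 17.x / 13.x branches covered by the matrix are evaluated; a
    version from another major branch raises rather than being reported clean.
    """
    fixes = RESPONSE_MATRIX[product]
    have = parse_version(installed)
    branch = parse_version(next(iter(fixes.values())))[0]
    if have[0] != branch:
        raise ValueError(f"{product} {installed} is not in the {branch}.x branch")
    return {cve: WORKAROUNDS[cve] for cve, fixed in fixes.items()
            if have < parse_version(fixed)}


if __name__ == "__main__":
    # Constructed sample inventory; the build number is a placeholder.
    for product, ver in [("Workstation", "17.0.1 build-00000000"),
                         ("Fusion", "13.0.0"), ("Workstation", "17.0.2")]:
        print(product, ver, "->", open_cves(product, ver) or "fully patched")
```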