"Critical Flaw Patched in VMware Workstation and Fusion"

VMware has recently addressed multiple security vulnerabilities in its Workstation and Fusion products. The vulnerabilities, identified as CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, and CVE-2023-20872, were privately reported to VMware and have CVSS v3.x scores between 7.3 and 9.3.

VMware noted that one of the flaws, CVE-2023-20869, is a stack-based buffer overflow vulnerability in the functionality for sharing host Bluetooth devices with the virtual machine (VM). A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. VMware has evaluated this bug as being of Critical severity with a maximum CVSS v3.x base score of 9.3.

Another vulnerability, CVE-2023-20870, is an out-of-bounds read flaw in the same Bluetooth functionality. VMware has evaluated this vulnerability as Important, with a maximum CVSS v3.x base score of 7.1.

CVE-2023-20871, on the other hand, is a local privilege escalation vulnerability in VMware Fusion. VMware has evaluated this vulnerability as Important, with a maximum CVSS v3.x base score of 7.3.

Finally, CVE-2023-20872 is an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation in VMware Workstation and Fusion. VMware has evaluated this bug as being of Important severity with a maximum CVSS v3.x base score of 7.7.

VMware has released updates and workarounds to remediate these vulnerabilities in the affected products.

Infosecurity reports: "Critical Flaw Patched in VMware Workstation and Fusion"