Critical Vulnerability in VMware Workstation and Fusion (CVE-2023-20869)

Advisory No: TZCERT/SA/2023/04/28

Date of First Release: 28^th April 2023

Source: VMware

Software Affected: VMware Workstation17.x and VMware Fusion 13.x

Overview:

VMware has released patches to address a critical vulnerability affecting VMware Workstation and VMware Fusion. The vulnerability could allow an attacker to take control of affected system.

Description:

VMware Workstation and VMware Fusion are infected with a stack-based buffer-overflow vulnerability in the functionality for sharing host Bluetooth devices with the virtual machine. The vulnerability allows a malicious an actor with local privilege to execute code as virtual machine’s VMX process running on the host. 

Impact:

Successful exploitation of this vulnerability may allow the attacker to control of the affected system.

Solution:

VMware has released patches for this vulnerability. Users and administrators are encouraged to apply necessary updates.

References:

1. https://www.vmware.com/security/advisories/VMSA-2023-0008.html
2. https://docs.vmware.com/en/VMware-Fusion/13.0.2/rn/vmware-fusion-1302-release-notes/index.html
3. https://docs.vmware.com/en/VMware-Workstation-Pro/17.0.2/rn/vmware-workstation-1702-pro-release-notes/index.html