VMware has patched a critical Bluetooth bug in its Workstation Pro, Workstation Player, and Fusion products, disclosed by STAR Labs at Pwn2Own.
The vendor’s advisory explains that CVE-2023-20869 is a stack-based overflow in the Bluetooth device-sharing functionality.
Even though it’s only exploitable by an attacker with local virtual machine admin privileges, the company still rated the bug as “critical”, with a CVSS score of 9.3.
An attacker could “exploit this issue to execute code as the virtual machine's VMX process running on the host”, the company said.
The advisory also details several other bugs attributed to STAR Labs, rated as “high” severity.
CVE-2023-20870 is an information disclosure vulnerability due to an out-of-bounds read, giving the attacker a vector to read privileged information in hypervisor memory.
CVE-2023-20871 only affects Fusion. It’s a local privilege escalation bug that lets an attacker get root access to the host operating system.
Finally, CVE-2023-20872 is an out-of-bounds read in the software’s SCSI CD/DVD emulation.
“A malicious attacker with access to a virtual machine that has a physical CD/DVD drive attached and configured to use a virtual SCSI controller may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine,” the advisory stated.
Vulnerable versions of Workstation are in the 17.x branch and have been patched in 17.0.2, while the Fusion 13.x branch has been patched in 13.0.2.
