VMware has released patches for four vulnerabilities affecting two of its products.
The vulnerabilities could be used by malicious actors to steal sensitive information from flawed endpoints, but also to mount denial-of-service (DoS) attacks, and run malicious code.
The vulnerable products are Workstation and Fusion, versions 17.x and 13.x respectively. The earliest fixed versions are 17.5.2 for Workstation, and 13.5.2 for Fusion.
Chinese abuse
The vulnerabilities are tracked as CVE-2024-22267 (severity score 9.3, a use-after-free flaw in Bluetooth), CVE-2024-22268 (severity score 7.1, heap buffer-overflow bug in Shader), CVE-2024-22269 (severity score 7.1, an information disclosure flaw in Bluetooth), and CVE-2024-22270 (severity score 7.1, an information disclosure bug in Host Guest File Sharing).
Due to VMware’s gear being quite popular, it is often targeted by hackers, which is why all users are advised to apply the patches as soon as possible. Those that cannot apply the patch immediately should deploy a workaround, by turning off Bluetooth support on the virtual machine, as well as by disabling 3D acceleration. While these mitigations can help with the majority of the flaws, there is no other fix for CVE-2024-22270 other than the patch.
Earlier this year, it was reported that Chinese state-sponsored hackers known as UNC3886 were abusing a zero-day vulnerability in VMware devices for years.
A report from Mandiant claimed the group used the flaw to deploy malware, steal credentials, and ultimately exfiltrate sensitive data. The patch for the flaw was released in late October 2023. Two months ago, VMware patched two critical vulnerabilities in its ESXi, Workstation, and Fusion products.
These vulnerabilities, however, were first reported to VMware by Gwangun Jung & Junoh Lee of Theori and STAR Labs SG, during the Pwn2Own 2024 Security Contest, the company acknowledged.
Via The Hacker News