
Alert: VMware Security Updates – April 2023

VMware has released security updates to address zero-day vulnerabilities that could be chained to gain code execution on systems running unpatched versions of the company's Workstation and Fusion software hypervisors.
 
The security updates, released for VMware Workstation and Fusion, address the following vulnerabilities, including zero-days:
 
  • CVE-2023-20869: Stack-based buffer-overflow vulnerability in Bluetooth device-sharing functionality.
  • CVE-2023-20870: Information disclosure vulnerability in Bluetooth device-sharing functionality.
  • CVE-2023-20871: VMware Fusion Raw Disk local privilege escalation vulnerability.
  • CVE-2023-20872: Out-of-bounds read/write vulnerability.
 
Affected Systems
 
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion
 
Security Risks
 
The identified vulnerabilities pose significant security risks that could lead to data loss, service interruptions or the compromise of sensitive information. It is crucial to install the necessary updates to mitigate these risks and ensure the security of the affected systems.
 
Recommended Actions
 
The National Cyber Security Authority (NCSA) strongly recommends that system administrators:
 
  • Follow the VMware advisory to lower the risk of potential exploits, protect systems, and ensure their security.
  • Apply the required and latest security updates as soon as possible.
The released software versions to upgrade to are the following:
  • Before any update task, please ensure you have a recent backup that can easily be restored.
 
For further information and support, please contact NCSA by email at rwcsirt@ncsa.gov.rw or call us on 9009.
 
References
 
For advisories addressing lower severity vulnerabilities, see VMware Security advisories:
https://www.vmware.com/security/advisories/VMSA-2023-0008.html
https://www.vmware.com/security/advisories.html
 

02 May 2023
