Table of Contents
  • Home
  • /
  • Blog
  • /
  • How to Patch Four New Vulnerabilities in VMWare Workstation and Fusion?
April 28, 2023
|
7m

How to Patch Four New Vulnerabilities in VMWare Workstation and Fusion?


How To Patch Four New Vulnerabilities In Vmware Workstation And Fusion

Four new vulnerabilities in VMware Workstation and Fusion have been reported recently. These vulnerabilities are CVE-2023-20872, CVE-2023-20871, CVE-2023-20870, and CVE-2023-20869. The first two vulnerabilities have been reported by Trend Micro’s Zero Day Initiative, while the other two were reported to VMware directly by the researchers who discovered them.  

In this blog post, you will learn the details of each vulnerability, the products affected by them, and how to patch these in the affected products. 

A Short Introduction About VMWare Workstation and Fusion

VMware offers two desktop virtualization options: Fusion for macOS, and Workstation for Linux and Windows OSes. Both Fusion and Workstation are designed to run desktop virtualization software. Below is a short description for each: 

VMware Workstation

VMware Workstation is a suite of Desktop Hypervisor products to help you run containers, virtual machines, and Kubernetes clusters. While using Linux or Windows, you need to run a different OS, and that can be done via VMware Workstation

You can also share access to VMs with your co-workers via LAN without needing to purchase new hardware. There are two different clone features of Workstation: 

  • Linked Clones: You can duplicate a VM and save physical disk space. 

  • Full Clones: You can create fully isolated duplicates that you can share with others. 

VMware Fusion

VMware Fusion enables you to run other OSes on your Mac. With Fusion, you can easily install and run software that is not normally available on Mac. You also get some paid software for free if it’s also free for another OS. 

Summary of the Four New Vulnerabilities in VMWare Workstation and Fusion

CVE-2023-20869

  • Severity: Critical

  • CVSS score: 9.3 

  • Vector: Currently, analysts have not associated any vector for this vulnerability. 

CVE-2023-20869 is a security vulnerability found in VMware Workstation (versions 17. x) and VMware Fusion (versions 13. x). This vulnerability is classified as critical and involves a stack-based buffer-overflow issue that occurs when sharing host Bluetooth devices with a virtual machine. 

Attackers who have local administrative privileges can exploit this vulnerability to execute code as the VMX process of the virtual machine on the host system. VMware has provided this information and advised users to take appropriate measures to mitigate the risk of exploitation.

CVE-2023-20870

  • Severity: High

  • CVSS score: 7.1

  • Vector: Currently, analysts have not associated any vector for this vulnerability. 

CVE-2023-20870 is an out-of-bounds read vulnerability with similar features as CVE-2023-20869. When malicious actors with local administrative privileges on a virtual machine exploit the vulnerability, they can read the privileged information contained in the hypervisor memory. 

CVE-2023-20871

  • Severity: High

  • CVSS score: 7.3

  • Vector: Currently, analysts have not associated any vector for this vulnerability. 

A local privilege escalation vulnerability, CVE-2023-20871, only affects VMware fusion. When exploited, this vulnerability could allow a threat actor that has read/write access to the host operating system, to get into root access. 

CVE-2023-20872

  • Severity: High

  • CVSS score: 7.7

  • Vector: Currently, analysts have not associated any vector for this vulnerability. 

The vulnerability identified as CVE-2023-20872 is related to out-of-bounds read/write issues in the emulation of SCSI CD/DVD devices. An attacker could potentially exploit this vulnerability to execute code on the hypervisor from a virtual machine. 

However, to perform this attack, the attacker must have access to a virtual machine with a physical CD/DVD drive connected and set up to use a virtual SCSI controller.

Affected VMWare Products

Following are the two versions affected by these vulnerabilities: 

ProductsVersions 
VMware Workstation Pro v17. x 
VMware Fusion V13. x.

How to Patch Four New Vulnerabilities in VMWare Workstation and Fusion?

To patch the vulnerabilities in the affected product versions, update:

  • VMware Workstation Pro v17.x to Pro v17.2

  • Vmware Fusion v13.x. to VMware Fusion v13.2

Some workaround is also available for all vulnerabilities except for CVE-2023-20871:

  • To mitigate CVE-2023-20869 and CVE-2023-20870 vulnerabilities, it is recommended to disable Bluetooth support on the affected virtual machine. 

  • For CVE-2023-20872, users can remove the CD/DVD device from the virtual machine or configure the virtual machine to not use the SCSI controller.

How to Upgrade VMWare Workstation to v17.2?

Upgrading to the latest version of Workstation Pro from a previous version is simple and straightforward. All you need to do is run the installation program, and the previous version of Workstation Pro will be uninstalled automatically before installing the new version.

However, to fully enjoy the latest features, any virtual machines that were created in the previous versions of Workstation should be upgraded to the current version of Workstation Pro.

Step 1. Check the Current Version

Open VMware Workstation on your computer.Click on the “Help” menu in the top navigation bar.Select “About VMware Workstation” from the dropdown menu.A pop-up window will appear showing the current version of VMware Workstation.

Step 2. Download the Latest Version

Open your web browser and select the version of VMware Workstation that matches your operating system.Click on the “Download Now” button to start downloading the installer file.

Step 3. Install VMware Workstation 17.2

Navigate to the folder where the installer file was downloaded.Double-click on the installer file to launch the installation wizard.Follow the on-screen instructions to complete the installation process.Once the installation is complete, restart your computer.

Step 4. Verify the Upgrade

Open VMware Workstation on your computer.Click on the “Help” menu in the top navigation bar.Select “About VMware Workstation” from the dropdown menu.A pop-up window will appear showing the new version number of the VMware Workstation.

How to Upgrade VMWare Fusion to v13.2?

Below are the steps that you can follow to upgrade VMware Fusion to v13.2: 

1. Check Compatibility

Before upgrading to VMWare Fusion v13.2, make sure that your Mac meets the minimum system requirements for the new version.

2. Download the Upgrade

Download the VMWare Fusion v13.2 upgrade from the official VMWare website.

3. Install the Upgrade

Once the download is complete, double-click the installation file and follow the on-screen instructions to install the upgrade. You may need to enter your admin username and password.

4. Restart VMWare Fusion

After the installation is complete, restart VMWare Fusion to finalize the upgrade.

5. Verify the Upgrade

Once VMWare Fusion is up and running, verify that the new version (v13.2) is installed and working correctly. Check the version number in the “About VMWare Fusion” section to confirm the upgrade.

Wrap up

Patching these four new vulnerabilities in VMware Workstation and Fusion is critical to the integrity and security of virtual machines. These vulnerabilities include out-of-bounds read/write, local privilege escalation vulnerabilities, and stack-based buffer-overflow vulnerabilities. Upgrading the Workstation and Fusion products to the latest versions can significantly reduce the risk of cyber-attacks and data breaches on virtual machines. 

We hope this post would help you know know how to patch four new vulnerabilities in VMWare Workstation and Fusion. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, Medium & Instagram, and subscribe to receive updates like this. 

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Vulnerabilities

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe