Multiple security flaws have been disclosed in VMware Workstation and Fusion products that could be exploited by threat actors to access sensitive information, trigger a denial-of-service (DoS) condition, and execute code under certain circumstances.
The four vulnerabilities impact Workstation versions 17.x and Fusion versions 13.x, with fixes available in version 17.5.2 and 13.5.2, respectively, the Broadcom-owned virtualization services provider said.
A brief description of each of the flaws is below –
As temporary workarounds until the patches can be deployed, users are advised to turn off the Bluetooth support on the virtual machine and disable 3D acceleration feature. There are no mitigations that address CVE-2024-22270 other than updating to the latest version.
It’s worth noting that CVE-2024-22267, CVE-2024-22269, and CVE-2024-22270 were originally demonstrated by STAR Labs SG and Theori at the Pwn2Own hacking contest held in Vancouver earlier this March.
The advisory comes more than two months after the company released patches to address four security flaws impacting ESXi, Workstation, and Fusion, including two critical flaws (CVE-2024-22252 and CVE-2024-22253, CVSS scores: 9.3/8.4)that could lead to code execution.