VMware fixed four security vulnerabilities in the Workstation and Fusion desktop hypervisors, including three zero-days exploited during the Pwn2Own Vancouver 2024 hacking contest.
Probably the most severe flaw patched today is CVE-2024-22267, a use-after-free flaw in the vbluetooth device demoed by the STAR Labs SG and Theori teams.
“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the company explains in a security advisory published on Tuesday.
VMware also provides a temporary workaround for admins who can’t immediately install today’s security updates. This workaround requires them to turn off the virtual machine’s Bluetooth support by unchecking the ‘Share Bluetooth devices with the virtual machine’ option.
Two more high-severity security bugs tracked as CVE-2024-22269 and CVE-2024-22270, reported by Theori and STAR Labs SG, are information disclosure vulnerabilities that allow attackers with local admin privileges to read privileged information from a virtual machine’s hypervisor memory.
The fourth VMware Workstation and Fusion vulnerability fixed today (tracked as CVE-2024-22268) is caused by a heap buffer overflow weakness in the Shader functionality. A security researcher also reported it through Trend Micro’s Zero Day Initiative.
“A malicious actor with non-administrative access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to create a denial of service condition,” VMware says.
However, successfully exploiting this security flaw requires 3D graphics to be enabled on the targeted virtual machine.
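An added example, not code from VMware or from this article: a small auditor that reads a VM's .vmx file and reports whether Bluetooth sharing (the CVE-2024-22267 workaround) and 3D graphics (the CVE-2024-22268 precondition) are switched on. The key names `usb.vbluetooth.startConnected` and `mks.enable3d` are assumptions that do not appear in the article, and the sample .vmx content is constructed.

```python
import re

# Assumed .vmx keys (not named in the article): where Workstation/Fusion
# commonly store the Bluetooth-sharing checkbox and the 3D graphics setting.
CHECKS = {
    "usb.vbluetooth.startconnected": "CVE-2024-22267 (vbluetooth use-after-free)",
    "mks.enable3d": "CVE-2024-22268 (Shader heap overflow, needs 3D graphics)",
}
LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {lowercased key: value}; the last assignment of a key wins."""
    settings = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue  # skip comment lines
        m = LINE.match(raw)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def audit_vmx(text):
    """Map each checked issue to 'enabled', 'disabled' or 'unset'."""
    settings = parse_vmx(text)
    report = {}
    for key, issue in CHECKS.items():
        value = settings.get(key)
        if value is None:
            state = "unset"  # key absent: confirm the setting in the VM's UI
        elif value.strip().lower() in ("true", "1", "yes"):
            state = "enabled"  # lenient match so odd spellings are not missed
        else:
            state = "disabled"
        report[issue] = state
    return report

# Constructed sample .vmx content, not taken from a real VM.
SAMPLE_VMX = '''
.encoding = "UTF-8"
displayName = "build-agent-01"
usb.present = "TRUE"
usb.vbluetooth.startConnected = "TRUE"
mks.enable3d = "FALSE"
'''

if __name__ == "__main__":
    for issue, state in audit_vmx(SAMPLE_VMX).items():
        print(f"{state:8} {issue}")
```

A key reported as "unset" is not evidence that the feature is off, so those VMs still need a manual check until the updates are installed.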
Pwn2Own Vancouver 2024 results
Security researchers collected $1,132,500 after demoing 29 zero-days (and a few bug collisions) at this year’s Vancouver hacking contest, while Manfred Paul emerged as the winner with $202,500 in cash after taking down the Apple Safari, Google Chrome, and Microsoft Edge web browsers.
During the contest, the STAR Labs SG team earned $30,000 after chaining two VMware Workstation security flaws to gain remote code execution.
Theori security researchers Gwangun Jung and Junoh Lee also went home with $130,000 in cash for escaping a VMware Workstation VM to gain code execution as SYSTEM on the host Windows OS using an exploit chain targeting three vulnerabilities: an uninitialized variable bug, a UAF weakness, and a heap-based buffer overflow.
Google and Mozilla also fixed several zero-days exploited at Pwn2Own Vancouver 2024 within days after the contest ended, with Mozilla releasing patches one day later and Google after just five days.
However, vendors usually take their time to fix security flaws demonstrated at Pwn2Own, as they have 90 days to push patches before Trend Micro’s Zero Day Initiative publicly discloses bug details.