Broadcom Releases Security Updates for VMware Workstation and VMware Fusion
Advisory addresses four security vulnerabilities
Affected platforms
The following platforms are known to be affected:
Threat details
New location for VMware advisories
As of 6 May 2024, all past and future VMware Security Advisories will be hosted on the Broadcom Support Portal. This VMware Security Advisory web page will not be updated after that date.
Exception: VMware Security Advisories with content that is only relevant to products in the End User Computing division (e.g., Workspace ONE UEM) will continue to be hosted on the VMware site.
Introduction
Broadcom has released an advisory that addresses four security vulnerabilities in VMware Workstation and VMware Fusion. VMware Workstation is a line of desktop hypervisor products that let users run virtual machines, containers, and Kubernetes clusters. VMware Fusion is the hypervisor developed for macOS systems.
- CVE-2024-22267: An attacker with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.
- CVE-2024-22268: An attacker with non-administrative access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to create a denial-of-service condition.
- CVE-2024-22269: An attacker with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.
- CVE-2024-22270: An attacker with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.
Remediation advice
Affected organisations are encouraged to review Broadcom's VMware advisory VMSA-2024-0010 and apply the relevant updates.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 15 May 2024 4:25 pm