"Critical Flaw Patched in VMware Workstation and Fusion"
VMware has recently addressed multiple security vulnerabilities in its Workstation and Fusion products. The vulnerabilities, identified as CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, and CVE-2023-20872, were privately reported to VMware and have CVSS v3.x scores between 7.3 and 9.3.

VMware noted that one of the flaws, CVE-2023-20869, is a stack-based buffer overflow vulnerability in the functionality for sharing host Bluetooth devices with the virtual machine (VM). A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. VMware has evaluated this bug as Critical severity with a maximum CVSS v3.x base score of 9.3.

Another vulnerability, CVE-2023-20870, is an out-of-bounds read flaw in the same Bluetooth functionality. VMware has evaluated this vulnerability as Important, with a maximum CVSS v3.x base score of 7.1.

VMware noted that CVE-2023-20871, on the other hand, is a local privilege escalation vulnerability in VMware Fusion. VMware has evaluated this vulnerability as Important, with a maximum CVSS v3.x base score of 7.3.

Finally, CVE-2023-20872 is an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation in VMware Workstation and Fusion. VMware has evaluated this bug as Important severity with a maximum CVSS v3.x base score of 7.7.

VMware has released updates and workarounds to remediate these vulnerabilities in the affected products.
Infosecurity reports: "Critical Flaw Patched in VMware Workstation and Fusion"