
=====================================================================

                             CERT-Renater

                  Information Note No. 2023/VULN050

_____________________________________________________________________

DATE                : 03/02/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running VMware Workstation versions
                      prior to 17.0.1.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2023-0003.html
_____________________________________________________________________


Advisory ID: VMSA-2023-0003
CVSSv3 Range: 7.8
Issue Date: 2023-02-02
Updated On: 2023-02-02 (Initial Advisory)
CVE(s): CVE-2023-20854
Synopsis: VMware Workstation update addresses an arbitrary file
deletion vulnerability (CVE-2023-20854)


1. Impacted Products

   o VMware Workstation


2. Introduction

An arbitrary file deletion vulnerability in VMware
Workstation was privately reported to VMware. Updates
are available to remediate this vulnerability in the
affected VMware product.


3. Arbitrary file deletion vulnerability (CVE-2023-20854)


Description

VMware Workstation contains an arbitrary file deletion vulnerability.
VMware has evaluated the severity of this issue to be in the Important
severity range with a maximum CVSSv3 base score of 7.8.

Known Attack Vectors

A malicious actor with local user privileges on the victim's machine
may exploit this vulnerability to delete arbitrary files from the
file system of the machine on which Workstation is installed.


Resolution

To remediate CVE-2023-20854, update to the version listed in the
'Fixed Version' column of the 'Response Matrix' found below.


Workarounds

None.


Additional Documentation

None.


Notes

None.


Acknowledgements

VMware would like to thank Frederik Reiter of cirosec GmbH for
reporting this issue to us.

Response Matrix

Product                  : VMware Workstation
Version                  : 17.x
Running On               : Windows
CVE Identifier           : CVE-2023-20854
CVSSv3                   : 7.8
Severity                 : Important
Fixed Version            : 17.0.1
Workarounds              : None
Additional Documentation : None


4. References

Fixed Version(s) and Release Notes:

VMware Workstation 17.0.1:
Downloads and Documentation:
https://customerconnect.vmware.com/en/downloads/info/slug/desktop_end_user_computing/vmware_workstation_pro/17_0
https://docs.vmware.com/en/VMware-Workstation-Pro/17.0.1/rn/vmware-workstation-1701-pro-release-notes/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20854

FIRST CVSSv3 Calculator:
CVE-2023-20854:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


5. Change Log

2023-02-02 VMSA-2023-0003
Initial security advisory.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


