=====================================================================

                              CERT-Renater

                    Information Note No. 2023/VULN426

_____________________________________________________________________

DATE                : 20/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Workstation versions prior to 17.5,
                     VMware Fusion versions prior to 13.5.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2023-0022.html
_____________________________________________________________________


Important

Advisory ID:    VMSA-2023-0022
CVSSv3 Range:   6.6-7.1
Issue Date:     2023-10-19
Updated On:     2023-10-19 (Initial Advisory)
CVE(s):         CVE-2023-34044, CVE-2023-34045, CVE-2023-34046

Synopsis:
VMware Fusion and Workstation updates address privilege escalation
and information disclosure vulnerabilities (CVE-2023-34044,
CVE-2023-34045, CVE-2023-34046)


1. Impacted Products

     VMware Workstation Pro / Player (Workstation)
     VMware Fusion


2. Introduction

Multiple security vulnerabilities in VMware Workstation and Fusion
were responsibly reported to VMware. Updates are available to remediate
these vulnerabilities in the affected VMware products.

3a. Information disclosure vulnerability in Bluetooth device-sharing
functionality (CVE-2023-34044)

Description

VMware Workstation and Fusion contain an out-of-bounds read vulnerability
that exists in the functionality for sharing host Bluetooth devices with
the virtual machine. VMware has evaluated the severity of this issue to
be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual
machine may be able to read privileged information contained in
hypervisor memory from a virtual machine.

Resolution

To remediate CVE-2023-34044, update to the version listed in the
'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

KB91760

Additional Documentation

None

Notes

This issue exists because Workstation 17.0.2 and Fusion 13.0.2,
released on April 25, 2023, did not address CVE-2023-20870 completely.

Acknowledgements

VMware would like to thank Gwangun Jung (@pr0Ln) at THEORI working
with Trend Micro Zero Day Initiative for reporting this issue to us.

Response Matrix

Product      Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
Workstation  17.x     Any         CVE-2023-34044  7.1     important  17.5           KB91760      None
Fusion       13.x     OS X        CVE-2023-34044  7.1     important  13.5           KB91760      None

3b. VMware Fusion TOCTOU local privilege escalation vulnerability
(CVE-2023-34046)

Description

VMware Fusion contains a TOCTOU (Time-of-check Time-of-use)
vulnerability that occurs during installation for the first time
(the user needs to drag or copy the application to a folder from
the '.dmg' volume) or when installing an upgrade. VMware has
evaluated the severity of this issue to be in the Moderate
severity range with a maximum CVSSv3 base score of 6.7.

Known Attack Vectors

A malicious actor with local non-administrative user privileges may
exploit this vulnerability to escalate privileges to root on the
system where Fusion is installed or being installed for the first
time.

Resolution

To remediate CVE-2023-34046, update to the version listed in the
'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None

Additional Documentation

None

Notes

This will not occur if the user follows the usual process of
double-clicking the application in the '.dmg' volume when
running the installer for the first time.

Acknowledgements

VMware would like to thank Mickey Jin (@patch1t) for reporting
this issue to us.


Response Matrix

Product      Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
Fusion       13.x     OS X        CVE-2023-34046  6.7     moderate   13.5           None         None

3c. VMware Fusion installer local privilege escalation
(CVE-2023-34045)

Description

VMware Fusion contains a local privilege escalation vulnerability that
occurs during installation for the first time (the user needs to drag
or copy the application to a folder from the '.dmg' volume) or when
installing an upgrade. VMware has evaluated the severity of this
issue to be in the Moderate severity range with a maximum CVSSv3 base
score of 6.6.

Known Attack Vectors

A malicious actor with local non-administrative user privileges may
exploit this vulnerability to escalate privileges to root on the system
where Fusion is installed or being installed for the first time.

Resolution

To remediate CVE-2023-34045, update to the version listed in the
'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None

Additional Documentation

None

Notes

This will not occur if the user follows the usual process of
double-clicking the application in the '.dmg' volume when running
the installer for the first time.

Acknowledgements

VMware would like to thank Mickey Jin (@patch1t) for reporting this
issue to us.

Response Matrix

Product      Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
Fusion       13.x     OS X        CVE-2023-34045  6.6     moderate   13.5           None         None


4. References

Fixed Version(s) and Release Notes:

WS Pro 17.5

Downloads and Documentation:

https://customerconnect.vmware.com/downloads/info/slug/desktop_end_user_computing/vmware_workstation_pro/17_0

https://docs.vmware.com/en/VMware-Workstation-Pro/17.5/rn/vmware-workstation-175-pro-release-notes/index.html

WS Player 17.5

Downloads and Documentation

https://customerconnect.vmware.com/downloads/info/slug/desktop_end_user_computing/vmware_workstation_player/17_0

https://docs.vmware.com/en/VMware-Workstation-Player/17.5/rn/vmware-workstation-175-player-release-notes/index.html

Fusion 13.5

Downloads and Documentation

https://customerconnect.vmware.com/en/downloads/info/slug/desktop_end_user_computing/vmware_fusion/13_0

https://docs.vmware.com/en/VMware-Fusion/13.5/rn/vmware-fusion-135-release-notes/index.html

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34045
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34044


FIRST CVSSv3 Calculator:
CVE-2023-34045: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CVE-2023-34044: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVE-2023-34046: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H


5. Change Log

2023-10-19 VMSA-2023-0022
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

VMware Security Advisories

https://www.vmware.com/security/advisories

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog

https://blogs.vmware.com/security

Twitter

https://twitter.com/VMwareSRC


Copyright 2023 VMware Inc. All rights reserved.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
