======================================================================

                                 CERT-Renater

                       Note d'Information No. 2024/VULN236
_____________________________________________________________________

DATE                : 14/05/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware Workstation versions
                       prior to 17.5.2,
                      VMware Fusion versions prior to 13.5.2.

=====================================================================
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280
_____________________________________________________________________

VMware Workstation and Fusion updates address multiple security
vulnerabilities (CVE-2024-22267, CVE-2024-22268, CVE-2024-22269,
CVE-2024-22270)

Product/Component

VMware Fusion
VMware Workstation Player
VMware Workstation Pro

Notification Id
24280

Last Updated
14 May 2024

Initial Publication Date
14 May 2024

Status
CLOSED

Severity
CRITICAL

CVSS Base Score
7.1-9.3

WorkAround
None

Affected CVE
CVE-2024-22267, CVE-2024-22268, CVE-2024-22269, CVE-2024-22270

Advisory ID:        VMSA-2024-0010
Advisory Severity:  Critical
CVSSv3 Range:       7.1-9.3
Synopsis:           VMware Workstation and Fusion updates address
                    multiple security vulnerabilities (CVE-2024-22267,
                    CVE-2024-22268, CVE-2024-22269, CVE-2024-22270)
Issue date:         2024-05-14
Updated on:         2024-05-14 (Initial Advisory)
CVE(s):             CVE-2024-22267, CVE-2024-22268, CVE-2024-22269,
                    CVE-2024-22270

1. Impacted Products

     VMware Workstation Pro / Player (Workstation)
     VMware Fusion

2. Introduction

Multiple security vulnerabilities in VMware Workstation and Fusion
were privately reported to VMware. Updates and workarounds are
available to remediate these vulnerabilities in the affected VMware
products.

3a. VMware Workstation and Fusion vbluetooth use-after-free
vulnerability (CVE-2024-22267)
Description: VMware Workstation and Fusion contain a use-after-free
vulnerability in the vbluetooth device. VMware has evaluated the
severity of this issue to be in the Critical severity range with a
maximum CVSSv3 base score of 9.3.

Known Attack Vectors:
A malicious actor with local administrative privileges on a virtual
machine may exploit this issue to execute code as the virtual
machine's VMX process running on the host.

Resolution: To remediate CVE-2024-22267 update to the version listed in the
'Fixed Version' column of the 'Response Matrix' found below.

Workarounds:
Workarounds for CVE-2024-22267 have been listed in the
'Workarounds' column of the 'Response Matrix' below.

Additional Documentation:
None

Acknowledgments:
VMware would like to thank Gwangun Jung (@pr0ln) & Junoh Lee
(@bbbig12) of Theori (@theori_io) and STAR Labs SG working with
the Pwn2Own 2024 Security Contest for independently reporting
this issue to us.

Notes:
None

Response Matrix:

VMware Product  Version  Running On  CVE             CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Workstation     17.x     Any         CVE-2024-22267  9.3     Critical  17.5.2         KB91760      None
Fusion          13.x     OS X        CVE-2024-22267  9.3     Critical  13.5.2         KB91760      None


3b. VMware Workstation and Fusion Shader heap buffer-overflow
vulnerability (CVE-2024-22268)
Description: VMware Workstation and Fusion contain a heap buffer-overflow
vulnerability in the Shader functionality. VMware has evaluated the
severity of this issue to be in the Important severity range with a
maximum CVSSv3 base score of 7.1.

Known Attack Vectors:
A malicious actor with non-administrative access to a virtual machine
with 3D graphics enabled may be able to exploit this vulnerability to
create a denial of service condition.

Resolution: To remediate CVE-2024-22268 update to the version listed in the
'Fixed Version' column of the 'Response Matrix' found below.

Workarounds:
Workarounds for CVE-2024-22268 have been listed in the 'Workarounds'
column of the 'Response Matrix' below.

Additional Documentation:
None

Acknowledgments:
VMware would like to thank Pwn2car working with Trend Micro Zero Day
Initiative for reporting this issue to us.

Notes:
Successful exploitation of this issue requires 3D graphics to be
enabled on the virtual machine.

Response Matrix:

VMware Product  Version  Running On  CVE             CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
Workstation     17.x     Windows     CVE-2024-22268  7.1     Important  17.5.2         KB59146      None
Fusion          13.x     OS X        CVE-2024-22268  7.1     Important  13.5.2         KB59146      None

3c. VMware Workstation and Fusion vbluetooth information disclosure
vulnerability (CVE-2024-22269)
Description: VMware Workstation and Fusion contain an information disclosure
vulnerability in the vbluetooth device. VMware has evaluated the
severity of this issue to be in the Important severity range with
a maximum CVSSv3 base score of 7.1.

Known Attack Vectors:
A malicious actor with local administrative privileges on a virtual
machine may be able to read privileged information contained in
hypervisor memory from a virtual machine.

Resolution: To remediate CVE-2024-22269 update to the version listed in the
'Fixed Version' column of the 'Response Matrix' found below.

Workarounds:
Workarounds for CVE-2024-22269 have been listed in the 'Workarounds'
column of the 'Response Matrix' below.

Additional Documentation:
None

Acknowledgments:
VMware would like to thank Gwangun Jung (@pr0ln) & Junoh Lee
(@bbbig12) of Theori (@theori_io) working with the Pwn2Own 2024
Security Contest for reporting this issue to us.

Notes:
None

Response Matrix:

VMware Product  Version  Running On  CVE             CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
Workstation     17.x     Any         CVE-2024-22269  7.1     Important  17.5.2         KB91760      None
Fusion          13.x     OS X        CVE-2024-22269  7.1     Important  13.5.2         KB91760      None

3d. VMware Workstation and Fusion HGFS information disclosure
vulnerability (CVE-2024-22270)
Description: VMware Workstation and Fusion contain an information disclosure
vulnerability in the Host Guest File Sharing (HGFS) functionality.
VMware has evaluated the severity of this issue to be in the
Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors:
A malicious actor with local administrative privileges on a virtual
machine may be able to read privileged information contained in
hypervisor memory from a virtual machine.

Resolution: To remediate CVE-2024-22270 update to the version listed in the
'Fixed Version' column of the 'Response Matrix' found below.

Workarounds:
None

Additional Documentation:
None

Acknowledgments:
VMware would like to thank STAR Labs SG working with the Pwn2Own
2024 Security Contest for reporting this issue to us.

Notes:
None.

Response Matrix:

VMware Product  Version  Running On  CVE             CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
Workstation     17.x     Any         CVE-2024-22270  7.1     Important  17.5.2         None         None
Fusion          13.x     OS X        CVE-2024-22270  7.1     Important  13.5.2         None         None
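
Added example (not part of the VMware advisory or of any VMware tool): a
triage helper that applies the four Response Matrix tables above to an
installed version string and a VM's .vmx text. The function names, the
sample .vmx content and the use of the mks.enable3d key as the 3D graphics
switch are assumptions; the "Running On" column is not modelled.

```python
import re

# Transcribed from the Response Matrix tables of this advisory.
FIXED = {"workstation": (17, 5, 2), "fusion": (13, 5, 2)}
CVES = {  # CVE -> (max CVSSv3, workaround KB or None)
    "CVE-2024-22267": (9.3, "KB91760"),
    "CVE-2024-22268": (7.1, "KB59146"),
    "CVE-2024-22269": (7.1, "KB91760"),
    "CVE-2024-22270": (7.1, None),
}

# Constructed sample .vmx content, not taken from a real machine.
SAMPLE_VMX = '''.encoding = "UTF-8"
displayName = "constructed-test-vm"
mks.enable3d = "FALSE"
'''

def parse_version(text):
    """'17.5.1 build-1234' -> (17, 5, 1); missing parts count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_vmx(text):
    """Parse 'key = "value"' lines into a dict with lower-cased keys."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*([^#\s=]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def exposure(product, installed, vmx_text):
    """Return {cve: advice} for issues not yet remediated on this host/VM."""
    fixed = FIXED[product.lower()]
    if parse_version(installed) >= fixed:
        return {}
    # Assumption: mks.enable3d is the .vmx key for 3D graphics. Only an
    # explicit FALSE removes CVE-2024-22268; an absent key stays flagged.
    no_3d = parse_vmx(vmx_text).get("mks.enable3d", "").upper() == "FALSE"
    findings = {}
    for cve, (score, kb) in CVES.items():
        if cve == "CVE-2024-22268" and no_3d:
            continue  # advisory note: exploitation requires 3D graphics
        target = ".".join(map(str, fixed))
        findings[cve] = f"CVSS {score}: update to {target}; workaround: {kb}"
    return findings
```

A VM with 3D graphics explicitly disabled drops CVE-2024-22268 from the
result, but the other three entries remain until the host product is
updated to the fixed version.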

4. References:

Fixed Version(s) and Release Notes:

Workstation Pro 17.5.2
Downloads and Documentation
https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware%20Workstation%20Pro
https://docs.vmware.com/en/VMware-Workstation-Pro/17.5.2/rn/vmware-workstation-1752-pro-release-notes/index.html

Fusion 13.5.2
Downloads and Documentation
https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware%20Fusion
https://docs.vmware.com/en/VMware-Fusion/13.5.2/rn/vmware-fusion-1352-release-notes/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22267 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22268 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22269 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22270

FIRST CVSSv3 Calculator:
CVE-2024-22267:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2024-22268:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2024-22269:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2024-22270:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N


5. Change Log:

2024-05-14 VMSA-2024-0010
Initial security advisory.


6. Contact:

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2024 Broadcom. All rights reserved.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
