VMware has released patches for four vulnerabilities affecting two of its products.
The vulnerabilities can be used by malicious actors to steal sensitive information from flawed endpoints, as well as to conduct denial-of-service (DoS) attacks and execute malicious code.
The vulnerable products are Workstation and Fusion, versions 17.x and 13.x respectively. The first fixed versions are 17.5.2 for Workstation and 13.5.2 for Fusion.
Chinese abuse
The vulnerabilities are tracked as CVE-2024-22267 (severity score 9.3, a use-after-free bug in Bluetooth), CVE-2024-22268 (severity score 7.1, heap buffer overflow bug in Shader), CVE- 2024-22269 (severity score 7.1, an information disclosure flaw in Bluetooth) and CVE-2024-22270 (severity score 7.1, an information disclosure flaw in host guest file sharing).
Because VMware equipment is quite popular, it is often targeted by hackers. Therefore, all users are advised to apply the patches as soon as possible. Those who cannot immediately apply the patch should work around it by disabling Bluetooth support on the virtual machine and by disabling 3D acceleration. While these fixes can help with the majority of bugs, there is no fix for CVE-2024-22270 other than the patch.
Earlier this year, it was reported that Chinese state hackers known as UNC3886 had been exploiting a zero-day vulnerability in VMware devices for years.
A report from Mandiant claimed that the group used the flaw to deploy malware, steal credentials, and ultimately exfiltrate sensitive data. The patch for the bug was released in late October 2023. Two months ago, VMware patched two critical vulnerabilities in its ESXi, Workstation and Fusion products.
However, these vulnerabilities were first reported to VMware by Gwangun Jung & Junoh Lee of Theori and STAR Labs SG, during the Pwn2Own 2024 Security Contest, the company acknowledged.
Through The hacker news