VMware has fixed zero-day vulnerabilities demonstrated at Pwn2Own 2024.

Recent security updates from VMware have addressed a number of vulnerabilities in their Workstation and Fusion software products for desktop PCs. Among the fixed issues were three zero-day vulnerabilities that were demonstrated at the international security competition Pwn2Own, held in Vancouver in 2024. Details about the vulnerabilities that the company successfully mitigated are presented below.

Vulnerabilities

• The first vulnerability, designated asCVE-2024-22267The issue (with a CVSS rating of 9.3) lies in the use-after-free vulnerability in the Bluetooth device. An individual with local administrative rights on a virtual machine can exploit this vulnerability to execute arbitrary code on behalf of the VMX process of the virtual machine on the host.
• The second vulnerability,CVE-2024-22268The vulnerability (CVSS 7.1) is related to a buffer overflow in the heap memory that occurs while working with shaders. An attacker with access to a virtual machine with 3D graphics support enabled can exploit this vulnerability to create a denial of service condition.
• Third vulnerability,CVE-2024-22269The vulnerability (CVSS 7.1) is related to information leakage through a Bluetooth device.

For users awaiting fixes, the company is offering temporary measures such as disabling Bluetooth support and 3D acceleration until patches are released to address vulnerabilities, includingCVE-2024-22267,CVE-2024-22269andCVE-2024-22270However, the company does not provide any recommendations for mitigating the impact of the vulnerability.CVE-2024-22270.

These vulnerabilities were demonstrated during the Pwn2Own hacking competition in March 2024 by the teams STAR Labs SG and Theori. In an official statement, VMware expressed gratitude to Gwan Jung and Juno Lee from Theori, as well as STAR Labs SG for their independent reporting of the identified issues. Stay updated on security news on Twitter, as well as on Facebook and Mastodon.