VMSA-2023-0022

VMware Security Advisory

Important

Advisory ID:
VMSA-2023-0022

CVSSv3 Range:
6.6-7.1

Issue Date:
2023-10-19

Updated On:
2023-10-19 (Initial Advisory)

CVE(s):
CVE-2023-34044, CVE-2023-34045, CVE-2023-34046

Synopsis:
VMware Fusion and Workstation updates address privilege escalation and information disclosure vulnerabilities (CVE-2023-34044, CVE-2023-34045, CVE-2023-34046)

1. Impacted Products

VMware Workstation Pro / Player (Workstation)
VMware Fusion

2. Introduction

Multiple security vulnerabilities in VMware Workstation and Fusion were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in the affected VMware products.

3a. Information disclosure vulnerability in bluetooth device-sharing functionality (CVE-2023-34044)

Description

VMware Workstation and Fusion contain an out-of-bounds read vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.

Resolution

To remediate CVE-2023-34044 update to the version listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds

KB91760

Additional Documentation

None

Notes

This issue exists because Workstation 17.0.2 and Fusion 13.0.2, released on April 25, 2023 did not address CVE-2023-20870 completely.

Acknowledgements

VMware would like to thank Gwangun Jung (@pr0Ln) at THEORI working with Trend Micro Zero Day Initiative for reporting this issue to us.

Response Matrix

Product
Version
Running On
CVE Identifier
CVSSv3
Severity
Fixed Version
Workarounds
Additional Documentation

Workstation

17.x

Any

CVE-2023-34044

7.1

important

17.5

KB91760

None

Fusion

13.x

OS X

CVE-2023-34044

7.1

important

13.5

KB91760

None

3b. VMware Fusion TOCTOU local privilege escalation vulnerability (CVE-2023-34046)

Description

VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during installation for the first time (the user needs to drag or copy the application to a folder from the ‘.dmg’ volume) or when installing an upgrade. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.7.

Known Attack Vectors

A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed or being installed for the first time.

Resolution

To remediate CVE-2023-34046 update to the version listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds

None

Additional Documentation

None

Notes

This will not occur if the user follows the usual process of double-clicking the application in the ‘.dmg’ volume when running the installer for the first time.
 

Acknowledgements

VMware would like to thank Mickey Jin (@patch1t) for reporting this issue to us.

Response Matrix

Product
Version
Running On
CVE Identifier
CVSSv3
Severity
Fixed Version
Workarounds
Additional Documentation

Fusion

13.x

OS X

CVE-2023-34046

6.7

moderate

13.5

None

None

3c. VMware Fusion installer local privilege escalation (CVE-2023-34045)

Description

VMware Fusion contains a local privilege escalation vulnerability that occurs during installation for the first time (the user needs to drag or copy the application to a folder from the ‘.dmg’ volume) or when installing an upgrade. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.6.

Known Attack Vectors

A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed or being installed for the first time.

Resolution

To remediate CVE-2023-34045 update to the version listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds

None

Additional Documentation

None

Notes

This will not occur if the user follows the usual process of double-clicking the application in the ‘.dmg’ volume when running the installer for the first time.
 

Acknowledgements

VMware would like to thank Mickey Jin (@patch1t) for reporting this issue to us.

Response Matrix

Product
Version
Running On
CVE Identifier
CVSSv3
Severity
Fixed Version
Workarounds
Additional Documentation

Fusion

13.x

OS X

CVE-2023-34045

6.6

moderate

13.5

None

None

4. References

Fixed Version(s) and Release Notes:
WS Pro 17.5
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/info/slug/desktop_end_user_computing/vmware_workstation_pro/17_0
https://docs.vmware.com/en/VMware-Workstation-Pro/17.5/rn/vmware-workstation-175-pro-release-notes/index.html
WS Player 17.5
Downloads and Documentation
https://customerconnect.vmware.com/downloads/info/slug/desktop_end_user_computing/vmware_workstation_player/17_0
https://docs.vmware.com/en/VMware-Workstation-Player/17.5/rn/vmware-workstation-175-player-release-notes/index.html
Fusion 13.5
Downloads and Documentation
https://customerconnect.vmware.com/en/downloads/info/slug/desktop_end_user_computing/vmware_fusion/13_0
https://docs.vmware.com/en/VMware-Fusion/13.5/rn/vmware-fusion-135-release-notes/index.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34045 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34046 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34044
 
FIRST CVSSv3 Calculator: CVE-2023-34045: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CVE-2023-34044:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2023-34046: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

5. Change Log

2023-10-19 VMSA-2023-0022 Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 
 
This Security Advisory is posted to the following lists:  
security-announce@lists.vmware.com  
bugtraq@securityfocus.com  
fulldisclosure@seclists.org 
 
E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055 
 
VMware Security Advisories
https://www.vmware.com/security/advisories 
 
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html 
 
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html 
 
VMware Security & Compliance Blog  
https://blogs.vmware.com/security 
 
Twitter

 
Copyright 2023 VMware Inc. All rights reserved.  

CLICK FOR MORE INFORMATION