Multiple Vulnerabilities in VMWare Workstation and Fusion
17 May 2024
VMware has released security updates addressing multiple vulnerabilities (CVE-2024-22267, CVE-2024-22268, CVE-2024-22269 and CVE-2024-22270) affecting their Workstation and Fusion products.
The vulnerabilities are:
CVE-2024-22267: A use-after-free vulnerability in the Bluetooth device that could be exploited by a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host
CVE-2024-22268: A heap buffer-overflow vulnerability in the Shader functionality that could be exploited by a malicious actor with non-administrative access to a virtual machine with 3D graphics enabled to create a denial-of-service (DoS) condition
CVE-2024-22269: An information disclosure vulnerability in the Bluetooth device that could be exploited by a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory from a virtual machine
CVE-2024-22270: An information disclosure vulnerability in the Host Guest File Sharing (HGFS) functionality that could be exploited by a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory from a virtual machine
The vulnerabilities affect the following products:
Workstation versions earlier than 17.5.2
Fusion versions earlier than 13.5.2
Users and administrators of affected products are advised to update to the latest versions immediately.
Users and administrators who are unable to update their affected products immediately are advised to turn off Bluetooth support on the virtual machine and disable the 3D acceleration feature as a mitigation measure for CVE-2024-22267, CVE-2024-22268 and CVE-2024-22269. There is no mitigation for CVE-2024-22270 other than updating to the latest version.
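As an added illustration, not part of this advisory or of VMware's own tooling: a small Python audit that parses a Workstation/Fusion .vmx configuration file and reports which of the interim mitigations above are in place, then checks a product version against the fixed releases. The .vmx keys `usb.vbluetooth.startConnected` and `mks.enable3d` follow VMware's configuration conventions (assumed here; confirm against your product documentation), and the sample file content is constructed.

```python
"""Audit a VMware .vmx file for the interim mitigations in this advisory."""
import re
from typing import Dict, List

# Constructed sample .vmx fragment (not from a real VM): both risky features enabled.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "lab-vm"
mks.enable3d = "TRUE"
usb.vbluetooth.startConnected = "TRUE"
'''

# Assumed .vmx keys: a value of TRUE means the feature is enabled and the
# listed CVEs remain reachable; FALSE or absent means the feature is off.
MITIGATIONS = {
    "usb.vbluetooth.startConnected": ("Bluetooth", ["CVE-2024-22267", "CVE-2024-22269"]),
    "mks.enable3d": ("3D acceleration", ["CVE-2024-22268"]),
}

# Fixed versions from the advisory; anything earlier is affected.
FIXED_VERSIONS = {"workstation": (17, 5, 2), "fusion": (13, 5, 2)}

_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict; keys are lower-cased."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def audit(cfg: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {feature: CVEs still exposed} for each feature left enabled."""
    exposed: Dict[str, List[str]] = {}
    for key, (feature, cves) in MITIGATIONS.items():
        if cfg.get(key.lower(), "FALSE").strip().upper() == "TRUE":
            exposed[feature] = list(cves)
    return exposed


def is_patched(product: str, version: str) -> bool:
    """True if the installed version is at or above the fixed version."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED_VERSIONS[product.lower()]
    return parts + (0,) * (len(fixed) - len(parts)) >= fixed
```

CVE-2024-22270 (HGFS) has no configuration mitigation, so a VM on an unpatched host is always exposed to it regardless of what `audit` reports.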
More information is available here:
https://thehackernews.com/2024/05/vmware-patches-severe-security-flaws-in.html
https://www.bleepingcomputer.com/news/security/vmware-fixes-three-zero-day-bugs-exploited-at-pw