VMware Workstation and Fusion Buffer Overflow Vulnerability
Key Information
- Vendor
- VMware
- Status
- VMware Workstation Pro / Player (Workstation) and VMware Fusion
- Vendor
- CVE Published:
- 25 April 2023
Summary
CVE-2023-20869 is a critical stack-based buffer overflow vulnerability in VMware Workstation and Fusion that could allow a malicious actor with local admin privileges to execute code as the virtual machine's VMX process running on the host. VMware has patched the vulnerability, along with three other security vulnerabilities. It was also exploited during the Pwn2Own Vancouver event, earning the contestant $80,000. The patch was released in late April, and organizations are urged to update their affected products promptly to mitigate the risk of exploitation. Exploitation could result in unauthorized access to and control over affected systems, with potential impacts including data breaches, system compromise, and further spread of malware.
Affected Version(s)
VMware Workstation Pro / Player (Workstation) and VMware Fusion: VMware Workstation (17.x) and VMware Fusion (13.x)
News Articles
Support Content Notification - Support Portal - Broadcom support portal
VMSA-2023-0008: VMware Workstation and Fusion updates address multiple security vulnerabilities Advisory ID: ...
6 months ago
Critical Flaw Patched in VMware Workstation and Fusion
A malicious actor with local admin privileges could exploit the vulnerability to escape from the VM
6 months ago
Zero Day Initiative — CVE-2023-20869/20870: Exploiting VMware Workstation at Pwn2Own Vancouver
This post covers an exploit chain demonstrated by Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) of STAR Labs SG Pte. Ltd. during the Pwn2Own Vancouver event in 2023. During the contest, he used an uninitialized variable bug and a stack-based buffer overflow in VMware to escalate from a guest OS t
1 year ago
Timeline
- 👾 Exploit exists.
- First article discovered by Help Net Security
- Vulnerability published.
- Vulnerability Reserved.