VMware fixed four security vulnerabilities in the Workstation and Fusion desktop hypervisors, including three zero-days exploited during the Pwn2Own Vancouver 2024 hacking contest. The most severe flaw patched today is CVE-2024-22267, a use-after-free flaw in the vbluetooth device demoed by the STAR Labs SG and Theori teams.
"A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host," the company explains in a
security advisory published on Tuesday.
VMware also provides a
temporary workaround for admins who cannot immediately install today's security updates. This workaround requires them to turn off the virtual machine's Bluetooth support by unchecking the 'Share Bluetooth devices with the virtual machine' option.
Two more high-severity security bugs tracked as CVE-2024-22269 and CVE-2024-22270, reported by Theori and STAR Labs SG, are information disclosure vulnerabilities that allow attackers with local admin privileges to read privileged information from a virtual machine's hypervisor memory.
