Update now: Critical flaw in VMware Fusion and VMware Workstation
VMware has fixed four vulnerabilities in its virtualization software, including two that were exploited at the 2023 Pwn2Own contest. Three of these vulnerabilities have been given an "Important" severity rating, while the last one (CVE-2023-20869) is classified as "Critical".

The four vulnerabilities are as follows:

1. CVE-2023-20869: A "Critical" flaw affecting Fusion and Workstation, a stack-based buffer overflow in the functionality for sharing host Bluetooth devices with the virtual machine.
2. CVE-2023-20870: An "Important" flaw affecting Fusion and Workstation, also in the sharing of host Bluetooth devices, which allows an attacker to read privileged information stored in the hypervisor's memory from inside the virtual machine.
3. CVE-2023-20871: An "Important" flaw affecting only Fusion, enabling an attacker with read/write access to the host operating system to elevate their privileges and gain root access on the host.
4. CVE-2023-20872: An "Important" flaw affecting Fusion and Workstation, allowing a virtual machine with a physical CD/DVD drive attached to execute code on the hypervisor if the drive is configured to use a virtual SCSI controller.

All four issues are addressed by updating to the latest version of the affected software: VMware Fusion 13.0.2 and VMware Workstation 17.0.2.

Workarounds are available for CVE-2023-20869, CVE-2023-20870, and CVE-2023-20872: turn off Bluetooth support for the virtual machine, remove the CD/DVD device from the virtual machine, or configure the virtual machine's CD/DVD device not to use a virtual SCSI controller.

CVEs: CVE-2023-20870, CVE-2023-20871, CVE-2023-20872, CVE-2023-20869

[View Article](https://www.malwarebytes.com/blog/news/2023/04/update-now-vmware-issues-updates-for-multiple-vulnerabilities)
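The workarounds above map onto settings in a virtual machine's `.vmx` file, so an administrator with a fleet of VMs can check for the exposed configurations before the hosts are updated. The script below is an added example, not code from the article or from VMware. It parses the flat `key = "value"` format of a `.vmx` file, flags Bluetooth sharing and a physical CD/DVD drive on a virtual SCSI controller, and compares a product version against the fixed releases named in the article. The VMX keys it relies on (`usb.vbluetooth.startConnected`, `scsiN:M.deviceType`, `scsiN:M.present`) and the meaning of the `cdrom-raw` device type are assumptions about VMware's configuration format that are not stated on the page; the sample `.vmx` content is constructed.

```python
"""Audit VMware .vmx files for the configurations the advisory's workarounds address."""
import re
from typing import Dict, List

# Fixed releases named in the article.
FIXED_VERSIONS = {"fusion": (13, 0, 2), "workstation": (17, 0, 2)}

# A .vmx line looks like:  key = "value"   (assumption: keys are case-insensitive)
_KV = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"?([^"]*)"?\s*$')

# Constructed sample: one VM sharing host Bluetooth and exposing a
# physical CD/DVD drive through a virtual SCSI controller. The ISO on the
# SATA controller is deliberately included and should not be flagged.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "20"
displayName = "build-box"
usb.present = "TRUE"
usb.vbluetooth.startConnected = "TRUE"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsisas1068"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "build-box.vmdk"
scsi0:1.present = "TRUE"
scsi0:1.deviceType = "cdrom-raw"
scsi0:1.fileName = "auto detect"
sata0:1.present = "TRUE"
sata0:1.deviceType = "cdrom-image"
sata0:1.fileName = "installer.iso"
"""


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse .vmx text into a dict; keys are lower-cased for case-insensitive lookup."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def audit_vmx(cfg: Dict[str, str]) -> List[str]:
    """Return one finding per setting that matches an exposure the workarounds cover."""
    findings: List[str] = []

    # Bluetooth sharing (CVE-2023-20869, CVE-2023-20870).
    # Assumption: usb.vbluetooth.startConnected = TRUE means host Bluetooth
    # devices are shared with the guest.
    if _is_true(cfg.get("usb.vbluetooth.startconnected", "")):
        findings.append(
            "usb.vbluetooth.startConnected is TRUE: host Bluetooth is shared with "
            "the guest; set it to FALSE until the host runs a fixed release")

    # Physical CD/DVD drive on a virtual SCSI controller (CVE-2023-20872).
    # Assumption: deviceType "cdrom-raw" is a pass-through physical drive,
    # "cdrom-image" is an ISO; a device is absent unless .present = TRUE.
    for key, val in cfg.items():
        m = re.match(r"^(scsi\d+:\d+)\.devicetype$", key)
        if not m:
            continue
        dev = m.group(1)
        present = _is_true(cfg.get(f"{dev}.present", "false"))
        if present and val.lower() == "cdrom-raw":
            findings.append(
                f"{dev} is a physical CD/DVD drive on a virtual SCSI controller; "
                "remove the device or attach it to a non-SCSI controller")
    return findings


def needs_update(product: str, version: str) -> bool:
    """True when a Fusion/Workstation version is older than the fixed release."""
    parts = tuple(int(p) for p in version.split("."))
    parts = (parts + (0, 0, 0))[:3]
    return parts < FIXED_VERSIONS[product.lower()]


if __name__ == "__main__":
    for finding in audit_vmx(parse_vmx(SAMPLE_VMX)):
        print("FINDING:", finding)
    print("Fusion 13.0.1 needs update:", needs_update("fusion", "13.0.1"))
```

Run it against each `.vmx` under your VM directory (for example by reading the files and passing their contents to `parse_vmx`); an empty finding list means neither workaround applies to that VM, though updating the host remains the actual fix.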