VMware released security updates to address zero-day vulnerabilities that could be chained together to gain code execution on systems running unpatched versions of the company's Workstation and Fusion software hypervisors.

The two flaws were part of an exploit chain demonstrated by security researchers from the STAR Labs team a month ago, on day two of the Pwn2Own Vancouver 2023 hacking contest.

Vendors have 90 days to fix zero-day bugs exploited and disclosed during Pwn2Own before Trend Micro's Zero Day Initiative releases technical details.

The first vulnerability (CVE-2023-20869) is a stack-based buffer overflow in the Bluetooth Device Sharing feature that allows local attackers to execute code as the virtual machine's VMX process running on the host.

The second bug fixed today (CVE-2023-20870) is an information disclosure weakness in the same feature for sharing host Bluetooth devices with the VM, which allows malicious actors to read privileged information contained in hypervisor memory from within a VM.

VMware also shared a temporary workaround for administrators who cannot immediately deploy fixes for both flaws to their systems.

To remove the attack vector, administrators can also disable Bluetooth support on the virtual machine by unchecking the "Share Bluetooth devices with the virtual machine" option on affected systems.

The company today patched two more security vulnerabilities affecting VMware Workstation and Fusion hosted hypervisors.

CVE-2023-20871 is a high-severity VMware Fusion Raw Disk local elevation of privilege vulnerability that can be exploited by attackers with read/write access to the host operating system to elevate privileges and obtain root access to the host operating system.

A fourth bug (tracked as CVE-2023-20872), described as an "out of bounds read/write vulnerability" in CD/DVD SCSI device emulation, affects both Workstation and Fusion.

It can be exploited by local attackers with access to virtual machines that have a physical CD/DVD drive attached and are configured to use a virtual SCSI controller, to obtain code execution on the hypervisor from the virtual machine.

A temporary workaround for CVE-2023-20872, which blocks exploitation attempts, requires administrators to "remove the CD/DVD device from the virtual machine or configure the virtual machine to NOT use a virtual SCSI controller".
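To check whether the two workarounds above (disabling Bluetooth sharing, and removing physical CD/DVD devices from virtual SCSI controllers) have actually been applied across a fleet, the following added script audits a VM's .vmx configuration text; it is example code written for this page, not VMware's own tooling, and it assumes that the `usb.vbluetooth.startConnected` key backs the "Share Bluetooth devices" option and that `cdrom-raw` / `atapi-cdrom` are the device types for a physical host drive.

```python
import re
from typing import Dict, List

# A .vmx file is a flat list of 'key = "value"' lines.
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

# Assumption: these deviceType values denote a physical (host) CD/DVD drive, not an ISO image.
PHYSICAL_CDROM_TYPES = {"cdrom-raw", "atapi-cdrom"}


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse .vmx key/value lines into a dict; keys are lower-cased for case-insensitive lookup."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def audit_vmx(cfg: Dict[str, str]) -> List[str]:
    """Report settings that leave either workaround unapplied."""
    findings: List[str] = []
    # Assumption: usb.vbluetooth.startConnected backs the "Share Bluetooth devices" checkbox.
    if cfg.get("usb.vbluetooth.startconnected", "").upper() == "TRUE":
        findings.append("CVE-2023-20869/CVE-2023-20870: Bluetooth device sharing is enabled")
    # CD/DVD devices attached to a virtual SCSI controller appear as scsiN:M.* keys.
    for key, value in cfg.items():
        m = re.match(r"^(scsi\d+:\d+)\.devicetype$", key)
        if (m and cfg.get(f"{m.group(1)}.present", "").upper() == "TRUE"
                and value.lower() in PHYSICAL_CDROM_TYPES):
            findings.append(f"CVE-2023-20872: physical CD/DVD {m.group(1)} on virtual SCSI controller ({value})")
    return findings


def audit_text(text: str) -> List[str]:
    return audit_vmx(parse_vmx(text))


# Constructed sample: Bluetooth sharing on, physical drive on SCSI, ISO image on SATA (not flagged).
SAMPLE_VMX = """\
displayName = "audit-sample"
usb.vbluetooth.startConnected = "TRUE"
scsi0.present = "TRUE"
scsi0:1.present = "TRUE"
scsi0:1.deviceType = "cdrom-raw"
sata0:1.present = "TRUE"
sata0:1.deviceType = "cdrom-image"
"""

if __name__ == "__main__":
    for finding in audit_text(SAMPLE_VMX):
        print(finding)
```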

Last week, VMware also patched a critical vRealize Log Insight vulnerability that can allow unauthenticated attackers to achieve remote code execution on vulnerable devices.
