May 14, 2024 at 10:48AM
VMware addressed four security vulnerabilities, including three zero-days exploited in the Pwn2Own Vancouver 2024 hacking contest. The most severe flaw, CVE-2024-22267, allows code execution as the virtual machine’s VMX process. Two other high-severity bugs (CVE-2024-22269 and CVE-2024-22270) enable information disclosure, and the fourth vulnerability (CVE-2024-22268) creates a denial of service condition. In the contest, security researchers demonstrated 29 zero-days, earning significant cash prizes.
VMware has fixed four security vulnerabilities in its Workstation and Fusion desktop hypervisors, including three zero-days that were exploited during the Pwn2Own Vancouver 2024 hacking contest. The most severe flaw patched is CVE-2024-22267, a use-after-free in the vbluetooth device, which a malicious actor with local administrative privileges can exploit to execute code as the virtual machine’s VMX process running on the host.
VMware has also provided a temporary workaround for admins who cannot immediately install the security updates: turn off the virtual machine’s Bluetooth support.
Two more high-severity bugs (CVE-2024-22269 and CVE-2024-22270) allow attackers with local admin privileges to read privileged information from a virtual machine’s memory. The fourth vulnerability (CVE-2024-22268) is a heap buffer overflow in the Shader functionality which, if exploited, can cause a denial of service on a virtual machine with 3D graphics enabled.
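A defender-side check for the two mitigations mentioned above (disabling Bluetooth sharing, and the exposure that comes with 3D graphics), added here as an example and not VMware's own tooling: it parses .vmx files and reports VMs that still have either feature switched on. The key names usb.vbluetooth.start.enabled and mks.enable3d, and treating an absent key as disabled, are assumptions to confirm against VMware's documentation.

```python
import re
from pathlib import Path

# Assumed .vmx keys (not quoted in the article): the Bluetooth-sharing switch
# and the 3D-acceleration switch. Absent key is treated as disabled here;
# confirm the product default before relying on that.
BLUETOOTH_KEY = "usb.vbluetooth.start.enabled"
ENABLE_3D_KEY = "mks.enable3d"

# One .vmx line looks like:  some.key = "value"
_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text: str) -> dict:
    """Parse key = "value" lines into a dict; keys lower-cased for comparison."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def audit_vmx(text: str) -> list:
    """Return the list of risky settings found in one .vmx file's contents."""
    s = parse_vmx(text)
    findings = []
    if _is_true(s.get(BLUETOOTH_KEY, "FALSE")):
        findings.append("bluetooth-sharing-enabled")   # CVE-2024-22267 workaround not applied
    if _is_true(s.get(ENABLE_3D_KEY, "FALSE")):
        findings.append("3d-graphics-enabled")         # exposed to the CVE-2024-22268 DoS
    return findings


def audit_directory(root: str) -> dict:
    """Map each .vmx file under root to its findings (only files with findings)."""
    results = {}
    for vmx in Path(root).rglob("*.vmx"):
        found = audit_vmx(vmx.read_text(errors="replace"))
        if found:
            results[str(vmx)] = found
    return results


# Constructed sample of a VM with both features on.
SAMPLE_VMX = '.encoding = "UTF-8"\nconfig.version = "8"\ndisplayName = "lab-vm"\n' \
             'usb.vbluetooth.start.enabled = "TRUE"\nmks.enable3d = "TRUE"\n'

if __name__ == "__main__":
    print(audit_vmx(SAMPLE_VMX))
```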
During the Pwn2Own Vancouver 2024 contest, security researchers collected $1,132,500 after demonstrating 29 zero-days. The STAR Labs SG team earned $30,000 for chaining two VMware Workstation security flaws to gain remote code execution, and Theori security researchers earned $130,000 for escaping a VMware Workstation VM to gain code execution as SYSTEM on the host Windows OS using an exploit chain targeting three vulnerabilities. Google and Mozilla fixed several zero-days exploited at the contest shortly after it ended.
It’s worth noting that vendors typically have 90 days to push patches before bug details are publicly disclosed by Trend Micro’s Zero Day Initiative.