VMware Patches Trio of Zero-Day Vulnerabilities Exposed at Pwn2Own 2024
May 14, 2024
VMware has issued patches for four security vulnerabilities in its Workstation and Fusion desktop hypervisors, three of which were zero-day vulnerabilities revealed during the Pwn2Own Vancouver 2024 hacking contest. The most critical bug addressed, designated as CVE-2024-22267, is a use-after-free flaw in the vbluetooth device, as demonstrated by the STAR Labs SG and Theori teams. According to the security advisory released by VMware, "A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host." VMware also offered a temporary workaround for administrators who are unable to immediately apply the security updates. This workaround involves disabling the virtual machine's Bluetooth support.
Two additional high-severity security bugs, CVE-2024-22269 and CVE-2024-22270, were reported by Theori and STAR Labs SG. These are information disclosure vulnerabilities that allow attackers with local admin privileges to read privileged information from a virtual machine's hypervisor memory. The fourth vulnerability fixed in VMware Workstation and Fusion (CVE-2024-22268) is a heap buffer overflow in the Shader functionality. It was reported by a security researcher through Trend Micro's Zero Day Initiative. VMware states that "A malicious actor with non-administrative access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to create a denial of service condition." Successful exploitation of this flaw therefore requires 3D graphics to be enabled on the targeted virtual machine.
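The Bluetooth workaround for CVE-2024-22267 and the 3D-graphics precondition for CVE-2024-22268 described above can be checked per VM from its .vmx configuration file. The following is an added example, not code from VMware or from the original article; the key names `usb.vbluetooth.startConnected` and `mks.enable3D`, and the choice to flag a missing key as "unset" for manual review, are assumptions, and the sample file content is constructed.

```python
import re

# Assumed .vmx keys (not named in the article): Workstation/Fusion store the
# "Share Bluetooth devices" and "Accelerate 3D graphics" settings under these.
BLUETOOTH_KEY = "usb.vbluetooth.startconnected"
GRAPHICS_3D_KEY = "mks.enable3d"
LINE_RE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {lowercased key: value}; the last assignment of a key wins."""
    settings = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2).strip()
    return settings


def state(settings, key):
    """'enabled', 'disabled', or 'unset' when the key is absent."""
    if key not in settings:
        return "unset"
    return "enabled" if settings[key].upper() == "TRUE" else "disabled"


def audit_vmx(text):
    """Flag the two guest features the advisory ties to exposure."""
    settings = parse_vmx(text)
    bluetooth = state(settings, BLUETOOTH_KEY)
    graphics = state(settings, GRAPHICS_3D_KEY)
    findings = []
    if bluetooth != "disabled":
        findings.append(f"Bluetooth sharing {bluetooth}: CVE-2024-22267 workaround not applied")
    if graphics != "disabled":
        findings.append(f"3D graphics {graphics}: CVE-2024-22268 precondition may be met")
    return {"bluetooth": bluetooth, "3d": graphics, "findings": findings}


# Constructed sample .vmx content, not taken from a real VM.
SAMPLE_VMX = '''
displayName = "build-agent-01"
usb.vbluetooth.startConnected = "TRUE"
mks.enable3D = "FALSE"
'''

if __name__ == "__main__":
    print(audit_vmx(SAMPLE_VMX))
```

Running `audit_vmx` over every .vmx file on a host gives a quick list of VMs that still need the workaround until the patched Workstation or Fusion build is installed.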
The Pwn2Own Vancouver 2024 hacking contest saw security researchers demonstrate 29 zero-days, earning a total of $1,132,500. Manfred Paul emerged as the winner, earning $202,500 for successfully hacking the Apple Safari, Google Chrome, and Microsoft Edge web browsers. The STAR Labs SG team earned $30,000 for chaining two VMware Workstation security flaws to achieve remote code execution. Theori security researchers Gwangun Jung and Junoh Lee earned $130,000 for escaping a VMware Workstation VM to gain code execution as SYSTEM on the host Windows OS using an exploit chain targeting three vulnerabilities.
Following the contest, Google and Mozilla quickly patched several zero-days that were exploited, with Mozilla releasing patches just one day later and Google within five days. However, vendors typically take their time to fix security flaws demonstrated at Pwn2Own, as they have 90 days to release patches before Trend Micro's Zero Day Initiative publicly discloses the bug details.