VMware Patches Trio of Zero-Day Vulnerabilities Exposed at Pwn2Own 2024

May 14, 2024

VMware has issued patches for four security vulnerabilities in its Workstation and Fusion desktop hypervisors, three of which were zero-day vulnerabilities revealed during the Pwn2Own Vancouver 2024 hacking contest. The most critical bug addressed, designated as CVE-2024-22267, is a use-after-free flaw in the vbluetooth device, as demonstrated by the STAR Labs SG and Theori teams. According to the security advisory released by VMware, "A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host." VMware also offered a temporary workaround for administrators who are unable to immediately apply the security updates. This workaround involves disabling the virtual machine's Bluetooth support.

Two additional high-severity security bugs, CVE-2024-22269 and CVE-2024-22270, were reported by Theori and STAR Labs SG. These are information disclosure vulnerabilities that allow attackers with local admin privileges to read privileged information from a virtual machine's hypervisor memory. The fourth vulnerability fixed in VMware Workstation and Fusion, CVE-2024-22268, is a heap buffer overflow in the Shader functionality. It was reported by a security researcher through Trend Micro's Zero Day Initiative. VMware states that "A malicious actor with non-administrative access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to create a denial of service condition." As the advisory wording indicates, successful exploitation of this flaw requires 3D graphics to be enabled on the targeted virtual machine.
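For hosts that cannot be patched right away, the two preconditions described above (Bluetooth support for CVE-2024-22267, 3D graphics for CVE-2024-22268) can be audited across `.vmx` files. The script below is an added example, not VMware's tooling; the key names `usb.vbluetooth.startConnected` and `mks.enable3D` are assumptions not given in the article, and a missing key is treated as "not confirmed disabled".

```python
import re
import sys

# Assumed .vmx key names (not given in the article); matched case-insensitively.
CHECKS = {
    "usb.vbluetooth.startconnected": "CVE-2024-22267",  # virtual Bluetooth device
    "mks.enable3d": "CVE-2024-22268",                   # 3D graphics (Shader overflow)
}
_SETTING = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse key = "value" lines; a later duplicate key overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit_vmx(text):
    """Return (states, needs_action). A key that is absent counts as 'unset' and is
    still reported, because the feature is then not confirmed to be disabled."""
    settings = parse_vmx(text)
    states, needs_action = {}, []
    for key, cve in CHECKS.items():
        if key not in settings:
            states[key] = "unset"
        elif settings[key].upper() == "TRUE":
            states[key] = "enabled"
        else:
            states[key] = "disabled"
        if states[key] != "disabled":
            needs_action.append(cve)
    return states, needs_action

# Constructed sample configurations, not taken from a real VM.
SAMPLE_EXPOSED = 'displayName = "build-vm"\nusb.vbluetooth.startConnected = "TRUE"\nmks.enable3D = "TRUE"\n'
SAMPLE_HARDENED = 'displayName = "build-vm"\nusb.vbluetooth.startConnected = "FALSE"\nmks.enable3D = "FALSE"\n'

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            states, cves = audit_vmx(fh.read())
        print(path, states, "review: " + ", ".join(cves) if cves else "ok")
```

Run it with one or more `.vmx` paths as arguments; the two information disclosure bugs (CVE-2024-22269, CVE-2024-22270) have no configuration precondition in the article and are not covered by this check.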

The Pwn2Own Vancouver 2024 hacking contest saw security researchers demonstrate 29 zero-days, earning a total of $1,132,500. Manfred Paul emerged as the winner, earning $202,500 for successfully hacking the Apple Safari, Google Chrome, and Microsoft Edge web browsers. The STAR Labs SG team earned $30,000 for chaining two VMware Workstation security flaws to achieve remote code execution. Theori security researchers Gwangun Jung and Junoh Lee earned $130,000 for escaping a VMware Workstation VM to gain code execution as SYSTEM on the host Windows OS using an exploit chain targeting three vulnerabilities.

Following the contest, Google and Mozilla quickly patched several zero-days that were exploited, with Mozilla releasing patches just one day later and Google within five days. However, vendors typically take their time to fix security flaws demonstrated at Pwn2Own, as they have 90 days to release patches before Trend Micro's Zero Day Initiative publicly discloses the bug details.
