
VMware has released patches for its Workstation and Fusion products that address the vulnerabilities exploited earlier this year at the Pwn2Own hacking competition.
Three of the vulnerabilities were reported at the Pwn2Own Vancouver 2024 competition. The fourth flaw was reported to VMware outside of the hacking competition.
The first, a critical vulnerability tracked as CVE-2024-22267, is described as a use-after-free in the vbluetooth component that allows a local attacker with administrative privileges on a virtual machine to execute arbitrary code as the VM’s VMX process running on the host.
The second is a high-severity vulnerability in the vbluetooth component, tracked as CVE-2024-22269, which can be exploited by a local attacker with admin privileges on a VM to read privileged information from the hypervisor memory.
The third is a high-severity information disclosure issue related to the Host Guest File Sharing (HGFS) functionality. Tracked as CVE-2024-22270, it allows a malicious actor with local administrative privileges on a VM to read privileged information contained in hypervisor memory.


