VMware fixed four security vulnerabilities in the Workstation and Fusion desktop hypervisors, including three zero-days exploited during the Pwn2Own Vancouver 2024 hacking contest.
The most severe flaw patched today is CVE-2024-22267, a use-after-free flaw in the vbluetooth device demoed by the STAR Labs SG and Theori teams.
VMware also provides a temporary workaround for admins who cannot immediately install today's security updates.
This workaround requires them to turn off the virtual machine's Bluetooth support by unchecking the 'Share Bluetooth devices with the virtual machine' option.
Two more high-severity security bugs tracked as CVE-2024-22269 and CVE-2024-22270, reported by Theori and STAR Labs SG, are information disclosure vulnerabilities that allow attackers with local admin privileges to read privileged information from a virtual machine's hypervisor memory.
The fourth VMware Workstation and Fusion vulnerability fixed today is caused by a heap buffer overflow weakness in the Shader functionality.
A security researcher also reported it through Trend Micro's Zero Day Initiative.
Successfully exploiting this security flaw requires 3D graphics to be enabled on the targeted virtual machine.
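To check which virtual machines still meet the two conditions described above (Bluetooth sharing left on, 3D graphics enabled), the following added example, which is not from the article or from VMware, audits the text of a .vmx configuration file. The key names `usb.vbluetooth.startConnected` and `mks.enable3d` are assumptions about how Workstation and Fusion store these options, and the sample file is constructed.

```python
import re

# Assumed .vmx key names (not given in the article), stored lowercase
# because the parser below lowercases every key it reads.
KEYS = {
    "bluetooth_shared": "usb.vbluetooth.startconnected",
    "graphics_3d": "mks.enable3d",
}
LINE_RE = re.compile(r'^\s*([^#=\s][^=]*?)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse key = "value" lines, skipping comments and malformed lines."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def audit_vmx(text):
    """Return True/False per option, or None when the file does not set it."""
    settings = parse_vmx(text)
    result = {}
    for name, key in KEYS.items():
        raw = settings.get(key)
        result[name] = None if raw is None else raw.strip().lower() == "true"
    return result

def needs_attention(result):
    """Options that are on, or unset and so must be confirmed in the VM settings."""
    return [name for name, state in result.items() if state is not False]

# Constructed sample configuration, not taken from a real VM.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
displayName = "build-agent-01"
# USB controller and Bluetooth passthrough
usb.present = "TRUE"
usb.vbluetooth.startConnected = "TRUE"
mks.enable3d = "FALSE"
'''

if __name__ == "__main__":
    report = audit_vmx(SAMPLE_VMX)
    print(report)
    print("review:", needs_attention(report))
```

An option the file does not set is reported as `None` rather than assumed off, so it still appears in the review list.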
Security researchers collected $1,132,500 after demoing 29 zero-days at this year's Vancouver hacking competition, while Manfred Paul emerged as the winner with $202,500 in cash after taking down the Apple Safari, Google Chrome, and Microsoft Edge web browsers.
During the contest, the STAR Labs SG team earned $30,000 after chaining two VMware Workstation security flaws to gain remote code execution.
Theori security researchers Gwangun Jung and Junoh Lee also went home with $130,000 in cash for escaping a VMware Workstation VM to gain code execution as SYSTEM on the host Windows OS using an exploit chain targeting three vulnerabilities: an uninitialized variable bug, a UAF weakness, and a heap-based buffer overflow.
Google and Mozilla also fixed several zero-days exploited at Pwn2Own Vancouver 2024 within days after the contest ended, with Mozilla releasing patches one day later and Google after just five days.
Vendors typically take their time to fix security flaws demonstrated at Pwn2Own, as they have 90 days to push patches before Trend Micro's Zero Day Initiative publicly discloses bug details.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 14 May 2024 14:50:14 +0000