Summary: A critical stack-based buffer-overflow vulnerability has been discovered in VMware Workstation (17.x) and VMware Fusion (13.x) products. This vulnerability exists in the functionality for sharing host Bluetooth devices with the virtual machine (VM). It can potentially allow an attacker to execute arbitrary code on the host machine or cause a denial of service by crashing the virtual machine.

Introduction: Stack-based buffer-overflow vulnerabilities occur when data is written past the allocated buffer boundary in stack memory. This can cause critical application or system crashes and may allow an attacker to gain control of the machine by executing arbitrary code. In the case of CVE-2023-20869, this vulnerability impacts the sharing of host Bluetooth devices with VMs in VMware Workstation and VMware Fusion products.

Vulnerable versions

- VMware Workstation Pro/Player (17.x)
- VMware Fusion Pro/Player (13.x)

Exploit details: The vulnerability exists in the process of sharing host Bluetooth devices to the virtual machine by the VMware Workstation and Fusion products. When a specially crafted request is sent to the Bluetooth sharing functionality in these products, it can trigger a stack-based buffer-overflow and result in arbitrary code execution or a crash of the virtual machine.

Code snippet

A simplified sample of the affected code in the Bluetooth device sharing functionality is shown below:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

void vulnerable_function(char *input) {
    // Fixed-size stack buffer; the length of input is never checked
    // before it is copied, so anything longer than 127 bytes overflows
    // the buffer and overwrites adjacent stack memory.
    char buffer[128];
    strcpy(buffer, input);
}

int main(int argc, char *argv[]) {
    // Receive input from user or malicious source
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    char *input = argv[1];

    // Call the vulnerable function with user-supplied input
    vulnerable_function(input);

    return 0;
}

This example demonstrates the root cause of the vulnerability: unbounded copying of input data to a fixed-size buffer without proper bounds checking.
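The following is an added example (not VMware's code and not the page's sample) showing the hardened counterpart of the pattern above: the same 128-byte stack buffer, but the copy is bounded by the destination size and an oversized request is rejected instead of overflowing. The request buffers are constructed sample data, not real Bluetooth sharing messages.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define REQ_BUF_SIZE 128   /* same fixed-size stack buffer as the sample above */

/* Bounded copy: the check is driven by the destination size, never by the
 * input. Returns 0 on success, -1 when the request would not fit together
 * with its terminating NUL. */
int copy_request_checked(char *dst, size_t dst_size,
                         const uint8_t *req, size_t req_len)
{
    if (dst == NULL || req == NULL || dst_size == 0)
        return -1;
    if (req_len >= dst_size)          /* one byte is reserved for the terminator */
        return -1;
    memcpy(dst, req, req_len);
    dst[req_len] = '\0';
    return 0;
}

/* Hardened counterpart of vulnerable_function(): a request longer than
 * the buffer allows is rejected rather than copied.
 * Returns 0 if the request was accepted, -1 if it was rejected. */
int handle_request(const uint8_t *req, size_t req_len)
{
    char buffer[REQ_BUF_SIZE];
    if (copy_request_checked(buffer, sizeof buffer, req, req_len) != 0)
        return -1;
    /* normal processing of the request would continue here */
    return 0;
}

int main(void)
{
    /* Constructed sample requests (hypothetical, not real protocol data). */
    uint8_t ok[127], oversized[300];
    memset(ok, 'A', sizeof ok);
    memset(oversized, 'A', sizeof oversized);
    printf("127-byte request: %s\n",
           handle_request(ok, sizeof ok) == 0 ? "accepted" : "rejected");
    printf("300-byte request: %s\n",
           handle_request(oversized, sizeof oversized) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Compiler mitigations such as stack canaries reduce the impact of the original pattern but do not remove it; the length check against the destination size is the actual fix.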

Original references

- VMware Security Advisory VMSA-2023-0025
- CVE-2023-20869 at MITRE
- CVE-2023-20869 at NVD

Mitigation and patches

VMware has released patches for VMware Workstation 17.x and VMware Fusion 13.x to mitigate this vulnerability:
- VMware Workstation 17.x Patch Download
- VMware Fusion 13.x Patch Download

If you are unable to apply patches, the following two workarounds can be used to reduce the risk of exploitation:

1. Disable the Bluetooth sharing functionality in the affected products if it is not required.

2. Restrict access to the host machine and the virtual machine environment by implementing proper network segregation and access controls.

Conclusion: It is highly recommended that users of VMware Workstation 17.x and VMware Fusion 13.x products update to the latest patched versions as soon as possible to protect against the stack-based buffer-overflow vulnerability (CVE-2023-20869) impacting the Bluetooth device sharing functionality in these products. This will prevent potential exploitation by an attacker to execute arbitrary code on the host machine or cause a denial of service by crashing the virtual machine.

Timeline

Published on: 04/25/2023 22:15:00 UTC
Last modified on: 05/04/2023 20:19:00 UTC