VMware fixes three zero-day bugs exploited at Pwn2Own 2024

VMware fixed four security vulnerabilities in the Workstation and Fusion desktop hypervisors, including three zero-days exploited during the Pwn2Own Vancouver 2024 hacking contest.

The most severe flaw patched today is CVE-2024-22267, a use-after-free flaw in the vbluetooth device demoed by the STAR Labs SG and Theori teams.

"A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host," the company explains in a security advisory published on Tuesday.

VMware also provides a temporary workaround for admins who cannot immediately install today's security updates. This workaround requires them to turn off the virtual machine's Bluetooth support by unchecking the 'Share Bluetooth devices with the virtual machine' option.

Two more high-severity security bugs tracked as CVE-2024-22269 and CVE-2024-22270, reported by Theori and STAR Labs SG, are information disclosure vulnerabilities that allow attackers with local admin privileges to read privileged information from a virtual machine's hypervisor memory.

The fourth VMware Workstation and Fusion vulnerability fixed today (tracked as CVE-2024-22268) is caused by a heap buffer overflow weakness in the Shader functionality. A security researcher also reported it through Trend Micro's Zero Day Initiative.

"A malicious actor with non-administrative access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to create a denial of service condition," VMware says.

However, successfully exploiting this security flaw requires 3D graphics to be enabled on the targeted virtual machine.

Pwn2Own Vancouver 2024 results

Security researchers collected $1,132,500 after demoing 29 zero-days (and some bug collisions) at this year's Vancouver hacking competition, with Manfred Paul emerging as the winner and earning $202,500 in cash after taking down the Apple Safari, Google Chrome, and Microsoft Edge web browsers.

During the contest, the STAR Labs SG team earned $30,000 after chaining two VMware Workstation security flaws to gain remote code execution.

Theori security researchers Gwangun Jung and Junoh Lee also went home with $130,000 in cash for escaping a VMware Workstation VM to gain code execution as SYSTEM on the host Windows OS using an exploit chain targeting three vulnerabilities: an uninitialized variable bug, a UAF weakness, and a heap-based buffer overflow.

Google and Mozilla also fixed several zero-days exploited at Pwn2Own Vancouver 2024 within days after the contest ended, with Mozilla releasing patches one day later and Google after just five days.

However, vendors typically take their time to fix security flaws demonstrated at Pwn2Own, as they have 90 days to push patches before Trend Micro's Zero Day Initiative publicly discloses bug details.