A proof-of-concept (PoC) exploit has been released for a critical vulnerability chain in VMware Workstation that enables an attacker to escape from a guest virtual machine and execute arbitrary code on the host operating system.
The exploit chains together an information leak and a stack-based buffer overflow to achieve a full guest-to-host escape, one of the most severe classes of security flaw in virtualization software.
The exploit targets vulnerabilities that were first demonstrated at the Pwn2Own Vancouver event in 2023. Security researcher Alexander Zaviyalov of NCC Group recently published a detailed technical analysis and a working PoC, demonstrating the practical risk posed by these flaws.
The Two-Stage Attack
The guest-to-host escape is achieved by chaining two distinct vulnerabilities found in the virtual Bluetooth device functionality of VMware Workstation. This feature, which is enabled by default, allows a guest VM to use the host's Bluetooth adapter.
Information Leak (CVE-2023-20870, CVE-2023-34044): The first stage of the attack leverages a Use-After-Free (UAF) memory leak. By sending specially crafted USB Request Block (URB) control transfers to the virtual mouse and Bluetooth devices, an attacker can leak memory pointers from the vmware-vmx.exe process on the host.
This information leak is essential for bypassing Address Space Layout Randomization (ASLR), a standard security feature that randomizes memory locations to make exploitation harder.
Buffer Overflow (CVE-2023-20869): With ASLR bypassed, the attacker proceeds to the second stage. This involves triggering a stack-based buffer overflow by sending a malicious Service Discovery Protocol (SDP) packet from the guest VM to another Bluetooth device discoverable by the host.
The overflow allows the attacker to hijack the program's control flow, and with the previously leaked memory addresses, they can execute a custom payload on the host system.
The combination of these vulnerabilities allows an attacker with control over a guest VM to gain full control of the host machine. In the demonstration, the exploit successfully launched a reverse shell from a Linux guest to a fully patched Windows 11 host, effectively compromising the underlying system, Alexander Zaviyalov said.
The full exploit chain primarily affects VMware Workstation 17.0.1 and earlier versions. The individual vulnerabilities have different patch timelines:
The stack-based buffer overflow (CVE-2023-20869) was addressed in version 17.0.2.
The memory leak vulnerabilities (CVE-2023-20870 and CVE-2023-34044) were patched in versions 17.0.2 and 17.5.0, respectively.
Because the complete exploit requires both the buffer overflow and the memory leak, users running version 17.0.1 or older are at the highest risk.
Mitigations
The primary recommendation for all users is to update their VMware Workstation software to the latest available version (17.5.0 or newer), which contains patches for all of the discussed vulnerabilities.
For users who cannot immediately update, a possible workaround is to disable the virtual Bluetooth device. This can be done by unchecking the "Share Bluetooth devices with the virtual machine" option in the virtual machine's USB Controller settings.
Disabling this feature removes the attack surface exploited by this particular PoC. The detailed research highlights the complexity of modern exploits and underscores the importance of timely patching for virtualization platforms.
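As an added defender-side check (example code, not from the NCC Group research or the article), the following Python script audits a Workstation host against the patch timeline and the Bluetooth-sharing workaround described above. It assumes the `.vmx` key `usb.vbluetooth.startConnected` backs the "Share Bluetooth devices with the virtual machine" checkbox, and the sample `.vmx` text is constructed.

```python
import re

# Patch timeline exactly as the article reports it for VMware Workstation.
FIXED_IN = {
    "CVE-2023-20869": (17, 0, 2),  # stack-based overflow via SDP packet
    "CVE-2023-20870": (17, 0, 2),  # UAF memory leak via URB control transfers
    "CVE-2023-34044": (17, 5, 0),  # second memory-leak variant
}
LEAK_CVES = ("CVE-2023-20870", "CVE-2023-34044")
OVERFLOW_CVE = "CVE-2023-20869"
# ASSUMPTION: this .vmx key backs the "Share Bluetooth devices with the
# virtual machine" checkbox; confirm it against a .vmx on your own host.
BT_SHARE_KEY = "usb.vbluetooth.startconnected"
_VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse key = "value" lines of a .vmx file into a dict with lower-cased keys."""
    cfg = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def parse_version(v):
    """'17.0.1' -> (17, 0, 1); short strings such as '17.5' pad with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", v)][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def unpatched_cves(version):
    """CVEs from the chain whose fix the given Workstation version lacks."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)

def bluetooth_shared(vmx_text):
    """True when the VM shares the host Bluetooth adapter (the exploited device)."""
    return parse_vmx(vmx_text).get(BT_SHARE_KEY, "").strip().upper() == "TRUE"

def assess(version, vmx_text):
    """The full escape needs a leak, the overflow AND the virtual Bluetooth device."""
    missing = unpatched_cves(version)
    shared = bluetooth_shared(vmx_text)
    chain = shared and OVERFLOW_CVE in missing and any(c in missing for c in LEAK_CVES)
    return {"unpatched": missing, "bluetooth_shared": shared, "full_chain_possible": chain}

# Constructed sample .vmx fragment (not taken from a real VM).
SAMPLE_VMX = 'usb.present = "TRUE"\nusb.vbluetooth.startConnected = "TRUE"\n'

if __name__ == "__main__":
    print(assess("17.0.1", SAMPLE_VMX))
```

Run it against the output of your host's version query and each VM's `.vmx` file; a VM reports `full_chain_possible` only while both halves of the chain are unpatched and Bluetooth sharing is still on.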