Security News VMware fixes three zero-day bugs exploited at Pwn2Own 2024

vtqhtr413

VMware fixed four security vulnerabilities in the Workstation and Fusion desktop hypervisors, including three zero-days exploited during the Pwn2Own Vancouver 2024 hacking contest. The most severe flaw patched today is CVE-2024-22267, a use-after-free flaw in the vbluetooth device demoed by the STAR Labs SG and Theori teams.

"A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host," the company explains in a security advisory published on Tuesday.

VMware also provides a temporary workaround for admins who cannot immediately install today's security updates. This workaround requires them to turn off the virtual machine's Bluetooth support by unchecking the 'Share Bluetooth devices with the virtual machine' option.

Two more high-severity security bugs tracked as CVE-2024-22269 and CVE-2024-22270, reported by Theori and STAR Labs SG, are information disclosure vulnerabilities that allow attackers with local admin privileges to read privileged information from a virtual machine's hypervisor memory.
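An added example (not part of the original post or of VMware's advisory): a Python check that lists which `.vmx` files do not explicitly have Bluetooth sharing turned off, for confirming the workaround above across many VMs. It assumes the checkbox is stored as the `usb.vbluetooth.startConnected` key; the file names and contents below are constructed samples.

```python
import re

# Assumption: this .vmx key backs the "Share Bluetooth devices with the
# virtual machine" checkbox; confirm against your product version.
BT_KEY = "usb.vbluetooth.startconnected"
# key = "value" lines; lines starting with '#' are comments and never match.
LINE_RE = re.compile(r'^\s*([^#=\s][^=]*?)\s*=\s*"?(.*?)"?\s*$')

def parse_vmx(text):
    """Parse .vmx text into a dict; keys are lower-cased, last duplicate wins."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def bluetooth_sharing_state(text):
    """Return 'enabled', 'disabled', or 'unset' for one .vmx file's text."""
    value = parse_vmx(text).get(BT_KEY)
    if value is None:
        return "unset"
    return "enabled" if value.strip().lower() == "true" else "disabled"

def audit(vmx_by_name):
    """Names of VMs whose Bluetooth sharing is not explicitly disabled.

    'unset' is reported too, because the default for a missing key is not
    stated on this page and needs a manual check in the VM settings.
    """
    return sorted(name for name, text in vmx_by_name.items()
                  if bluetooth_sharing_state(text) != "disabled")

# Constructed sample .vmx contents (not taken from a real host).
SAMPLE = {
    "build-01.vmx": '.encoding = "UTF-8"\nusb.present = "TRUE"\n'
                    'usb.vbluetooth.startConnected = "TRUE"\n',
    "build-02.vmx": 'usb.present = "TRUE"\n'
                    'USB.vbluetooth.startConnected = "FALSE"\n',
    "legacy.vmx": '# no bluetooth key present\nusb.present = "TRUE"\n',
}

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print(f"{name}: {bluetooth_sharing_state(SAMPLE[name])}")
```

To run it against real files, read each `.vmx` into the dictionary passed to `audit()` instead of using `SAMPLE`.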