1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • VMware patches serious security flaws in some of its top products

    From TechnologyDaily@1337:1/100 to All on Wed May 15 17:00:05 2024
    VMware patches serious security flaws in some of its top products

    Date:
    Wed, 15 May 2024 16:45:01 +0000

    Description:
    Fixes for Workstation and Fusion look to prevent hackers from mounting denial-of-service attacks.

    FULL STORY ======================================================================

    VMware has released patches for four vulnerabilities affecting two of its products.

    The vulnerabilities could be used by malicious actors to steal sensitive information from flawed endpoints, but also to mount denial-of-service (DoS) attacks, and run malicious code.

    The vulnerable products are Workstation and Fusion, versions 17.x and 13.x respectively. The earliest fixed versions are 17.5.2 for Workstation, and 13.5.2 for Fusion. Chinese abuse

    The vulnerabilities are tracked as CVE-2024-22267 (severity score 9.3, a use-after-free flaw in Bluetooth), CVE-2024-22268 (severity score 7.1, heap buffer-overflow bug in Shader), CVE-2024-22269 (severity score 7.1, an information disclosure flaw in Bluetooth), and CVE-2024-22270 (severity score 7.1, an information disclosure bug in Host Guest File Sharing).

    Due to VMwares gear being quite popular, it is often targeted by hackers, which is why all users are advised to apply the patches as soon as possible. Those that cannot apply the patch immediately should deploy a workaround, by turning off Bluetooth support on the virtual machine, as well as by disabling 3D acceleration. While these mitigations can help with the majority of the flaws, there is no other fix for CVE-2024-22270 other than the patch.

    Earlier this year, it was reported that Chinese state-sponsored hackers known as UNC3886 were abusing a zero-day vulnerability in VMware devices for years.

    A report from Mandiant claimed the group used the flaw to deploy malware , steal credentials, and ultimately exfiltrate sensitive data. The patch for
    the flaw was released in late October 2023. Two months ago, VMware patched
    two critical vulnerabilities in its ESXi, Workstation, and Fusion products.

    These vulnerabilities, however, were first reported to VMware by Gwangun Jung & Junoh Lee of Theori and STAR Labs SG, during the Pwn2Own 2024 Security Contest, the company acknowledged.

    Via The Hacker News More from TechRadar Pro Chinese hackers quietly
    exploited a VMware zero-day for two years Here's a list of the best firewalls around today These are the best endpoint security tools right now



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/vmware-patches-serious-security-flaws-i n-some-of-its-top-products


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)