Shulou(Shulou.com)11/24 Report--

CTOnews.com, April 26, VMWare released a security update today to fix two "critical" zero-day vulnerabilities. These two vulnerabilities are exploited by attackers to allow Workstation and Fusion software to run arbitrary code.

These two zero-day vulnerabilities were discovered by the STAR Labs security team, who publicly demonstrated them at the Pwn2Own Vancouver 2023 hacker contest a month ago.

According to industry rules, security experts have 90 days to fix both vulnerabilities before they are fully disclosed.

Two vulnerability information is attached to CTOnews.com as follows:

The first vulnerability, numbered CVE-2023-20869, exists in Bluetooth device sharing and is a stack-based buffer overflow vulnerability that allows local attackers to execute code while running the virtual machine's VMX process on the host.

The second vulnerability, numbered CVE-2023-20870, also exists in the Bluetooth device function where malicious actors can read privileged information contained in the hypervisor memory from VM.

The STAR Labs security team won a reward of $80000 and eight Master of Pwn points for discovering these two vulnerabilities.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.