A proof-of-concept (PoC) exploit has been released for a critical vulnerability chain in VMware Workstation that allows an attacker to escape from a guest virtual machine and execute arbitrary code on the host operating system.
The exploit successfully chains together an information leak and a stack-based buffer overflow vulnerability to achieve a full guest-to-host escape, one of the most severe types of security flaws in virtualization software.
The exploit targets vulnerabilities that were first demonstrated at the Pwn2Own Vancouver event in 2023. Security researcher Alexander Zaviyalov of NCC Group recently published a detailed technical analysis and a functional PoC, demonstrating the practical risk posed by these flaws.
The Two-Stage Attack
The guest-to-host escape is accomplished by chaining two distinct vulnerabilities found in the virtual Bluetooth device functionality of VMware Workstation. This feature, which is enabled by default, allows a guest VM to use the host’s Bluetooth adapter.
Information Leak (CVE-2023-20870, CVE-2023-34044): The first stage of the attack leverages a Use-After-Free (UAF) memory leak. By sending specifically crafted USB Request Block (URB) control transfers to the virtual mouse and Bluetooth devices, an attacker can leak memory pointers from the vmware-vmx.exe process on the host.
This information leak is crucial for bypassing Address Space Layout Randomization (ASLR), a standard security feature that randomizes memory locations to make exploitation more difficult.
Buffer Overflow (CVE-2023-20869): With ASLR bypassed, the attacker proceeds to the second stage. This involves triggering a stack-based buffer overflow by sending a malicious Service Discovery Protocol (SDP) packet from the guest VM to another Bluetooth device discoverable by the host.
The overflow allows the attacker to hijack the program’s execution flow, and with the previously leaked memory addresses, they can execute a custom payload on the host system.
The combination of these vulnerabilities allows an attacker with control over a guest VM to gain full control of the host machine. In the demonstration, the exploit successfully launched a reverse shell from a Linux guest to a fully patched Windows 11 host, effectively compromising the underlying system, Alexander Zaviyalov said.
The full exploit chain primarily affects VMware Workstation 17.0.1 and earlier versions. The specific vulnerabilities have different patch timelines:
- The stack-based buffer overflow (CVE-2023-20869) was addressed in version 17.0.2.vmware-workstation-guest-to-host-escape.pdf
- The memory leak vulnerabilities (CVE-2023-20870 and CVE-2023-34044) were patched across versions 17.0.2 and 17.5.0, respectively.vmware-workstation-guest-to-host-escape.pdf
Because the complete exploit requires both the buffer overflow and the memory leak, users running version 17.0.1 or older are at the highest risk.
Mitigations
The primary recommendation for all users is to update their VMware Workstation software to the latest available version (17.5.0 or newer), which contains patches for all the discussed vulnerabilities.
For users who cannot immediately update, a potential workaround is to disable the virtual Bluetooth device. This can be done by unchecking the “Share Bluetooth devices with the virtual machine” option in the virtual machine’s USB Controller settings.
Disabling this feature removes the attack surface exploited by this specific PoC. The detailed research highlights the complexity of modern exploits and underscores the importance of timely patching for virtualization platforms.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
