CVE-2024-22267
📋 TL;DR
CVE-2024-22267 is a use-after-free vulnerability in VMware Workstation and Fusion's vbluetooth device that allows a malicious actor with local administrative privileges on a virtual machine to execute arbitrary code on the host system as the VMX process. This affects all users running vulnerable versions of VMware Workstation and Fusion with virtual machines that have administrative users.
💻 Affected Systems
- VMware Workstation
- VMware Fusion
📦 What is this software?
VMware Workstation (Windows and Linux hosts) and VMware Fusion (macOS hosts) are desktop hypervisors from VMware, now part of Broadcom, which publishes the vendor advisory linked below.
⚠️ Risk & Real-World Impact
Worst Case
Full host compromise allowing an attacker to execute arbitrary code with the privileges of the VMX process, potentially leading to complete host takeover, data exfiltration, and lateral movement.
Likely Case
Privilege escalation from a guest VM to the host system, allowing an attacker to bypass virtualization isolation and gain a foothold on the host environment.
If Mitigated
Limited impact if proper network segmentation, least privilege principles, and host hardening are implemented, though the vulnerability still presents significant risk.
🎯 Exploit Status
Exploitation requires local administrative access to a virtual machine and knowledge of the vulnerability. The use-after-free condition must be triggered through specific vbluetooth operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: VMware Workstation 17.5.2 and VMware Fusion 13.5.2
Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280
Restart Required: Yes
Instructions:
1. Download the latest version from VMware's official website.
2. Run the installer and follow the upgrade process.
3. Restart the host system after installation completes.
4. Verify the update was successful by checking the version number.
🔧 Temporary Workarounds
Disable vbluetooth device
Remove or disable the vbluetooth virtual device from virtual machine configurations to eliminate the attack vector.
Edit VMX configuration file and remove or comment out: 'vbluetooth.present = "TRUE"'
In VMware GUI: VM Settings > Remove Bluetooth device
Restrict VM administrative access
Implement strict access controls and least privilege principles for virtual machine administrative accounts.
🧯 If You Can't Patch
- Disable vbluetooth device on all virtual machines immediately
- Implement network segmentation to isolate vulnerable VMs from critical systems
- Monitor for suspicious activity from VMs with administrative users
- Consider migrating critical workloads to patched systems or alternative virtualization platforms
🔍 How to Verify
Check if Vulnerable:
Check VMware version: For Workstation: Help > About VMware Workstation. For Fusion: VMware Fusion > About VMware Fusion. If version is below 17.5.2 (Workstation) or 13.5.2 (Fusion), the system is vulnerable.
Check Version:
Windows: 'vmware -v' in command prompt. Linux: 'vmware --version' in terminal. macOS: Check 'About VMware Fusion' in application menu.
Verify Fix Applied:
After patching, verify the version is 17.5.2 or higher for Workstation, or 13.5.2 or higher for Fusion. Where the workaround was applied instead, confirm that the vbluetooth device has been removed from each VM configuration.
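The two checks above (is the vbluetooth device still present in a VM configuration, and is the installed version below the fixed release) are easy to script across many VMs. The following is an added example for this page, not VMware or Broadcom code. It assumes the VMX file syntax of one `key = "value"` pair per line with `#` comments, treats keys case-insensitively, and uses the fixed versions stated above (Workstation 17.5.2, Fusion 13.5.2); the sample VMX text is constructed, not taken from a real VM.

```python
"""Audit VMX files for the vbluetooth device and compare hypervisor versions
against the fixed releases named in the advisory (added example, not vendor code)."""
import re
from pathlib import Path

# First fixed versions from the Official Fix section above.
FIXED_VERSIONS = {"workstation": (17, 5, 2), "fusion": (13, 5, 2)}

# One VMX setting per line:  key = "value"   (assumed syntax)
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"([^"]*)"\s*$')


def parse_vmx(text):
    """Parse VMX text into a dict; blank lines and '#' comments are skipped.
    Keys are lower-cased because VMX keys are treated case-insensitively (assumption)."""
    config = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            config[m.group(1).lower()] = m.group(2)
    return config


def vbluetooth_enabled(text):
    """True when the VM configuration presents a virtual Bluetooth device."""
    return parse_vmx(text).get("vbluetooth.present", "").upper() == "TRUE"


def remove_vbluetooth(text):
    """Return (new_text, removed_count) with every vbluetooth.* line deleted,
    i.e. the 'remove' form of the workaround above."""
    kept, removed = [], 0
    for line in text.splitlines(keepends=True):
        m = VMX_LINE.match(line)
        if m and m.group(1).lower().startswith("vbluetooth."):
            removed += 1
        else:
            kept.append(line)
    return "".join(kept), removed


def audit_vm_dir(directory):
    """Paths of *.vmx files under `directory` that still enable vbluetooth."""
    return sorted(
        str(p) for p in Path(directory).rglob("*.vmx")
        if vbluetooth_enabled(p.read_text(errors="replace"))
    )


def parse_version(version_string):
    """Extract x.y.z from e.g. 'VMware Workstation 17.5.1' -> (17, 5, 1)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"no x.y.z version found in {version_string!r}")
    return tuple(int(part) for part in m.groups())


def below_fixed_version(product, version_string):
    """True when the reported version is older than the fixed release."""
    return parse_version(version_string) < FIXED_VERSIONS[product]


# Constructed sample VMX (not a real VM's file) so the script runs stand-alone.
SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "lab-vm"
# virtual Bluetooth controller
vbluetooth.present = "TRUE"
ethernet0.present = "TRUE"
"""

if __name__ == "__main__":
    print("vbluetooth enabled:", vbluetooth_enabled(SAMPLE_VMX))
    cleaned, n = remove_vbluetooth(SAMPLE_VMX)
    print(f"removed {n} line(s); enabled after cleanup:", vbluetooth_enabled(cleaned))
    print("Workstation 17.5.1 below fix:",
          below_fixed_version("workstation", "VMware Workstation 17.5.1"))
```

Point `audit_vm_dir()` at the directory holding your VM folders to list configurations that still present the device; write the result of `remove_vbluetooth()` back only while the VM is powered off, since VMware rewrites the VMX file on power-down.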
📡 Detection & Monitoring
Log Indicators:
- Unusual vbluetooth device activity in VM logs
- VMX process crashes or unexpected behavior
- Suspicious process creation from VMX process on host
Network Indicators:
- Unusual network connections originating from host VMX process
- Unexpected outbound connections from virtualization host
SIEM Query:
Process creation where parent process is 'vmware-vmx.exe' OR 'vmware-vmx' AND (command line contains unusual parameters OR destination IP is suspicious)
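The query above is written in SIEM-neutral pseudo-logic; the following added example (not a vendor or SIEM product query) shows the same logic applied to JSON-lines events. The event field names (`event`, `parent_image`, `image`, `command_line`, `dest_ip`) are assumed and must be mapped to your SIEM's schema; "unusual" is operationalised as a child process not on a per-host allowlist and a destination outside a trusted range, both of which are placeholders to tune. The sample events are constructed, not real telemetry.

```python
"""Apply the page's SIEM logic to process-creation and network events
(added example, not a vendor query; field names and allowlists are assumptions)."""
import ipaddress
import json

# Host-side names of the VMX process named in the SIEM query above.
VMX_PROCESS_NAMES = {"vmware-vmx.exe", "vmware-vmx"}

# Assumed placeholders: children the VMX process is known to spawn on your
# hosts, and destinations it is expected to reach (e.g. a management subnet).
ALLOWED_CHILDREN = set()
TRUSTED_DESTINATIONS = [ipaddress.ip_network("10.0.0.0/8")]


def basename(path):
    """Last path component, accepting either separator; '' for None."""
    return (path or "").replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_vmx(path):
    return basename(path) in VMX_PROCESS_NAMES


def destination_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_DESTINATIONS)


def classify(event):
    """Return an alert label for one event dict, or None when it does not match."""
    kind = event.get("event")
    if kind == "process_create" and is_vmx(event.get("parent_image")):
        # 'Unusual' = child image not on this host's allowlist (placeholder).
        if basename(event.get("image")) not in ALLOWED_CHILDREN:
            return "vmx-child-process"
    if kind == "network_connect" and is_vmx(event.get("image")):
        if not destination_trusted(event.get("dest_ip", "")):
            return "vmx-untrusted-destination"
    return None


def scan(lines):
    """Classify JSON-lines events; returns [(label, event), ...] for matches."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        label = classify(event)
        if label:
            hits.append((label, event))
    return hits


# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_LOG = """
{"event": "process_create", "host": "vmhost01", "parent_image": "vmware-vmx.exe", "image": "cmd.exe", "command_line": "cmd.exe /c dir"}
{"event": "process_create", "host": "vmhost01", "parent_image": "explorer.exe", "image": "cmd.exe", "command_line": "cmd.exe"}
{"event": "network_connect", "host": "vmhost02", "image": "/usr/lib/vmware/bin/vmware-vmx", "dest_ip": "203.0.113.7", "dest_port": 443}
{"event": "network_connect", "host": "vmhost02", "image": "/usr/lib/vmware/bin/vmware-vmx", "dest_ip": "10.20.30.40", "dest_port": 902}
"""

if __name__ == "__main__":
    for label, event in scan(SAMPLE_LOG.splitlines()):
        print(f"{label}: host={event['host']} {json.dumps(event)}")
```

On a real host, baseline what the VMX process legitimately spawns and connects to for a few days before alerting, then move those observations into `ALLOWED_CHILDREN` and `TRUSTED_DESTINATIONS`; an empty allowlist, as here, treats every child process of VMX as worth a look, which is the conservative starting point the log indicators above describe.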