VMware discloses flaws in Workstation and Fusion Pro products after making them free for personal use
VMware has warned customers of a series of high severity flaws affecting the Workstation Pro and Fusion Pro hypervisor products


VMware has issued a security advisory detailing critical flaws in its Workstation and Fusion hypervisor products after making them available to individuals for free.
On 14 May, VMware disclosed a series of security vulnerabilities in the two hypervisor solutions, providing workarounds and warning customers to patch their systems as soon as possible.
The first and most serious of these was CVE-2024-22267, a critical use-after-free vulnerability in the products’ vbluetooth device. The flaw has a CVSS rating of 9.3, the company revealed.
VMware warned that a hacker with local administrative privileges on a virtual machine could exploit the flaw to execute code as the virtual machine’s VMX process running on the host.
The second security issue, CVE-2024-22268, is a heap buffer-overflow vulnerability affecting the Shader functionality in Workstation and Fusion, rated 7.1 on the CVSS.
If exploited correctly, the flaw could give an unauthorized actor with access to a VM with 3D graphics enabled the ability to force the target system into a denial of service (DoS) condition.
VMware also disclosed another high-severity vulnerability, CVE-2024-22269, likewise rated 7.1 on the CVSS. It is an information disclosure flaw in the Bluetooth device that could allow an attacker with admin privileges on a VM to read sensitive information contained in the hypervisor memory.
Finally, CVE-2024-22270 is another information disclosure vulnerability with a 7.1 CVSS rating that could give attackers access to information in the hypervisor memory, this time in Workstation and Fusion’s host guest file sharing (HGFS) functionality.
Not the best timing for VMware
The day before it warned customers of the security problems affecting the two hypervisor products, VMware also announced it would be making Workstation Pro and Fusion Pro free for personal use.
Workstation Pro is VMware’s hypervisor solution for Windows and Linux devices, whereas Fusion covers customers using Mac systems.
They allow users to build ‘local virtual’ environments in which to install a variety of operating systems (OS) and build and test software.
The move has been touted as a gesture of goodwill by Broadcom amidst continued controversy over changes made since its acquisition of the firm last year.
The acquisition has received stern criticism from various stakeholders due to Broadcom’s decision to overhaul the licensing structure for many of VMware’s most popular products.
Shortly after the acquisition in November 2023, Broadcom wasted no time announcing it would be axing over 50 standalone cloud services from VMware, including its popular Aria SaaS offering.
With its Workstation Pro and Fusion Pro announcement, VMware said the motivation behind the move was to “simplify how we bring VMware Desktop Hypervisor apps to market”, while ensuring both free and paid users received regular support and maintenance.
Enterprise users will find VMware has reduced its product group offerings down to a single stock keeping unit (SKU) for users who need licensing for commercial use. This simplification will eliminate over 40 other SKUs, which VMware hopes will make quoting and purchasing its desktop hypervisor apps easier than ever.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.