Pwn2Own vulnerabilities Apple and VMware
Pwn2Own vulnerabilities Apple and VMware
VMWare released security updates for four security vulnerabilities. Apple has also patched a zero day vulnerability in their Safari web browser. The vulnerabilities were exploited on the Pwn2Own hacking contest.
VMware summary:
CVE-2024-22267, 9.3 (Critical) CVSS 3.0: this was founded by STAR Labs SG and Theori teams. VMware states: “A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.”
CVE-2024-22269, 7.1 (High) CVSS3.0: “A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.”
CVE-2024-22270, 7.1 (High) CVSS3.0: “A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.”
Affected products VMware
- VMware workstation 17.X
- VMware fusion 13.X
Security Recommendations VMware
VMware has released version Workstation 17.5.2 and Fusion 13.5.2 to fix these vulnerabilities. For CVE-2024-22267 workaround KB91760 is provided, for CVE-2024-22268 workaround KB59146 and for CVE-2024-22269 workaround KB91760. For CVE-2024-22270 no workaround is provided only applying the new version allows the vulnerability to be patched.
Apple summary:
CVE-2024-27834, 9.1 (Critical) CVSS3.0: “An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication,” Pointer authentication codes is used in the arm64e architecture, the purpose of which is to detected unexpected changes to pointers within memory. These unexpected pointer changes will causes app crashes resulting in memory corruption linked to authentication failures.
Affected products Apple:
- iOS >17.5
- iPadOS >17.5
- tvOS >17.5
- Safari >17.5
- watchOS >10.5
- macOS >14.5
Security Recommendations Apple
Apple has released updates for their OS system in the following versions:
- iOS 17.5
- iPadOS 17.5
- tvOS 17.5
- Safari 17.5
- watchOS 10.5
- macOS 14.5