VMware Workstation update fixes an arbitrary file deletion bug

VMware addressed a high-severity privilege escalation vulnerability, tracked as CVE-2023-20854, in VMware Workstation.

VMware fixed a high-severity privilege escalation flaw, tracked as CVE-2023-20854, that impacts Workstation.

An attacker can exploit the vulnerability to delete arbitrary files on Workstation version 17.x for Windows OS.

“An arbitrary file deletion vulnerability in VMware Workstation was privately reported to VMware. Updates are available to remediate this vulnerability in the affected VMware product.” reads the advisory published by the virtualization giant.

The issue was reported by Frederik Reiter of Cirosec GmbH; it has been rated with a CVSSv3 base score of 7.8.

Cirosec plans to release technical details soon; in the meantime, it urges customers to patch their systems. The security firm explained in a tweet that the arbitrary file deletion vulnerability (CVE-2023-20854) allows local privilege escalation to SYSTEM.

Recently another flaw in VMware vRealize Log Insight, tracked as CVE-2022-31706 (CVSS base 9.8/10), made the headlines after Horizon3 security researchers released proof-of-concept (PoC) code.

The PoC exploit code will trigger a series of flaws in vRealize Log to achieve remote code execution on vulnerable installs.

Pierluigi Paganini

(SecurityAffairs – hacking, privilege escalation)



