Update April 25, 2023
Today VMware has released the following new security advisory:
VMSA-2023-0008 – VMware Workstation and Fusion updates address multiple security vulnerabilities (CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, CVE-2023-20872)
The advisory documents the remediation of the Critical and Important severity vulnerabilities demonstrated at the Pwn2Own 2023 contest (CVE-2023-20869, CVE-2023-20870). Customers should review the security advisory and direct any questions to VMware Support.
Update March 23, 2023
Pwn2Own 2023 has wrapped up after a very eventful week. On the final day of the contest, STAR Labs team demonstrated an issue on VMware Workstation. We are currently investigating the issue after having received the details. We are actively working on its remediation and we plan on publishing a VMware Security Advisory to provide information on updates for affected products.
We would like to thank Zero Day Initiative (ZDI) for allowing us to participate and the STAR Labs team for working with us to address this issue.
Original Post
Greetings from VMware Security Response Center!!
We’re excited to announce that VMware will be returning to Pwn2Own 2023 hosted on March 22nd – 24th, in Vancouver, Canada. VMware will have the opportunity to attend in-person to validate any demonstrations of a VMescape.
Similar to last year, we will have two of our Hypervisors, VMware ESXi – Type 1 and VMware Workstation – Type 2 as targets in the virtualization category with prize money of $150,000 and $80,000 respectively. There is an add-on bonus in this category applicable to Workstation. If a contestant can escape the guest OS, then escalate privileges on the host OS through a Windows kernel vulnerability, they can earn an additional bounty.
Hacking contests like this are an excellent opportunity for us to meet and collaborate with the security research community. Over the years, we have seen some high-quality research demonstrated by highly skilled security researchers. To extend our support to the contest and the security research community, we are happy to inform you that this year also VMware returns as a Pwn2Own sponsor. If you are attending Pwn2Own, then come and say ‘Hi’ to us. We will be happy to meet you.
We would like to thank Zero Day Initiative (ZDI) for allowing us to participate in the upcoming event.
Stay tuned! This post will be updated with more information as they become available.
If you would like to be kept informed on VMware Security Advisories (VMSAs) please sign up here for new and updated information.