CVE-2023-20854
VMware Workstation Player vulnerability analysis and mitigation

Overview

VMware Workstation version 17.x on Windows contains an arbitrary file deletion vulnerability (CVE-2023-20854) that was privately reported to VMware. The vulnerability was discovered by Frederik Reiter of cirosec GmbH and was disclosed on January 31, 2023. This high-severity vulnerability received a CVSS base score of 7.8 (VMware Advisory).

Technical details

The vulnerability is classified as an arbitrary file deletion flaw that affects VMware Workstation 17.x running on Windows systems. It has been assigned a CVSSv3 base score of 7.8, placing it in the Important severity range. The technical assessment indicates that the vulnerability allows for unauthorized file deletion operations within the system (VMware Advisory, SecurityWeek).

Impact

The vulnerability enables a malicious actor with local user privileges to delete arbitrary files from the file system of the machine where Workstation is installed. According to security researchers, this capability can be leveraged for privilege escalation to System level access (SecurityWeek).

Mitigation and workarounds

VMware has released version 17.0.1 as a fix for this vulnerability. Users are advised to update to this version to remediate the issue. No workarounds are available for this vulnerability, making the update the only viable solution (VMware Advisory).

Community reactions

Cirosec, the security firm that discovered the vulnerability, announced via Twitter that they would be releasing technical details about the vulnerability in the future. The cybersecurity community has classified this as a significant security issue requiring immediate attention (SecurityWeek).

Additional resources


SourceThis report was generated using AI

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management