CVE-2023-34044: 
NixOS vulnerability analysis and mitigation

CVE-2023-34044 is an out-of-bounds read vulnerability discovered in VMware Workstation (17.x prior to 17.5) and Fusion (13.x prior to 13.5). The vulnerability exists in the functionality for sharing host Bluetooth devices with virtual machines. This issue was identified by Gwangun Jung (@pr0Ln) at THEORI working with Trend Micro Zero Day Initiative and was publicly disclosed in October 2023 (VMware Advisory).

The vulnerability is classified as an out-of-bounds read issue (CWE-125) in the UHCI component, resulting from improper initialization of memory prior to accessing it. The severity is rated as Important with a CVSS v3.1 base score of 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). This issue exists because Workstation 17.0.2 and Fusion 13.0.2, released on April 25, 2023, did not completely address a previous vulnerability (CVE-2023-20870) (VMware Advisory, ZDI Advisory).

The vulnerability allows attackers to read privileged information contained in hypervisor memory from a virtual machine. This information disclosure could potentially be leveraged in conjunction with other vulnerabilities to execute arbitrary code in the context of the hypervisor (ZDI Advisory).

VMware has released security updates to address this vulnerability. Users should update to Workstation version 17.5 or Fusion version 13.5. A workaround is available in KB91760 for cases where immediate updating is not possible (VMware Advisory).