VMware has investigated CVE-2023-20872 and has determined that the possibility of exploitation can be removed by performing the steps detailed in the Workaround section of this article.

This workaround is meant to be a temporary solution until updates documented in VMSA-2023-0008 can be deployed.

Resolution is documented in VMSA-2023-0008 

Workaround:
The workaround for CVE-2023-20872 is to remove the CD/DVD device from the virtual machine or configure the virtual machine NOT to use a virtual SCSI controller.

Prerequisites:
Shut down or power off the virtual machine. You cannot change the setting while the virtual machine is powered on or suspended.

1. Remove CD/DVD device from a virtual machine on the impacted products by following the procedure described here:

VMware Workstation:

• To remove hardware from a selected virtual machine, select VM > Settings, click the Hardware tab,
• Select the CD/DVD and click Remove.

VMware Fusion

• Select a virtual machine in the Virtual Machine Library window. Click on "Virtual Machine" menu and click on "Settings".
• Under Removable Devices in the Settings window, select CD/DVD > Advanced Options > Remove CD/DVD Drive.

2. Configure the virtual machine NOT to use a virtual SCSI controller on the impacted products by following the procedure described here:

VMware Workstation:

•  Select VM > Settings, click the Hardware tab, select the CD/DVD > Advanced > CD/DVD Advanced Settings > Virtual device node
•  You can configure the Bus type

VMware Fusion

•  Select a virtual machine in the Virtual Machine Library window. Click on "Virtual Machine" menu and click on "Settings".
• Under Removable Devices in the Settings window, Select CD/DVD > Advanced options > Bus type
• You can configure the Bus type