Local Privilege Escalation Vulnerability for VMware

Risk:
high
Damage:
high
Platform(s):
VMware ESXi, VMware Horizon, VMware Workstation Pro, VMware Fusion Pro, VMware Remote Console
Advisory ID:
ngCERT-2020-0004
Version:
8.4
CVE:
CVE-2020-3957
Published:
June 16, 2020

Summary


VMware Fusion, VMRC, and Horizon Client contain a local privilege escalation vulnerability due to a Time-of-check Time-of-use (TOC/TOU) issue in the service opener. A second local privilege escalation was also discovered, in which the application blindly executes files from an untrusted location. Both vulnerabilities result in arbitrary code execution as root.

Description & Consequence


Multiple security vulnerabilities in VMware ESXi, Workstation, Fusion, VMRC and Horizon Client were privately reported to VMware. VMware Fusion, VMRC, ESXi, and Horizon Client contain a local privilege escalation vulnerability due to a Time-of-check Time-of-use (TOC/TOU) bug that still makes it possible for an attacker with low permissions to execute arbitrary code with root privileges. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.3.

Successful exploitation of this vulnerability may allow a local attacker with normal user privileges to escalate their privileges to root on the system where Fusion, ESXi, VMRC and Horizon Client are installed and to run commands as any user. It may also allow attackers with non-administrative access to a virtual machine to crash the virtual machine's vmx process, leading to a denial of service condition.

Solution


Stakeholders may install the patches that have been released for Fusion Pro, Workstation, Remote Console, and Horizon Client. VMware attempted to patch the TOCTOU vulnerability in Fusion with the release of version 11.5.5, but patches for VMRC and Horizon Client for Mac are pending. No fixed solution appears to be available for now.

Reference


https://www.vmware.com/security/advisories/VMSA-2020-0011.html

https://www.criticalstart.com/local-privilege-escalation-discovered-in-vmware-fusion/

https://www.vmware.com/security/advisories/VMSA-2020-0013.html
