ngCERT VMware Tools vulnerability

Risk: high
Damage: high
Platform(s): Microsoft® Windows 10
Advisory ID: ngCERT-2020-0003
Version: 1.0
CVE: NIL
Published: January 16, 2020

Summary


The vulnerability is in a VMware Tools functionality that was removed in VMware Tools 11.0.0. It has been determined to affect VMware Tools for Windows version 10.x.y.

Description & Consequence


The issue is classified as a race condition flaw that could be exploited by an attacker to access the guest virtual machine and escalate privileges.

A malicious actor with man-in-the-middle (MITM) network positioning between an affected mobile application and Workspace ONE UEM Device Services may be able to capture sensitive data in transit if SSL Pinning is enabled. Also, a malicious actor on the guest VM might exploit the race condition and escalate their privileges on a Windows VM.

Solution


To remediate this issue, it is recommended to upgrade VMware Tools to 11.0.0. 

However, if upgrading is not possible, exploitation of this issue can be prevented by correcting the ACLs on the C:\ProgramData\VMware\VMware CAF directory in Windows guests running VMware Tools 10.x.y versions. To correct the ACLs for this directory, remove all write access permissions for Standard User from the directory.

To correct ACLs for this directory:

1. Disable inheritance, remove all inherited permissions, and grant “Full control” to the local System account and the Administrators group.

2. Correct the ACL from the Windows UI via Properties of the directory.
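
The ACL correction described above, scripted in PowerShell as an added example (it is not part of the original advisory or of VMware's guidance): it reports write-capable entries held by principals other than Local System and Administrators, disables inheritance, and grants Full control to those two. The well-known SIDs, the write-rights mask and the helper name `Get-UntrustedWriteRule` are choices made for this example.

```powershell
# Added example: audit, then correct, the ACL on the VMware CAF directory.
# Run in an elevated PowerShell session on the Windows guest.
$Path = 'C:\ProgramData\VMware\VMware CAF'   # directory named in the advisory
if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    Write-Output "Directory not found, nothing to correct: $Path"
    return
}

# Well-known SIDs avoid dependence on localized account names.
$trustedSids = 'S-1-5-18', 'S-1-5-32-544'    # Local System, BUILTIN\Administrators
$sidType     = [System.Security.Principal.SecurityIdentifier]

# Rights that allow creating, changing or deleting content, or re-granting access.
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only entries may carry generic rights instead: GENERIC_ALL, GENERIC_WRITE.
$writeMask = [int]$writeBits -bor 0x10000000 -bor 0x40000000

# Helper (name chosen for this example): Allow entries that give write access
# to any principal other than the two trusted SIDs.
function Get-UntrustedWriteRule($Acl, [bool]$IncludeInherited) {
    $Acl.GetAccessRules($true, $IncludeInherited, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
        ($trustedSids -notcontains $_.IdentityReference.Value)
    }
}

$acl = Get-Acl -LiteralPath $Path
Write-Output 'Write-capable entries for other principals before the change:'
Get-UntrustedWriteRule $acl $true |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Disable inheritance and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)
# Remove explicit write-capable entries that remain (this drops the whole entry).
foreach ($rule in @(Get-UntrustedWriteRule $acl $false)) {
    $acl.RemoveAccessRuleSpecific($rule)
}
# Grant Full control to Local System and Administrators, inherited by children.
foreach ($sid in $trustedSids) {
    $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
    $acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -LiteralPath $Path -AclObject $acl

# Re-read the ACL from disk and confirm nothing write-capable is left.
$left = @(Get-UntrustedWriteRule (Get-Acl -LiteralPath $Path) $true)
if ($left.Count) { Write-Warning "$($left.Count) write-capable entries remain on $Path" }
else { Write-Output "No write access remains for other principals on $Path" }
```

Files and subdirectories that carry their own explicit entries are not changed by this script and should be reviewed separately.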
