Security News > 2020 > March > VMware Again Fails to Patch Privilege Escalation Vulnerability in Fusion
VMware has released an update for the macOS version of Fusion to fix a privilege escalation vulnerability for which it initially released an incomplete patch.
VMware told customers on March 17 that Fusion, Remote Console and Horizon Client for Mac are impacted by a high-severity privilege escalation vulnerability tracked as CVE-2020-3950.
The company released version 11.5.2 to patch the vulnerability, but the researchers credited for reporting the vulnerability to VMware - Jeffball from cybersecurity firm GRIMM and Rich Mirch - both found that the patch was incomplete.
Mirch provided the following description for the vulnerability: VMware USB Arbitrator Service and Open VMware Fusion Services are both setuid root binaries located at /Applications/VMware Fusion.
After VMware released its first patch for CVE-2020-3950, Jeffball told SecurityWeek that the "Open VMware Fusion Services binary is fixed, but the Open VMware USB Arbitrator Service binary is not. When running the exploit for Fusion services, it gets a bad code signature error, but the same thing works fine on the USB arbitrator service."
News URL
Related news
- CISA Urges Federal Agencies to Patch Versa Director Vulnerability by September (source)
- SonicWall Issues Critical Patch for Firewall Vulnerability Allowing Unauthorized Access (source)
- Fortra Issues Patch for High-Risk FileCatalyst Workflow Security Vulnerability (source)
- Week in review: Vulnerability allows Yubico security keys cloning, Patch Tuesday forecast (source)
- Progress Software Issues Patch for Vulnerability in LoadMaster and MT Hypervisor (source)
- SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks (source)
- Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution (source)
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-03-17 | CVE-2020-3950 | Improper Privilege Management vulnerability in VMWare Fusion, Horizon Client and Remote Console VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) contain a privilege escalation vulnerability due to improper use of setuid binaries. | 7.2 |