External risk intelligence

VMware Fusion Privilege Escalation Vulnerability

CVE advisory

Known Exploit

CVE-2020-3950

This vulnerability affects VMware Fusion, Horizon Client for Mac, and VMware Remote Console for Mac, potentially allowing local users to gain root privileges. This poses a business risk by enabling unauthorized system control. A realistic business risk involves an attacker with standard user access escalating their pri

1 Halo Surface Signal

Privilege Escalation

VMware Fusion

  • 11.0.0 to before 11.5.2
  • 5.0.0 to before 5.4.0
  • 11.0.0 to before 11.0.1

External exposure likelihood

Halo Surface Signal score for CVE-2020-3950

The vulnerability affects client-side desktop applications (VMware Fusion, Horizon Client, and VMRC for Mac). Exploitation requires local access to the system to escalate privileges, which is not a network-reachable or internet-facing attack surface.

Horizon Alert

Summary of the vulnerability and why it matters

VMware Fusion, VMware Remote Console for Mac, and Horizon Client for Mac are affected by a privilege escalation vulnerability. This flaw stems from the improper handling of setuid binaries. Successful exploitation could enable an attacker with standard user privileges to gain administrative root access on the affected system.

  • Vulnerable VMware applications
  • Improper use of setuid binaries
  • Attacker gains root access

Attack Path

How an attacker could exploit the issue

VMware Fusion, VMware Remote Console for Mac, and Horizon Client for Mac are susceptible to privilege escalation. Attackers with normal user privileges on an affected system can exploit this vulnerability. Successful exploitation allows an attacker to gain root-level control of the system.

  • Local user access required.
  • Attacker executes a malicious program.
  • Attacker gains root privileges.

Live Threat

Current exploitation, exposure, and threat context

The vulnerability affects VMware Fusion, VMware Remote Console for Mac, and Horizon Client for Mac. Attackers with normal user privileges could potentially escalate their access to root on affected systems. This could lead to a significant compromise of the affected machine.

  • Likely attacker skill level: Moderate.
  • Required access or conditions: Local user access.
  • Business risk or urgency: High.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in VMware Fusion, VMware Remote Console for Mac, and Horizon Client for Mac allows an attacker with normal user privileges to escalate their privileges to root. This could lead to unauthorized access and control over the affected system. The risk is classified as internal, requiring local access for exploitation.

  • Identify affected assets.
  • Isolate or reduce exposure.
  • Apply vendor fix and validate.

Frequently asked questions

What is VMware Fusion and what is it used for?

VMware Fusion is virtualization software that lets users run other operating systems, such as Windows or Linux, on a Mac. It is used to test software, run applications that are not native to macOS, or create isolated environments for development.

How does the CVE-2020-3950 vulnerability work?

This vulnerability, classified as improper use of setuid binaries (CWE-269), allows a user with normal privileges on an affected system to gain administrative 'root' access. Essentially, a program with elevated permissions is handled in a way that lets a regular user trick it into doing things only an administrator should be able to do.

What are the conditions needed to exploit CVE-2020-3950?

To exploit this vulnerability, an attacker needs to already have normal user privileges on the system where the vulnerable VMware software is installed. The vulnerability is not triggered by remote access or specific user interactions like opening a file; it requires local access to the machine.

Who should care about this vulnerability based on Halo Surface Signal?

Given that Halo classifies this CVE as internal, organizations should be concerned if they use VMware Fusion, Horizon Client, or Remote Console on Mac devices that are accessed internally by users. Exploitation requires local access, meaning it's not an internet-facing threat but a risk to individual machines within a network.

What is the first step to address this vulnerability?

The immediate first step is to identify which systems are running the affected versions of VMware Fusion, VMware Remote Console for Mac, or Horizon Client for Mac. Once identified, applying the patches or updates provided by VMware is crucial to fix the vulnerability.
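One way to carry out that identification step over a software inventory export, as an added example that is not VMware's or this page's own code. The product-to-range pairing (taken from the order in which the page lists products and ranges), the `(host, product, version)` record shape, and the sample hostnames and build numbers are assumptions constructed for illustration.

```python
import re

# Ranges as listed on this page: (first affected, first fixed).
# Assumption: pairing follows the order the page names the products;
# confirm against the vendor advisory before relying on it.
AFFECTED = {
    "VMware Fusion": ((11, 0, 0), (11, 5, 2)),
    "Horizon Client for Mac": ((5, 0, 0), (5, 4, 0)),
    "VMware Remote Console for Mac": ((11, 0, 0), (11, 0, 1)),
}


def parse_version(text):
    """Return (major, minor, patch) from strings like '11.5.1 (1234567)'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def classify(product, version_text):
    """Return 'affected', 'not affected' or 'unknown' for one install."""
    bounds = AFFECTED.get(product)
    version = parse_version(version_text)
    if bounds is None or version is None:
        return "unknown"  # never report an unparsed record as safe
    first_affected, first_fixed = bounds
    if version < first_affected:
        return "unknown"  # older than the listed range: needs manual review
    return "affected" if version < first_fixed else "not affected"


def triage(inventory):
    """Group hosts from (host, product, version) records by status."""
    result = {"affected": [], "not affected": [], "unknown": []}
    for host, product, version_text in inventory:
        result[classify(product, version_text)].append(host)
    return result


# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE = [
    ("mac-001", "VMware Fusion", "11.5.1 (1234567)"),
    ("mac-002", "VMware Fusion", "11.5.2"),
    ("mac-003", "Horizon Client for Mac", "5.3"),
    ("mac-004", "VMware Remote Console for Mac", "11.0.1"),
    ("mac-005", "VMware Fusion", "10.1.6"),
    ("mac-006", "VMware Fusion", "not reported"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts in the `unknown` group are the ones to check by hand: either the version could not be parsed or it predates the ranges this page lists.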
