VMware Released an Update for macOS to Fix a Privilege Escalation Vulnerability

VMware issued an update to the macOS edition of Fusion to address a privilege escalation flaw for which an incomplete patch was initially released. However, one of the researchers says the fix is “still bad.” On March 17, VMware informed customers that Fusion, Remote Console (VMRC), and Horizon Application for Mac were affected by a high-severity privilege escalation vulnerability tracked as CVE-2020-3950. The vulnerability, caused by improper use of setuid binaries, enables an attacker with standard user privileges to escalate to root.

The company published update 11.5.2 to fix the bug, but the researchers credited in the VMware security advisory, Jeffball from GRIMM and Rich Mirch, both noticed that the fix was insufficient.

The researchers published technical details and proof-of-concept (PoC) exploit code after VMware released the original patches.

Mirch issued the following vulnerability description:

VMware USB Arbitrator Service and Open VMware Fusion Services are both setuid root binaries located at /Applications/VMware Fusion.app/Contents/Library/services. When executed outside of the standard path the binaries can be tricked into executing a program from a path that the attacker controls. This is achieved by creating a hard link to the original binary. The binaries use part of the attacker-controlled path when executing the service and do not correctly validate that the target binary is legit.

After learning that the patch was incomplete, VMware revised its advisory with recommendations to prevent exploitation and promised to deliver a full patch with the next Fusion version.

VMware has published 11.5.3, which the company claims contains a full patch. Mirch said he had not had a chance to test the latest fix, but Jeffball did, and he found that it could be bypassed. The researcher says he has developed a new PoC exploit.

After VMware released the first fix for CVE-2020-3950, Jeffball said:

“Open VMware Fusion Services binary is fixed, but the Open VMware USB Arbitrator Service binary is not. When running the exploit for Fusion services, it gets a bad code signature error, but the same thing works fine on the USB arbitrator service.”

After VMware’s second patch, the researcher said:


“Basically the fix has a TOCTOU [time-of-check time-of-use] issue now since they only check the signature at the start of the binary, and thus an exploit can race the code to swap it after the check.”
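
The time-of-check/time-of-use gap described in the last quote closes when a launcher opens the helper once and performs both the check and the later use through that one file descriptor. The C example below is an added illustration, not VMware's code or the researchers' PoC; `open_verified`, `fd_survives_path_swap`, the `/tmp` file names and the ownership/mode policy (standing in for the code-signature check) are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open once and validate the opened object, not its path. Returns an fd or -1.
 * trusted_uid lets the example run unprivileged; a root launcher would pass 0. */
int open_verified(const char *path, uid_t trusted_uid, struct stat *st)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);   /* refuse a symlinked leaf */
    if (fd < 0)
        return -1;
    if (fstat(fd, st) != 0 || !S_ISREG(st->st_mode) ||
        st->st_uid != trusted_uid ||
        (st->st_mode & (S_IWGRP | S_IWOTH))) {    /* others must not write */
        close(fd);
        return -1;
    }
    /* A signature or hash check belongs here, reading through fd, and the
     * later use of the file must go through this same fd, never the path. */
    return fd;
}

/* Constructed scenario: the path is replaced after the check. Returns 1 when
 * the fd still names the verified inode while the path no longer does. */
int fd_survives_path_swap(void)
{
    char good[] = "/tmp/helper_good_XXXXXX", other[] = "/tmp/helper_other_XXXXXX";
    struct stat checked, via_fd, via_path;
    int g = mkstemp(good), o = mkstemp(other), ok = 0;
    if (g >= 0 && o >= 0) {
        int fd = open_verified(good, geteuid(), &checked);
        if (fd >= 0 && rename(other, good) == 0 &&
            fstat(fd, &via_fd) == 0 && stat(good, &via_path) == 0)
            ok = via_fd.st_ino == checked.st_ino && via_path.st_ino != checked.st_ino;
        if (fd >= 0)
            close(fd);
    }
    if (g >= 0) close(g);
    if (o >= 0) close(o);
    unlink(good);
    unlink(other);
    return ok;
}

int main(void) { return fd_survives_path_swap() ? 0 : 1; }
```

A launcher that checks the path and then executes the path sees the second file after the replacement; one that keeps working through the verified descriptor does not.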
