VMware has issued a second update for the macOS version of Fusion to address a privilege escalation flaw that an earlier patch only partially fixed. However, one of the researchers who found the first fix to be incomplete says the new one is still flawed. On March 17, VMware informed customers that Fusion, Remote Console (VMRC) and Horizon Client for Mac were affected by a high-severity privilege escalation vulnerability tracked as CVE-2020-3950. The vulnerability, caused by improper use of setuid binaries, allows an attacker with normal user privileges to escalate to root.
The company released version 11.5.2 to fix the bug, but the researchers credited in VMware's advisory, Jeffball of GRIMM and Rich Mirch, both noticed that the fix was incomplete.
The researchers made technical details and proof-of-concept (PoC) exploit code available after VMware released the original patches.
Mirch described the vulnerability as follows:
VMware USB Arbitrator Service and Open VMware Fusion Services are both setuid root binaries located at /Applications/VMware Fusion.app/Contents/Library/services. When executed outside of the standard path, the binaries can be tricked into executing a program from a path that the attacker controls. This is achieved by creating a hard link to the original binary. The binaries use part of the attacker-controlled path when executing the service and do not correctly validate that the target binary is legit.
After learning that the patch was incomplete, VMware updated its advisory with workarounds to prevent exploitation and promised to deliver a complete fix in the next Fusion release.
VMware has now released Fusion 11.5.3, which the company says contains a complete fix. Mirch said he has not had a chance to test the latest fix, but Jeffball has, and he found that it can still be bypassed. The researcher says he has developed a new PoC exploit.
After VMware released the first fix for CVE-2020-3950, Jeffball said:
“Open VMware Fusion Services binary is fixed, but the Open VMware USB Arbitrator Service binary is not. When running the exploit for Fusion services, it gets a bad code signature error, but the same thing works fine on the USB arbitrator service.”
After VMware's second patch, the researcher said:
“Basically the fix has a TOCTOU [time-of-check time-of-use] issue now since they only check the signature at the start of the binary, and thus an exploit can race the code to swap it after the check.”
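The two bug patterns described in the quotes above, modelled in an added C example that is not VMware's code and does not touch Fusion at all: first, a launcher that derives a helper's location from its own invocation path (which a hard link puts under attacker control, while the setuid bit survives), beside a version that only ever uses a fixed trusted path; second, a check-then-use race in which a launcher verifies a file by path and then executes by path, beside a version that verifies and uses the same open file descriptor. The helper name, the attacker directory /tmp/attacker, the scratch files created under /tmp, and the content-equality test standing in for a code-signature check are all constructions for the demo; fexecve, which the hardened launcher stands in for, exists on Linux but not on macOS.

```c
/* Added illustration, not VMware's code: a toy model of the two bug patterns
 * described on this page. Helper name, scratch files and the content-equality
 * "signature" are constructed for the demo. Build: cc -std=c11 -Wall demo.c */
#define _GNU_SOURCE
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The installed location; a trusted launcher should only ever use this. */
#define TRUSTED_DIR "/Applications/VMware Fusion.app/Contents/Library/services"

/* Pattern 1 (vulnerable): locate a helper relative to the launcher's own
 * invocation path. A hard link keeps the setuid bit but lives wherever the
 * attacker made it, so argv[0]'s directory is attacker-controlled. */
const char *helper_path_naive(const char *argv0, const char *helper) {
    static char out[PATH_MAX];          /* static buffer for demo simplicity */
    char tmp[PATH_MAX];
    snprintf(tmp, sizeof tmp, "%s", argv0);          /* dirname() may modify */
    snprintf(out, sizeof out, "%s/%s", dirname(tmp), helper);
    return out;
}

/* Pattern 1 (hardened): ignore how we were invoked; use the fixed path. */
const char *helper_path_fixed(const char *helper) {
    static char out[PATH_MAX];
    snprintf(out, sizeof out, "%s/%s", TRUSTED_DIR, helper);
    return out;
}

/* Stand-in for a code-signature check: the file must contain exactly this.
 * A real signature check races the same way when it is done by path. */
static const char GENUINE[] = "#!/bin/sh\necho genuine service\n";

static int contents_ok(int fd) {
    char buf[256];
    ssize_t n = pread(fd, buf, sizeof buf - 1, 0);
    if (n < 0) return 0;
    buf[n] = '\0';
    return strcmp(buf, GENUINE) == 0;
}

/* Hook run in the window between check and use; the demo's attacker uses
 * it to atomically rename their own file over the path that was checked. */
typedef void (*race_fn)(void *ctx);

/* Pattern 2 (vulnerable): verify by path, then execute by path.
 * Returns 1 if the genuine file was used, 0 if the swapped one, -1 on error. */
int launch_vulnerable(const char *path, race_fn race, void *ctx) {
    int fd = open(path, O_RDONLY);
    int ok = fd >= 0 && contents_ok(fd);
    if (fd >= 0) close(fd);
    if (!ok) return -1;                 /* check: signature looked fine ...  */
    if (race) race(ctx);                /* ... but the path can change here  */
    fd = open(path, O_RDONLY);          /* use: what execve(path) would run  */
    ok = fd >= 0 && contents_ok(fd);
    if (fd >= 0) close(fd);
    return ok;
}

/* Pattern 2 (hardened): open once, verify that descriptor, run that
 * descriptor (fexecve on Linux). Renaming the path no longer changes the
 * inode we verified; the file itself must also not be attacker-writable. */
int launch_hardened(const char *path, race_fn race, void *ctx) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (!contents_ok(fd)) { close(fd); return -1; }
    if (race) race(ctx);
    int ok = contents_ok(fd);           /* stands in for fexecve(fd, argv, envp) */
    close(fd);
    return ok;
}

struct swap { const char *victim, *replacement; };
static void swap_file(void *ctx) {
    struct swap *s = ctx;
    rename(s->replacement, s->victim);  /* atomic directory-entry replacement */
}

static int write_file(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0700);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Builds a scratch directory (constructed test data) holding the genuine
 * service and the attacker's replacement, races the chosen launcher, cleans up. */
int demo(int hardened) {
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char victim[PATH_MAX], evil[PATH_MAX];
    snprintf(victim, sizeof victim, "%s/service", dir);
    snprintf(evil, sizeof evil, "%s/evil", dir);
    int r = -1;
    if (write_file(victim, GENUINE) == 0 &&
        write_file(evil, "#!/bin/sh\n/bin/sh -i\n") == 0) {
        struct swap s = { victim, evil };
        r = hardened ? launch_hardened(victim, swap_file, &s)
                     : launch_vulnerable(victim, swap_file, &s);
    }
    unlink(victim); unlink(evil); rmdir(dir);
    return r;
}

int main(void) {
    printf("naive helper path: %s\n",
           helper_path_naive("/tmp/attacker/Open VMware Fusion Services", "helper"));
    printf("fixed helper path: %s\n", helper_path_fixed("helper"));
    printf("vulnerable launcher ran genuine code: %d\n", demo(0));  /* 0 */
    printf("hardened launcher ran genuine code:   %d\n", demo(1));  /* 1 */
    return 0;
}
```

The demo's rename() is the deterministic stand-in for the race the quote describes: a real attacker loops, swapping the file in the hope of landing between the signature check and the exec. Verifying and executing the same descriptor closes that window against path swaps; it does not help if the attacker can write to the verified inode itself, so the file and its directory still need to be root-owned and non-writable. Since macOS has no fexecve, the practical equivalent there is to execute only from the fixed trusted path inside such a directory, never from anything derived from the invocation path.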