VMware addresses Fusion flaw introduced in the attempt to fix CVE-2020-3950 issue

2020-06-01 11:13

VMware has released an update to address a privilege escalation flaw in the macOS version of VMware Fusion that was introduced by a previous patch.

In March, VMware patched a high-severity privilege escalation vulnerability (CVE-2020-3950) in Fusion, Remote Console (VMRC) and Horizon Client for Mac.

CVE-2020-3950 is a privilege escalation vulnerability caused by the improper use of setuid binaries; attackers could exploit it to escalate privileges to root.

The flaw was reported by Jeffball of GRIMM and Rich Mirch. VMware assigned it a CVSSv3 base score of 7.3 and rated it as Important severity. The issue impacts the Fusion (11.x before 11.5.2), Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) macOS apps.

Mirch and Jeffball immediately noted that the patch issued by VMware was incomplete. VMware confirmed this a few days later and released a new patch at the end of March. Unfortunately, the new fix introduced a new security issue.

The vulnerability introduced by the second patch, tracked as CVE-2020-3957, is a time-of-check time-of-use (TOCTOU) issue that could allow attackers with low permissions to execute arbitrary code with root privileges.
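
The bug class named above, as an added generic illustration (not VMware's code, and not a reconstruction of CVE-2020-3957, whose internals this article does not describe): a privileged helper that validates a path and then resolves it again, beside a version that validates the descriptor it already opened. The ownership policy, the function names and the `/tmp` sample files are assumptions constructed for the example.

```c
/* Added illustration of the TOCTOU bug class; not VMware code. Names are assumed. */
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
static char other[64]; /* constructed file that violates the policy below */

/* Assumed policy: regular file, owned by `owner`, not group/other-writable. */
static int policy_ok(const struct stat *st, uid_t owner) {
    return S_ISREG(st->st_mode) && st->st_uid == owner &&
           (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Stands in for a concurrent change landing between two system calls. */
static void window(const char *path) { rename(other, path); }

/* Racy: validates the name, then resolves the name a second time. */
int open_checked_by_path(const char *path, uid_t owner) {
    struct stat st;
    if (lstat(path, &st) != 0 || !policy_ok(&st, owner)) return -1;
    window(path);
    return open(path, O_RDONLY);
}

/* Hardened: resolve once (no symlinks), then validate the open descriptor. */
int open_checked_by_fd(const char *path, uid_t owner) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    window(path);
    if (fstat(fd, &st) != 0 || !policy_ok(&st, owner)) { close(fd); return -1; }
    return fd; /* caller keeps using fd, never the path */
}
/* Returns 1 if the descriptor handed back still satisfies the policy. */
int run_demo(int hardened) {
    char good[64] = "/tmp/toctou_good_XXXXXX";
    struct stat st;
    snprintf(other, sizeof other, "/tmp/toctou_other_XXXXXX");
    int g = mkstemp(good), o = mkstemp(other);
    if (g < 0 || o < 0) return -1;
    fchmod(g, 0644); fchmod(o, 0666); close(g); close(o);
    int fd = (hardened ? open_checked_by_fd : open_checked_by_path)(good, getuid());
    int ok = fd >= 0 && fstat(fd, &st) == 0 && policy_ok(&st, getuid());
    if (fd >= 0) close(fd);
    unlink(good); unlink(other);
    return ok;
}
int main(void) { printf("by path: %d, by fd: %d\n", run_demo(0), run_demo(1)); return 0; }
```

The path-based variant hands back a descriptor for a file that no longer meets the policy, while the descriptor-based variant stays bound to the object it validated.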

Last week, the company released version 11.5.5, but the issue for VMRC and Horizon Client for Mac is yet to be approved.

Pierluigi Paganini

The post VMware addresses Fusion flaw introduced in the attempt to fix CVE-2020-3950 issue appeared first on Security Affairs.
