Security news that informs and inspires

VMware Patches Critical Flaw That Allows Guest Escape


There is a critical vulnerability in VMware’s core Workstation and Fusion products that an attacker could use to gain code execution from the guest to the host.

The vulnerability (CVE-2020-3947) affects version 15.x of VMware Workstation running on any of the supported platforms, as well as Fusion version 11.x on OS X. VMware released patches for the vulnerability this week and customers running vulnerable versions should update as soon as possible now that information about the flaw is public.

“VMware Workstation and Fusion contain a use-after vulnerability in vmnetdhcp. Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial-of-service condition of the vmnetdhcp service running on the host machine,” the VMware advisory says.

The patched versions of Workstation and Fusion are 15.5.2 and 11.5.2, respectively. There are no known workarounds for this flaw.

VMware also fixed two lower-severity vulnerabilities, both privilege escalation bugs, but in different products. One of the vulnerabilities affects the same versions of Workstation and Fusion as the use-after-free weakness, and is only exploitable if virtual printing is enabled, which is not the default setting.

“Linux Guest VMs running on VMware Workstation and Fusion contain a local privilege escalation vulnerability due to improper file permissions in Cortado Thinprint. Exploitation is only possible if virtual printing is enabled in the Guest VM. Virtual printing is not enabled by default on Workstation and Fusion,” the advisory says.

“Local attackers with non-administrative access to a Linux guest VM with virtual printing enabled may exploit this issue to elevate their privileges to root on the same guest VM.”

The second vulnerability affects the Horizon Client, VMRC, and Workstation, all running on Windows.

“For VMware Horizon Client for Windows, VMRC for Windows and Workstation for Windows the folder containing configuration files for the VMware USB arbitration service was found to be writable by all users,” the advisory says.

“A local user on the system where the software is installed may exploit this issue to run commands as any user.”