CVE-2020-3950 VMware Fusion Elevation of Privilege

VMware Fusion 11.5.12 and prior are vulnerable to an elevation of privilege vulnerability. For more details please review the advisory and proof of concept on my Github page CVE-2020-3950.sh. VMware released a the patch last week and a public advisory VMSA-2020-0005 today however it has been determined that the patch does not properly fix the vulnerability. I reached out to the VMware security team and received a response at 10:31 UTC 2020-03-18 – “We are aware of the situation and working on the next steps”.

I also learned today that Jeff Ball at GRIMM also independently discovered and reported the vulnerability to VMware. This is a first for me. Make sure to read their excellent detailed write-up https://blog.grimm-co.com/post/analyzing-suid-binaries/. You can also follow the thread on Twitter.

PoC for CVE-2020-3950 VMware Fusion EoP. https://t.co/F0jGnE9BZu Vendor Advisory: https://t.co/28f3aoAFsG pic.twitter.com/5WYG9xg5cv

— Rich Mirch (@0xm1rch) March 17, 2020

BleepingComputer VMware Fixes High Severity Privilege Escalation Bug in Fusion
ZDNet VMware patches privilege escalation vulnerability in Fusion, Horizon
SecurityWeek VMware Fixes Privilege Escalation Vulnerability in Fusion for Mac
SecurityWeek Patch for Recently Disclosed VMware Fusion Vulnerability Incomplete
SecurityWeek VMware Again Fails to Patch Privilege Escalation Vulnerability in Fusion
Metasploit Module Blown up by your own Fusion bomb

Rich Mirch

Penetration Tester, Red Teamer, Security Researcher