CVE-2018-6964

7.8 HIGH

📋 TL;DR

This CVE describes a local privilege escalation vulnerability in VMware Horizon Client for Linux. Unprivileged users can exploit insecure SUID binary usage to gain root privileges on affected systems. Only Linux systems running vulnerable versions of Horizon Client are affected.

💻 Affected Systems

Products:
  • VMware Horizon Client for Linux
Versions: 4.x before 4.8.0
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Linux installations of Horizon Client. Windows and macOS versions are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with local access gains full root privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement.

🟠 Likely Case

Malicious insider or compromised user account escalates to root, potentially accessing sensitive data or installing malware.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to isolated client systems without critical data.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the system. SUID binary vulnerabilities are commonly exploited.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.8.0 or later

Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2018-0014.html

Restart Required: No

Instructions:

1. Download VMware Horizon Client 4.8.0 or later from VMware website.
2. Uninstall current version.
3. Install updated version.
4. Verify installation.

🔧 Temporary Workarounds

Remove SUID bit from vulnerable binary

linux

Temporarily remove SUID permissions from the vulnerable binary to prevent privilege escalation

sudo chmod u-s /path/to/horizon/binary

Restrict access to Horizon Client

linux

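Limit which users can execute Horizon Client to reduce attack surface. The group name trustedusers below is an example; substitute a group that exists on the system and contains only the users who need the client.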

sudo chmod 750 /opt/vmware/horizon-client/
sudo chown root:trustedusers /opt/vmware/horizon-client/

🧯 If You Can't Patch

  • Implement strict access controls to limit who can use Horizon Client
  • Monitor for privilege escalation attempts and unusual root activity

🔍 How to Verify

Check if Vulnerable:

Check the Horizon Client version with dpkg -l | grep horizon-client or rpm -qa | grep horizon-client. If the version is 4.x and lower than 4.8.0, the system is vulnerable.

Check Version:

horizon-client --version 2>/dev/null || dpkg -l | grep horizon-client || rpm -qa | grep horizon-client

Verify Fix Applied:

Verify that the installed version is 4.8.0 or higher using the version check command.
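
The version rule above (4.x before 4.8.0) and the SUID workaround can be checked together with a small triage helper. This is an added example, not VMware's or this page's own tooling; the function names are hypothetical, and the version string and install directory are supplied by the operator (the version from the check command above, the directory from wherever the client is installed).

```shell
#!/bin/sh
# Added example: triage helper for CVE-2018-6964 (hypothetical names, not vendor code).

# is_vulnerable_version VERSION
# Returns 0 if VERSION is in the affected range stated on this page
# (4.x before 4.8.0), 1 if it is not, 2 if it cannot be parsed.
is_vulnerable_version() {
    ver=${1%%[-+~]*}                 # drop a build/package suffix such as -1234
    case $ver in
        ''|*[!0-9.]*) return 2 ;;    # accept digits and dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                      # split into major, minor, patch
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}
    [ "$major" -eq 4 ] || return 1   # only the 4.x line is listed as affected
    [ "$minor" -lt 8 ]               # 4.0 through 4.7 precede 4.8.0
}

# list_suid DIR
# Prints regular files under DIR that still carry the SUID bit, i.e. the
# candidates for the "chmod u-s" workaround.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# report VERSION INSTALL_DIR
report() {
    rc=0
    is_vulnerable_version "$1" || rc=$?
    case $rc in
        0) echo "VULNERABLE: version $1 is 4.x before 4.8.0" ;;
        1) echo "OK: version $1 is outside the affected range" ;;
        *) echo "UNKNOWN: cannot parse version '$1'"; return 2 ;;
    esac
    echo "SUID files under $2:"
    list_suid "$2" | sed 's/^/  /'
    return "$rc"
}

# Run only when a version and a directory are given on the command line.
if [ "$#" -ge 2 ]; then
    report "$1" "$2"
fi
```

Invoke it as `sh check.sh <version> <install-dir>`; the exit status is 0 when the version is in the affected range, 1 when it is not, and 2 when the version cannot be parsed.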

📡 Detection & Monitoring

Log Indicators:

  • Sudden privilege escalation events
  • Unusual SUID binary execution
  • Failed sudo attempts followed by successful Horizon Client execution

Network Indicators:

  • None - this is a local privilege escalation

SIEM Query:

source="linux_audit" AND ((event_type="EXECVE" AND path="/opt/vmware/horizon-client/*" AND uid_change) OR (event_type="SYSCALL" AND success="yes" AND exe="/opt/vmware/horizon-client/*" AND uid!=euid))
