CVE-2020-3950
📋 TL;DR
This CVE describes a privilege escalation vulnerability in VMware products for macOS where improper use of setuid binaries allows local attackers with normal user privileges to gain root access. Affected users include anyone running vulnerable versions of VMware Fusion, VMware Remote Console for Mac, or Horizon Client for Mac on macOS systems.
💻 Affected Systems
- VMware Fusion
- VMware Remote Console for Mac
- Horizon Client for Mac
📦 What is this software?
Fusion by VMware
⚠️ Risk & Real-World Impact
Worst Case
Attackers with local access can gain full root privileges on the macOS system, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement.
Likely Case
Malicious insiders or attackers who have gained initial access through other means escalate privileges to install malware, steal sensitive data, or maintain persistence.
If Mitigated
With proper patching and least privilege principles, impact is limited to denial of service or limited data access depending on initial access level.
🎯 Exploit Status
Multiple public exploit write-ups are available. Exploitation requires local user access but is straightforward once that access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: VMware Fusion 11.5.2, VMRC for Mac 11.0.1, Horizon Client for Mac 5.4.0
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2020-0005.html
Restart Required: Yes
Instructions:
1. Download the latest version from the VMware website.
2. Install the update.
3. Restart the system.
4. Verify the installation via the About dialog.
🔧 Temporary Workarounds
Remove setuid permissions from vulnerable binaries
Manually remove the setuid bit from affected binaries to prevent privilege escalation
sudo chmod u-s /path/to/vulnerable/binary
Restrict user access to vulnerable systems
Limit which users have access to systems running vulnerable VMware products
🧯 If You Can't Patch
- Remove or disable vulnerable VMware products from production systems
- Implement strict access controls and monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check VMware product version via About dialog or command line: /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ USB\ Arbitrator\ Service
Check Version:
For Fusion: grep -A1 CFBundleShortVersionString /Applications/VMware\ Fusion.app/Contents/Info.plist
Verify Fix Applied:
Verify installed version is 11.5.2 or later for Fusion, 11.0.1 or later for VMRC, 5.4.0 or later for Horizon Client
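The version check and the setuid workaround above can be combined into a single audit. The script below is an added example, not VMware tooling or code from this page; its function names are illustrative, and it assumes Info.plist is stored as XML text and that version components are numeric.

```shell
#!/bin/sh
# Added example: audit a VMware app bundle against its fixed version.
# Assumes an XML Info.plist and numeric dotted versions; names are illustrative.

# version_lt A B: succeed when dotted version A is older than B.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# bundle_version BUNDLE: print CFBundleShortVersionString from Info.plist.
bundle_version() {
    awk '/<key>CFBundleShortVersionString<\/key>/ {
             getline; gsub(/<[^>]*>|[ \t\r]/, ""); print; exit
         }' "$1/Contents/Info.plist" 2>/dev/null
}

# list_setuid DIR: print regular files under DIR that carry the setuid bit.
list_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

# audit_bundle BUNDLE FIXED: 0 = patched, 1 = below FIXED, 2 = not found.
audit_bundle() {
    v=$(bundle_version "$1")
    [ -n "$v" ] || { echo "UNKNOWN $1 (no readable version)"; return 2; }
    if version_lt "$v" "$2"; then
        echo "VULNERABLE $1: $v < $2"
        list_setuid "$1" | sed 's/^/  setuid: /'
        return 1
    fi
    echo "OK $1: $v >= $2"
}

# Run only when invoked as: sh audit.sh --audit [BUNDLE] [FIXED_VERSION]
if [ "${1:-}" = "--audit" ]; then
    audit_bundle "${2:-/Applications/VMware Fusion.app}" "${3:-11.5.2}"
fi
```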
📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation events
- Setuid binary execution from non-standard users
- Process execution with root privileges from user accounts
Network Indicators:
- None - local exploit only
SIEM Query:
process.name:"VMware USB Arbitrator" AND user.name:!"root" AND process.privileges:"setuid"
🔗 References
- http://packetstormsecurity.com/files/156843/VMware-Fusion-11.5.2-Privilege-Escalation.html
- http://packetstormsecurity.com/files/157079/VMware-Fusion-USB-Arbitrator-Setuid-Privilege-Escalation.html
- https://www.vmware.com/security/advisories/VMSA-2020-0005.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3950