CVE-2020-3950
Published: 17 March 2020
Summary
CVE-2020-3950 is a high-severity Improper Privilege Management (CWE-269) vulnerability in VMware Fusion. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 5.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2020-3950 is a local privilege escalation vulnerability affecting VMware Fusion versions 11.x prior to 11.5.2, VMware Remote Console for Mac versions 11.x and earlier prior to 11.0.1, and Horizon Client for Mac versions 5.x and earlier prior to 5.4.0. The flaw stems from improper use of setuid binaries and is assigned CWE-269 with a CVSS v3.1 base score of 7.8.
A local attacker with normal user privileges on a Mac system running any of the affected products can exploit the issue to escalate privileges to root. No user interaction or additional privileges beyond standard local access are required for successful exploitation.
The referenced VMware advisory VMSA-2020-0005 addresses the vulnerability and directs users to apply the fixed versions listed for each product. Public exploit code demonstrating the issue has been posted to PacketStorm Security.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-25215
Vulnerability details
VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) contain a privilege escalation vulnerability due to improper use of setuid binaries. Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC or Horizon Client is installed.
- CWE(s): CWE-269
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly counters the improper setuid privilege escalation by enforcing that processes and users operate with only the minimum privileges required.
Enforces access control policies at the OS level so that setuid binaries cannot be abused to obtain unauthorized root access.
Requires timely application of vendor patches that correct the flawed setuid binary handling in the affected VMware products.
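The following is an added example, not code from VMware or from this page's sources: a defender-side check that applies the affected-version ranges stated above and inventories setuid files under a directory, in support of the patching and least-privilege controls. The product keys (`fusion`, `vmrc`, `horizon`) and the audited directory are assumptions made for illustration, and version strings are assumed to be dotted integers.

```python
import os
import stat

# Affected branches and fixed versions as stated in the advisory text above.
# The short product keys are names chosen for this example.
RULES = {
    "fusion":  {"majors": range(11, 12), "fixed": (11, 5, 2)},  # 11.x before 11.5.2
    "vmrc":    {"majors": range(0, 12),  "fixed": (11, 0, 1)},  # 11.x and prior
    "horizon": {"majors": range(0, 6),   "fixed": (5, 4, 0)},   # 5.x and prior
}


def parse_version(text):
    """Turn '11.5.1' or '5.3' into a 3-tuple of ints, padding with zeros."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(product, version_text):
    """True if the version is in a listed branch and below the fixed release."""
    rule = RULES[product]
    version = parse_version(version_text)
    return version[0] in rule["majors"] and version < rule["fixed"]


def setuid_files(root):
    """List setuid regular files under root with owner and loose-write flag."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of root
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append({
                    "path": path,
                    "owner_uid": st.st_uid,  # 0 means the file runs as root
                    "mode": stat.filemode(st.st_mode),
                    # a setuid file that group/other can modify is a finding
                    "loosely_writable": bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
                })
    return sorted(found, key=lambda f: f["path"])


if __name__ == "__main__":
    # Constructed sample input: a version string and a directory to audit.
    print(is_affected("fusion", "11.5.1"))
    for entry in setuid_files("/usr/bin"):
        print(entry)
```

A `False` result from `is_affected` means only that the version falls outside the ranges listed on this page (for example Fusion 10.x), not that the build has been verified as safe.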