Naked Security Naked Security

VMware patches virtualisation bugs

Virtualisation company VMware patched two bugs this week that affected a large proportion of its client-side virtual machines.

Virtualisation company VMware patched two bugs this week that affected a large proportion of its client-side virtual machines (VMs).
VMware made its name offering server virtualisation products that recreate server hardware in software, allowing admins to run many virtual servers on the same physical box at once. Most ‘type one’ server hypervisors, including VMware’s, run directly on the bare metal instead of an installed operating system.
The company also has another strand to its business, though: ‘type two’ hypervisors that enable people to run guest operating systems in virtual machines (VMs) on their client devices, too. These let you run Windows or Linux on a Mac, for example. They work differently, running on top of the client operating system as applications, meaning that you don’t have to replace your core operating system to run VMs.
Finally, its desktop virtualisation system, called Horizon, puts the whole desktop environment on a server so that users can access it from anywhere.
Between them, these bugs affect all of these services in some way. CVE-2020-3950, which VMware gives as a CVSS v3 store of 7.3, affects version 11 of Fusion, its type 2 hypervisor for Macs. It’s a privilege elevation vulnerability stemming from the improper use of setuid binaries (setuid is a *nix tool that lets users run certain programs with elevated privileges). It also affects two other programs for the Mac: Versions 5 and prior of the Horizon client that lets Mac users log into virtual Horizon desktops, and version 11 and prior of the Virtual Machine Remote Console that lets Mac users access remote virtual machines.

CVE-2020-3951 is less dire, getting a CVSS v3 score of 3.2 and a low severity ranking (that comes from VMware, as the National Vulnerability Database entry hadn’t been updated at press time). It’s a denial of service vulnerability in Cortado ThinPrint, a third-party software tool that VMware integrates natively into virtual machines to give them printing functionality.
This bug affects version 15 of the VMware Workstation type 2 hypervisor for Windows, along with version 5 and prior of the Windows Horizon client. It’s a heap overflow problem that allows a non-administrative VM user to “create a denial-of-service condition of the ThinPrint service”.

Last week’s bugs

This is the second advisory in five days for VMware, which announced three other bugs on 12 March. These included a critical flaw, CVE-2020-3947, which affected Workstation on all platforms and the Fusion Mac software. This use-after-free flaw could enable code execution on the host computer from the guest OS, it said.
The other two bugs were ranked important. There was a privilege elevation in the Horizon, VMRC, and Workstation clients on Windows, ranked important (CVE-2019-5543, CVSS v3 7.3), which allowed a local system user to run commands as any user. Another bug in ThinPrint, ranked important (CVE-2020-3948, CVSS v3 7.8) also allowed a privilege elevation that could give non-administrative users root access on Linux VMs.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.

Leave a Reply

Your email address will not be published. Required fields are marked *