
topicnews · September 3, 2024

VMware Fusion: Update closes privilege escalation gap

Broadcom warns of a security vulnerability in VMware Fusion, the hypervisor software for macOS. “The VMware Fusion update addresses a code execution vulnerability,” explains the new owner of the software.

However, the VMware developers do not go into detail in their security advisory. “VMware Fusion contains a code execution vulnerability due to the use of an unsafe environment variable,” is how the authors describe the problem. The vulnerability has been assigned CVE-2024-38811 and, with a CVSS score of 8.8, is rated as high risk.

The programmers further explain that malicious actors with standard user rights could abuse the vulnerability to run code in the context of the Fusion application. Broadcom does not suggest any temporary countermeasures; only updating the software will prevent abuse of the vulnerability. Broadcom also does not explain how a successful attack could be recognized so that those affected could respond appropriately.
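The advisory names the vulnerability class (code execution through an unsafe environment variable) but not the variable or the code path. The following is an added example illustrating the defensive pattern that closes this class in general: a process that must spawn helpers on behalf of a less-privileged caller drops every loader- and interpreter-steering variable, passes only an allowlist through, fixes PATH to system directories, and refuses relative helper names. It is not Broadcom's code or the fixed Fusion code; the variable names in the unsafe set, the allowlist, and the sample environment are this example's own choices.

```python
import os
import subprocess
from typing import Mapping

# Environment variables that let the caller steer what a process loads or
# executes. DYLD_* are macOS dynamic-linker variables (DYLD_INSERT_LIBRARIES,
# DYLD_LIBRARY_PATH, ...), LD_* their Linux counterparts; the interpreter
# search-path names are added for helpers written in those languages.
# This selection is the example's own; the advisory does not say which
# variable Fusion mishandled.
UNSAFE_PREFIXES = ("DYLD_", "LD_")
UNSAFE_NAMES = frozenset({"IFS", "PYTHONPATH", "PERL5LIB", "RUBYLIB"})

# Fixed, absolute search path so helpers are resolved from system locations,
# never from directories the invoking user controls.
SAFE_PATH = "/usr/bin:/bin:/usr/sbin:/sbin"

# Allowlist: only these names are copied from the inherited environment.
ALLOWED = frozenset({"HOME", "USER", "LANG", "TMPDIR"})


def find_injection_vars(env: Mapping[str, str]) -> list:
    """Return, sorted, the names in env that can redirect loading or execution."""
    return sorted(
        name for name in env
        if name.startswith(UNSAFE_PREFIXES) or name in UNSAFE_NAMES
    )


def sanitize_env(inherited: Mapping[str, str]) -> dict:
    """Build a minimal environment: allowlisted variables only, plus a fixed PATH.

    Anything not allowlisted (including every DYLD_*/LD_* name) is dropped,
    and PATH is always replaced, never inherited.
    """
    clean = {name: value for name, value in inherited.items() if name in ALLOWED}
    clean["PATH"] = SAFE_PATH
    return clean


def run_helper(argv, inherited=None):
    """Run a helper given as an absolute path, with a scrubbed environment."""
    if inherited is None:
        inherited = os.environ
    if not os.path.isabs(argv[0]):
        # A bare name would be resolved through PATH; refuse it outright.
        raise ValueError("helper must be an absolute path: %r" % (argv[0],))
    return subprocess.run(
        argv, env=sanitize_env(inherited), capture_output=True, text=True, check=False
    )


if __name__ == "__main__":
    # Constructed sample environment: a standard user has set a dyld injection
    # variable and placed a user-writable directory first in PATH.
    sample = {
        "PATH": "/tmp/user-writable:/usr/bin",
        "DYLD_INSERT_LIBRARIES": "/tmp/user-writable/hook.dylib",
        "HOME": "/Users/alice",
        "EDITOR": "vi",
    }
    print("unsafe variables present:", find_injection_vars(sample))
    print("environment handed to helper:", sanitize_env(sample))
```

The allowlist approach is deliberate: a denylist of known-bad names has to be kept current with every loader and interpreter, whereas copying only what the helper demonstrably needs makes a newly discovered steering variable harmless by default.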

The vulnerability affects VMware Fusion versions 13.x. VMware Fusion 13.6 fixes it. The new version is available for download after registering on the Broadcom download page.
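For administrators checking a fleet of Macs against the affected range stated above (13.x affected, 13.6 fixed), here is an added inventory check; it is not Broadcom's tooling. The install location `/Applications/VMware Fusion.app` and the `CFBundleShortVersionString` bundle key are assumptions about where the version is recorded, not facts taken from the advisory.

```python
import plistlib
from pathlib import Path

# Assumed install location and bundle key; neither is stated in the advisory.
FUSION_APP = Path("/Applications/VMware Fusion.app")
VERSION_KEY = "CFBundleShortVersionString"

AFFECTED_MAJOR = 13        # advisory: 13.x is affected
FIXED_VERSION = (13, 6)    # advisory: 13.6 fixes CVE-2024-38811


def parse_version(text: str) -> tuple:
    """Turn '13.5.2' (or '13.6 build-1234') into a comparable tuple of ints."""
    head = text.strip().split()
    if not head:
        return ()
    parts = []
    for piece in head[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version_text: str) -> bool:
    """True for 13.x versions older than 13.6.

    Other major versions are outside the advisory's stated scope and return
    False; that reflects the advisory's wording, not a claim that they are safe.
    """
    version = parse_version(version_text)
    return bool(version) and version[0] == AFFECTED_MAJOR and version < FIXED_VERSION


def installed_version(app: Path = FUSION_APP):
    """Read the bundle version from Info.plist, or None if Fusion is not installed."""
    plist = app / "Contents" / "Info.plist"
    if not plist.is_file():
        return None
    with plist.open("rb") as fh:
        return plistlib.load(fh).get(VERSION_KEY)


if __name__ == "__main__":
    current = installed_version()
    if current is None:
        print("VMware Fusion not found at", FUSION_APP)
    elif is_affected(current):
        print(f"Fusion {current} is within the affected range of CVE-2024-38811; update to 13.6")
    else:
        print(f"Fusion {current} is not within the advisory's affected range")
```

Tuple comparison handles the usual pitfalls of string comparison: 13.10 sorts after 13.6, and a point release such as 13.6.1 is correctly treated as fixed.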

Since the vulnerability only just misses being rated “critical,” IT managers should bring the VMware Fusion installations in their areas up to date. VMware vulnerabilities are frequently targeted by cyber criminals.

At the end of July, ransomware attacks on VMware ESXi servers were reported. The attacks, which were investigated by Microsoft’s IT researchers, relied on a vulnerability that allowed attackers to bypass authentication in the Active Directory integration and thus abuse it (CVE-2024-37085, CVSS 6.8, risk “medium”). VMware ESXi 8.0 U3 closes that security hole, but Broadcom has not updated older versions.


(dmk)