VMWare Tools Vulnerability Allows Administrative Access

Overview of VMWare Vulnerability CVE-2020-3957

This threat report is about a VMware local privilege escalation vulnerability referred to as CVE-2020-3957. The exploitation of this VMWare tools vulnerability could allow an attacker to gain administrative-level privileges on a system. Patches are available to remediate this VMWare security vulnerability in the affected products.

VMWare Vulnerability CVE-2020-3957 Tactics, Techniques, and Procedures

This vulnerability is caused by a Time-of-check Time-of-use (TOCTOU) weakness in the service opener of VMWare Fusion (11.x before 11.5.5), VMware Remote Console for Mac (11.x and prior), and VMware Horizon Client for Mac (5.x and prior).

The purpose of TOCTOU is to check the state of a resource before using it.

This process can be influenced by attackers to change the state of the resource between check and use. This could result in multiple unauthorized changes including alteration of execution logic, modification of application data, files, directories, and memory. This method of using TOCTOU Race Condition is a common weakness referred to as CWE-367.

If a remote attacker successfully gains initial access to a standard user account on a system running one of the affected software versions, they can utilize this vulnerability to gain root privileges on the system.

VMWare has ranked CVE-2020-3957 in the Important Vulnerability severity range since exploitation could result in the complete compromise of the confidentiality and integrity of user data and machine resources.

What CVE-2020-3957 Can Mean to Your Business

• Exploitation could offer a bad actor unauthorized access and control of confidential company assets and resources.
• This may lead to the loss of sensitive financial, device, account, and security information.

What You Can do About This VMWare Tools Vulnerability

• Verify that all company devices and applications are up to date and running at the latest patch level.
• To remediate CVE-2020-3957, refer to the VMware Security Advisory VMSA-2020-001 link below for patch and upgrade resources.

Additional VMWare Security Resources

VMware Security Advisory VMSA-2020-001 (Patch): https://www.vmware.com/security/advisories/VMSA-2020-0011.html

IBM X-Force Exchange: https://exchange.xforce.ibmcloud.com/vulnerabilities/182729

CVE-2020-3957: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3957

CWE-367: (TOCTOU): https://cwe.mitre.org/data/definitions/367.html

MITRE Mapping(s):

• Exploitation for Privilege Escalation: https://attack.mitre.org/techniques/T1068/
• Account Manipulation: https://attack.mitre.org/techniques/T1098/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Contact us for more information about Avertium’s managed security service capabilities. 

Deciding between running an in-house SOC vs. using managed security services to add more rigor, more relevance, and more responsiveness to your cybersecurity program? Compare the two options. Download the e-book!