Recently VMWare released a patch for the flaw tracked as CVE-2020-3950 that affected Fusion, Remote Console (VMRC) and Horizon Client for Mac. However, while the vulnerability has been fixed for VMRC and Horizon Client, the patch does not completely fix the vulnerability for the Fusion product. The researchers credited for finding the vulnerability, “Jeffball” from cybersecurity firm GRIMM and Rich Mirch, say that the original proof of concept (PoC) exploit code, which they have publicly released, still works against Fusion 11.5.2. “VMware USB Arbitrator Service and Open VMware Fusion Services are both setuid root binaries located at /Applications/VMware Fusion.app/Contents/Library/services,” Mirch stated in his description of the PoC exploit. “When executed outside of the standard path the binaries can be tricked into executing a program from a path that the attacker controls. This is achieved by creating a hard link to the original binary. The binaries use part of the attacker-controlled path when executing the service and do not correctly validate that the target binary is legit.”
Analyst Notes
VMWare has stated that the next Fusion release will take care of the issue. Until then users are recommended to complete the following steps as found in the VMWare KB78294 article:
1. Update the version of Fusion to 11.5.2.
2. Quit Fusion.
3. Download the FusionOpenUSB_update1.zip file attached to this Knowledge Base article which contains a replacement for the file “Open VMware USB Arbitrator Service”, unzip it.
4. Copy the original “Open VMware USB Arbitrator Service” to another name in “Documents” folder for backup purposes:
sudo cp -f “/Contents/Library/services/Open VMware USB Arbitrator Service” “~/Documents/Open VMware USB Arbitrator Service backup”
5. Copy the downloaded version of “Open VMware USB Arbitrator Service” over the original file:
cd //FusionOpenUSB
sudo cp -f “./Open VMware USB Arbitrator Service” “/Contents/Library/services/Open VMware USB Arbitrator Service”
6. Start Fusion.
For more information please visit: https://www.securityweek.com/recent-patch-vmware-fusion-vulnerability-incomplete
