VMware Fusion: Update fixes privilege escalation vulnerability
Broadcom closes a security hole in VMware Fusion with an update. The flaw allows attackers to escalate their privileges.
Broadcom warns of a security vulnerability in VMware Fusion, the hypervisor software for macOS. "The VMware Fusion update addresses a code execution vulnerability," explains the new owner of the software.
However, the VMware developers do not go into great detail in their security advisory. "VMware Fusion contains a code execution vulnerability due to the use of an insecure environment variable," is how the authors describe the problem. The vulnerability has been assigned the CVE number CVE-2024-38811 and is rated as high risk with a CVSS score of 8.8.
Possible attack vector
The developers further explain that malicious actors with standard user rights could abuse the vulnerability to run code in the context of the Fusion application. Broadcom does not propose any temporary countermeasures; only updating the software protects against exploitation of the vulnerability. Broadcom also leaves open how a successful attack can be recognized so that those affected can react appropriately.
The vulnerability affects VMware Fusion 13.x versions. VMware Fusion 13.6 fixes the vulnerability. The new version is available for download on Broadcom's download page after registration.
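As an added example that is not part of the article or of Broadcom's advisory, the following macOS check reads the installed Fusion version from the app bundle's Info.plist and reports whether it falls in the affected 13.x range below 13.6; the bundle path is an assumption (the default install location), and the version comparison handles three-part versions such as 13.5.2.

```python
import plistlib
from pathlib import Path

# Assumed default install location of VMware Fusion on macOS
# (an assumption for this example, not stated in the advisory).
FUSION_INFO_PLIST = Path("/Applications/VMware Fusion.app/Contents/Info.plist")

# First release that contains the fix for CVE-2024-38811, per the advisory.
FIXED_VERSION = (13, 6)


def parse_version(text):
    """Turn '13.5.2' into (13, 5, 2); stops at the first non-numeric component."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version_text):
    """True for any 13.x release older than 13.6, the range named in the advisory."""
    version = parse_version(version_text)
    if not version or version[0] != 13:
        return False
    # Tuple comparison: (13, 5, 2) < (13, 6) is True, (13, 6, 1) < (13, 6) is False.
    return version < FIXED_VERSION


def installed_fusion_version(plist_path=FUSION_INFO_PLIST):
    """Read CFBundleShortVersionString from the app bundle; None if Fusion is absent."""
    try:
        with open(plist_path, "rb") as fh:
            return plistlib.load(fh).get("CFBundleShortVersionString")
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    found = installed_fusion_version()
    if found is None:
        print("VMware Fusion not found at the default path")
    elif is_affected(found):
        print(f"Fusion {found} is affected by CVE-2024-38811: update to 13.6")
    else:
        print(f"Fusion {found} is not in the affected 13.x range")
```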
As the vulnerability only just misses the "critical" risk level, IT managers should update the VMware Fusion installations in their departments. VMware vulnerabilities are often the focus of cybercriminals.
At the end of July, ransomware attacks on VMware ESXi servers became known. The attacks investigated by Microsoft's security researchers exploited a vulnerability that allowed attackers to bypass authentication in the Active Directory integration (CVE-2024-37085, CVSS 6.8, risk "medium"). VMware ESXi 8.0 U3 closes the security hole; Broadcom has not provided an update for older versions.
(dmk)