VMware has released VMware Tools 11.0.0 that addresses a local privilege escalation issue in Tools 10.x.y tracked as CVE-2020-3941. The issue, classified as a race condition flaw that could be exploited by an attacker to access the guest virtual machine to escalate privileges.
“A malicious actor on the guest VM might exploit the race condition and escalate their privileges on a Windows VM. This issue affects VMware Tools for Windows version 10.x.y as the affected functionality is not present in VMware Tools 11.” reads the advisory published by the company.
The vulnerability has been assigned an important severity rating and a CVSS score of 7.8. The company also suggests a workaround in case users cannot upgrade their version.
“However, if upgrading is not possible, exploitation of this issue can be prevented by correcting the ACLs on C:\ProgramData\VMware\VMware CAF directory in the Windows guests running VMware Tools 10.x.y versions. In order to correct ACLs for this directory, remove all write access permissions for Standard User from the directory,” reads Workaround for VMware Tools for Windows security vulnerability (CVE-2020-3941) (76654).
Recently the virtualization giant also disclosed an information disclosure issue, tracked as CVE-2020-3940, that affects Workspace ONE SDK and dependent iOS and Android mobile applications.
Vulnerable applications do not properly handle certificate verification failures if SSL pinning is enabled in the UEM Console.
“A sensitive information disclosure vulnerability in the VMware Workspace ONE SDK was privately reported to VMware.” states the security advisory.
“A malicious actor with man-in-the-middle (MITM) network positioning between an affected mobile application and Workspace ONE UEM Device Services may be able to capture sensitive data in transit if SSL Pinning is enabled.”
The vulnerability has been assigned an important severity rating and a CVSS score of 6.8.
The list of vulnerable applications and SDKs include Workspace ONE Boxer, Content, Intelligent Hub, Notebook, People, PIV-D, Web, and the SDK plugins for Apache Cordova and Xamarin.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – VM, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…
Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…
Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…
Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…
Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…
The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…
This website uses cookies.