VMware has released VMware Tools 11.0.0 that addresses a local privilege escalation issue in Tools 10.x.y tracked as CVE-2020-3941. The issue, classified as a race condition flaw that could be exploited by an attacker to access the guest virtual machine to escalate privileges.
“A malicious actor on the guest VM might exploit the race condition and escalate their privileges on a Windows VM. This issue affects VMware Tools for Windows version 10.x.y as the affected functionality is not present in VMware Tools 11.” reads the advisory published by the company.
The vulnerability has been assigned an important severity rating and a CVSS score of 7.8. The company also suggests a workaround in case users cannot upgrade their version.
“However, if upgrading is not possible, exploitation of this issue can be prevented by correcting the ACLs on C:\ProgramData\VMware\VMware CAF directory in the Windows guests running VMware Tools 10.x.y versions. In order to correct ACLs
Recently the virtualization giant also disclosed an information disclosure issue, tracked as CVE-2020-3940, that affects Workspace ONE SDK and dependent iOS and Android mobile applications.
Vulnerable applications do not properly handle
“A sensitive information disclosure vulnerability in the VMware Workspace ONE SDK was privately reported to VMware.” states the security advisory.
“A malicious actor with man-in-the-middle (MITM) network positioning between an affected mobile application and Workspace ONE UEM Device Services may be able to capture sensitive data in transit if SSL Pinning is enabled.”
The vulnerability has been assigned an important severity rating and a CVSS score of 6.8.
The list of vulnerable applications and SDKs include Workspace ONE Boxer, Content, Intelligent Hub, Notebook, People, PIV-D, Web, and the SDK plugins for Apache Cordova and Xamarin.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.