Summary:
VMware Fusion contains a local privilege escalation vulnerability that allows an attacker to inject a malicious path into the system-wide PATH environment variable.
Versions Tested:
VMware Fusion Professional v15.5.5
Product:
https://www.vmware.com/products/fusion.html
Security Advisories:
https://www.vmware.com/security/advisories/VMSA-2020-0020.html
CVE Number:
CVE-2020-3980
CVSS Score:
6.7
CWE:
CWE-269: Improper Privilege Management
Vulnerability Details
During startup, VMware Fusion updates the “Public” path in /etc/paths.d/com.vmware.fusion.public using a leading path determined at runtime. A user with standard permissions can make a copy of the application and execute it from an untrusted location, and the value defined in com.vmware.fusion.public will be updated to this location. All interactive sessions, including those of the root user, will then have the untrusted location set in the system PATH environment variable. A trojan horse binary placed in that location would be executed whenever a command of the same name is not found in the standard directories. It is also possible to embed code into the path, which will be executed upon login by any user on the system.
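A defender's check for the condition described above, as an added example that is not part of the original advisory or of VMware's code: it audits every entry under /etc/paths.d for shell metacharacters and for directories that are not root-owned or are writable by group or others. The function names and the `trusted_uids` parameter are assumptions of this example, and only the entry directory itself is checked, not its parent directories.

```python
"""Audit paths.d entries for directories an unprivileged user controls."""
import os
import re
import stat
import sys

# The advisory notes that code embedded in the path runs at login, so any
# character the shell would interpret in a PATH entry is treated as a finding.
SHELL_META = re.compile(r"[$`;&|<>(){}\\\"']")


def check_entry(entry, trusted_uids=frozenset({0})):
    """Return the reasons one PATH entry is unsafe (empty list if clean)."""
    if SHELL_META.search(entry):
        return ["contains shell metacharacters"]
    if not os.path.isabs(entry):
        return ["not an absolute path"]
    try:
        st = os.stat(entry)  # follows symlinks, as command lookup does
    except OSError:
        return ["does not exist"]
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append(f"owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group- or world-writable")
    return reasons


def audit_paths_d(paths_d="/etc/paths.d", trusted_uids=frozenset({0})):
    """Check each line of each file in paths_d; return (file, entry, reason)."""
    findings = []
    for name in sorted(os.listdir(paths_d)):
        path = os.path.join(paths_d, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                entry = line.rstrip("\r\n")
                for reason in (check_entry(entry, trusted_uids) if entry else []):
                    findings.append((name, entry, reason))
    return findings


if __name__ == "__main__":
    results = audit_paths_d(*sys.argv[1:2])  # optional: alternate directory
    for name, entry, reason in results:
        print(f"{name}: {entry!r}: {reason}")
    sys.exit(1 if results else 0)
```

Run with no arguments, it exits non-zero when any entry is flagged, so it can be scheduled or wired into a compliance check.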
The exploit is a two-stage process. The first stage creates an entire copy of the VMware Fusion application using hard links to save space.