Now on Demand: CISO Forum Virtual Summit - All Sessions Available to Watch Instantly
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Vulnerabilities Found in VMware Tools, Workspace ONE SDK

VMware on Tuesday advised customers using VMware Tools version 10 for Windows to update their installations to version 11 due to a local privilege escalation vulnerability.

VMware on Tuesday advised customers using VMware Tools version 10 for Windows to update their installations to version 11 due to a local privilege escalation vulnerability.

According to the virtualization giant, the repair operation in VMware Tools 10.x.y is affected by a race condition that allows an attacker who has access to the guest virtual machine to escalate their privileges.

The company says VMware Tools 11.0.0 is not affected as the problematic functionality does not exist in this version.

The vulnerability, tracked as CVE-2020-3941, has been assigned an important severity rating and a CVSS score of 7.8.

“However, if upgrading is not possible, exploitation of this issue can be prevented by correcting the ACLs on C:ProgramDataVMwareVMware CAF directory in the Windows guests running VMware Tools 10.x.y versions. In order to correct ACLs for this directory, remove all write access permissions for Standard User from the directory,” VMware said in a separate document describing workarounds for this flaw.

A few days ago, VMware also informed customers that the Workspace ONE SDK and dependent iOS and Android mobile applications are affected by a vulnerability that can lead to the disclosure of sensitive information.

The company says the affected applications do not properly handle certificate verification failures if SSL pinning is enabled in the UEM Console.

“A malicious actor with man-in-the-middle (MITM) network positioning between an affected mobile application and Workspace ONE UEM Device Services may be able to capture sensitive data in transit if SSL Pinning is enabled,” VMware said.

Advertisement. Scroll to continue reading.

The vulnerability is tracked as CVE-2020-3940 and it has been assigned a moderate severity rating with a CVSS score of 6.8.

Affected applications and SDKs include Workspace ONE Boxer, Content, Intelligent Hub, Notebook, People, PIV-D, Web, and the SDK plugins for Apache Cordova and Xamarin. Patches have been released for each of them.

Related: VMware Patches ESXi Vulnerability That Earned Hacker $200,000

Related: VMware Patches Six Vulnerabilities in Various Products

Related: VMware Unveils New Security Features, Enhancements for NSX, SD-WAN, Secure State

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Secure enterprise browser provider Menlo Security has appointed Bill Robbins as President.

Erik Rolf has joined Booz Allen Hamilton as the Business Information Security Officer (BISO) of Commercial Sector.

Gant Redmon has joined Trustle as its new Chief Executive Officer and Board Director.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.