VMware Fusion TOCTOU local privilege escalation vulnerability
CVE-2023-34046

7HIGH

Key Information:

Vendor: VMware
Status: Fusion
Vendor: CVE Published:; 20 October 2023

Summary

VMware Fusion prior to version 13.5 contains a TOCTOU vulnerability that can be exploited during the installation process. An attacker with local non-administrative privileges could exploit this flaw to gain elevated privileges, allowing them to execute commands with root-level access on macOS systems where VMware Fusion is installed or being installed. This vulnerability highlights the significance of secure installation practices and the importance of monitoring access levels during application deployment.

Affected Version(s)

Fusion MacOS 13.x < 13.5

References

https://www.vmware.com/security/advisories/VMSA-2023-0022...

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 20, 2023
Vulnerability Reserved
May 25, 2023