Instructions to remediate VMware Fusion setuid security vulnerability (CVE-2020-3950)

Article ID: 324679

Products

VMware Desktop Hypervisor

Issue/Introduction

Symptoms:
This article contains instructions to address CVE-2020-3950 in VMware Fusion. This vulnerability and its impact on VMware products are documented in VMSA-2020-0005. Please review this advisory before continuing, as there may be considerations outside the scope of this document.
The VMware Fusion team has investigated CVE-2020-3950 and determined that the possibility of exploitation can be removed by performing the steps detailed in the "Resolution" section of this article.
VMware Fusion Functionality Impact
None.

Resolution

Steps to follow as root user on the system to remediate CVE-2020-3950 in VMware Fusion:

  1. Update the version of Fusion to 11.5.2.
  2. Quit Fusion.
  3. Download the FusionOpenUSB_update1.zip file attached to this Knowledge Base article, which contains a replacement for the file "Open VMware USB Arbitrator Service", and unzip it.
  4. Copy the original "Open VMware USB Arbitrator Service" to another name in the "Documents" folder for backup purposes:
     sudo cp -f "<Fusion installed directory>/Contents/Library/services/Open VMware USB Arbitrator Service" "$HOME/Documents/Open VMware USB Arbitrator Service backup"
  5. Copy the downloaded version of "Open VMware USB Arbitrator Service" over the original file:
     cd "/<path to unzipped FusionOpenUSB_update1>/FusionOpenUSB"
     sudo cp -f "./Open VMware USB Arbitrator Service" "<Fusion installed directory>/Contents/Library/services/Open VMware USB Arbitrator Service"
  6. Start Fusion.

Steps to follow to remove ("undo") the remediation of CVE-2020-3950 in VMware Fusion:

  1. Quit Fusion.
  2. Rename the backup file "Open VMware USB Arbitrator Service backup" to its original name:
     sudo cp -f "$HOME/Documents/Open VMware USB Arbitrator Service backup" "<Fusion installed directory>/Contents/Library/services/Open VMware USB Arbitrator Service"
  3. Start Fusion.

NOTE: <Fusion installed directory> is the directory where VMware Fusion is installed. On macOS, the default VMware Fusion installation directory is "/Applications/VMware Fusion.app"; if Fusion is installed in a custom directory, use that custom directory path instead.

Checksum of the file:  fixFusionOpenUSB_update1.zip
MD5SUM: 74683e01efcec3486a3dae887f37a3b4
SHA1SUM: 65b9a30edd6cc1258fa8fdb3a410ae6d9098635d
SHA256SUM: f0c0c8d9b4af735ff8757b8eaf7592a40cdb62eec15e77c0ebe24840c40f6b5f

Checksum of the file: Open VMware USB Arbitrator Service
MD5SUM: da9fb0dcb2cf6ffbe66376b06621a0bf
SHA1SUM: 38c9638260fe2fbe679422ef421b66698bde8baf
SHA256SUM: 27eb61772f907e9fdd340218b983287be437b34af88fcfaf8f1801490ca7109c

Attachments

fixFusionOpenUSB_update1