VMware Patches High-Severity Code Execution Flaw in Fusion

VMware on Tuesday pushed out a security update for its Fusion hypervisor to address a high-severity vulnerability that exposes users to code execution exploits.

The root cause of the issue, tracked as CVE-2024-38811 (CVSS 8.8/10), is an insecure environment variable, VMware notes in an advisory. “VMware Fusion contains a code execution vulnerability due to the usage of an insecure environment variable. VMware has evaluated the severity of this issue to be in the ‘Important’ severity range.”

According to VMware, the CVE-2024-38811 defect could be exploited to execute code in the context of Fusion, which could potentially lead to complete system compromise.

“A malicious actor with standard user privileges may exploit this vulnerability to execute code in the context of the Fusion application,” VMware says.

The company has credited Mykola Grymalyuk of RIPEDA Consulting for identifying and reporting the bug.

The vulnerability impacts VMware Fusion versions 13.x and was addressed in version 13.6 of the application.

There are no workarounds available for the vulnerability and users are advised to update their Fusion instances as soon as possible, although VMware makes no mention of the bug being exploited in the wild.
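Since the only mitigation is updating, an inventory check that flags Fusion installs still in the affected range (13.x before 13.6) is the practical follow-up. The script below is an added example, not code from VMware or the advisory; the Info.plist path under /Applications and the CFBundleShortVersionString key are assumptions about a standard macOS app bundle layout.

```python
"""Flag VMware Fusion installs in the affected range for CVE-2024-38811
(Fusion 13.x prior to 13.6, per the advisory summarised above).

Assumptions (not stated in the article): Fusion lives at the default
/Applications path and its Info.plist carries CFBundleShortVersionString.
"""
import plistlib
from pathlib import Path
from typing import Optional, Tuple

AFFECTED_MAJOR = 13
FIXED_VERSION = (13, 6)

# Assumed default install location on macOS.
FUSION_PLIST = Path("/Applications/VMware Fusion.app/Contents/Info.plist")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '13.5.2' into (13, 5, 2).

    Only the first whitespace-separated token is used, so a string such as
    '13.6.0 build-1234' parses as (13, 6, 0). Parsing stops at the first
    component with no digits.
    """
    head = text.strip().split()[0]
    parts = []
    for piece in head.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version is a 13.x release older than 13.6."""
    v = parse_version(version)
    return v[0] == AFFECTED_MAJOR and v[:2] < FIXED_VERSION


def installed_version(plist_path: Path = FUSION_PLIST) -> Optional[str]:
    """Read the bundle version string; None when Fusion is not at the assumed path."""
    if not plist_path.is_file():
        return None
    with plist_path.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


if __name__ == "__main__":
    ver = installed_version()
    if ver is None:
        print("VMware Fusion not found at the assumed path")
    elif is_affected(ver):
        print(f"Fusion {ver} is in the affected range for CVE-2024-38811; update to 13.6 or later")
    else:
        print(f"Fusion {ver} is not in the affected range")
```

Run it on each managed Mac (or feed `is_affected` the version strings your MDM already collects); any install reported as affected should be scheduled for the 13.6 update, since the advisory offers no workaround.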

The latest VMware Fusion release also rolls out with an update to OpenSSL version 3.0.14, which was released in June with patches for three vulnerabilities that could lead to denial-of-service conditions or could cause the affected application to become very slow.
