VMware Security Announcement VMSA-2021-0013 CVSSv3 Score 7.8 Important

Today VMware released a new security advisory, VMSA-2021-0013. The advisory covers VMware Tools, VMRC and VMware App Volumes; the update addresses a local privilege escalation vulnerability (CVE-2021-21999).

Impacted Products
  • VMware Tools for Windows
  • VMware Remote Console for Windows (VMRC for Windows)
  • VMware App Volumes

Introduction

A local privilege escalation vulnerability in VMware Tools for Windows, VMRC for Windows and VMware App Volumes was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

VMware Tools, VMRC and VMware App Volumes update addresses a local privilege escalation vulnerability (CVE-2021-21999)

Description

VMware Tools for Windows, VMRC for Windows and VMware App Volumes contain a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

Known Attack Vectors

An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as 'openssl.cnf' in an unrestricted directory, which would allow code to be executed with elevated privileges.
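
For hosts that cannot be patched immediately, the condition described above can be audited. The following is an added example, not part of the advisory or any VMware code: it parses saved `icacls <directory>` output and reports whether low-privileged principals can create files in a directory from which a privileged process reads `openssl.cnf`. The directory path, the sample ACLs and all function names are assumptions; the advisory does not name the directory.

```python
import re

# Principals that cover ordinary, non-administrative users.
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
# icacls right codes that permit creating a file in a directory.
CREATE_FILE = {"F", "M", "W", "WD", "GA", "GW"}
ACE_RE = re.compile(r"^([^:]+):((?:\([^)]*\))+)$")

def parse_aces(icacls_text, directory):
    """Yield (principal, tokens) for each ACE in saved `icacls <directory>` output."""
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.lower().startswith(directory.lower()):
            line = line[len(directory):].strip()  # first ACE shares the path's line
        m = ACE_RE.match(line)
        if m:
            yield m.group(1).strip(), re.findall(r"\(([^)]*)\)", m.group(2))

def low_priv_writers(icacls_text, directory):
    """Return low-privileged principals allowed to create files in the directory."""
    found = set()
    for who, tokens in parse_aces(icacls_text, directory):
        if who.lower() not in LOW_PRIV or "DENY" in tokens:
            continue  # deny entries grant nothing; deny precedence is not modelled
        if "IO" in tokens:
            continue  # inherit-only: applies to children, not to this directory
        rights = {r.strip() for t in tokens for r in t.split(",")}
        if rights & CREATE_FILE:
            found.add(who)
    return sorted(found)

def audit(directory, icacls_text, filenames):
    """Summarise one directory: who can write, and is an openssl.cnf already there."""
    writers = low_priv_writers(icacls_text, directory)
    present = any(f.lower() == "openssl.cnf" for f in filenames)
    return {"directory": directory, "unrestricted": bool(writers),
            "writable_by": writers, "openssl_cnf_present": present}

# Constructed sample data: hypothetical path and ACLs, not taken from the advisory.
SAMPLE_DIR = r"C:\ExampleApp\ssl"
SAMPLE_OPEN = r"""C:\ExampleApp\ssl BUILTIN\Administrators:(I)(OI)(CI)(F)
                  BUILTIN\Users:(I)(OI)(CI)(RX)
                  NT AUTHORITY\Authenticated Users:(I)(M)
                  NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)"""
SAMPLE_LOCKED = r"""C:\ExampleApp\ssl BUILTIN\Administrators:(OI)(CI)(F)
                  BUILTIN\Users:(OI)(CI)(RX)
                  BUILTIN\Users:(CI)(IO)(WD)"""

if __name__ == "__main__":
    print(audit(SAMPLE_DIR, SAMPLE_OPEN, ["openssl.cnf"]))
```

A directory reported as unrestricted that already contains an `openssl.cnf` warrants review of that file's owner and creation time; applying the fixed versions listed under Resolution remains the remediation.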

Resolution

For VMware Tools for Windows 11.x and prior, apply fixed version 11.2.6. Download links to follow.

For VMRC for Windows 12.x, apply fixed version 12.0.1. Download links to follow.

For App Volumes 4, apply fixed version 2103. Download links to follow.

For App Volumes 2.x, apply fixed version 2.18.10. Download links to follow.

Fixed Version(s) and Release Notes:

VMware Tools for Windows 11.2.6

Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/info/slug/datacenter_cloud_infrastructure/vmware_tools/11_x
https://docs.vmware.com/en/VMware-Tools/11.2/rn/VMware-Tools-1126-Release-Notes.html


VMware Remote Console for Windows 12.0.1

Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VMRC1201&productId=974
https://docs.vmware.com/en/VMware-Remote-Console/12.0/rn/VMware-Remote-Console-1201-Release-Notes.html

VMware App Volumes 4 2103

Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=AV-440-ADV&productId=961&rPId=65809
https://docs.vmware.com/en/VMware-App-Volumes/2103/rn/VMware-App-Volumes-4-version-2103.html

VMware App Volumes 2.18.10

Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=AV-21810&productId=534&rPId=63696
https://docs.vmware.com/en/VMware-App-Volumes/2.18.10/rn/VMware-App-Volumes-21810-Release-Notes.html