VMware Fixes Privilege Escalation Vulnerabilities in VMware Tools

Virtualization technology software firm VMware released patches to fix a severe security flaw in its VMware Tools suite of utilities.

The company made the announcement in an advisory on Tuesday, August 23, saying the vulnerability (tracked as CVE-2022-31676) could be exploited by threat actors with local non-administrative access to the Guest OS and used to escalate privileges as a root user in the virtual machine (VM).

The flaw, which reportedly impacted the software on both Windows and Linux systems, is a characteristic example of the inherent risks connected with virtualization security, particularly in relation to threat actors trying to escape a VM to infect the host machine upon which it is based.

“VMware Tools was impacted by a local privilege escalation vulnerability,” the advisory reads. “Updates are available to remediate this vulnerability in affected VMware products.”

The company evaluated the severity of this issue to be in the Important severity range with a maximum Common Vulnerability Scoring System (CVSS) base score of 7.0.

VMware Tools is a suite of software tools used to improve the performance of the VM's guest operating system as well as the resource management of the virtual machine itself. 

CVE-2022-31676 was patched by VMware in version 12.1.0 for Windows and 10.3.25 for Linux machines.

In its advisory, the company also included a link to its External Vulnerability Response and Remediation Policy webpage, designed to allow users and researchers to report additional vulnerabilities, as well as see VMware’s latest security advisories.

The patches for Tools come months after the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to all federal agencies to mitigate two new VMware vulnerabilities. Both of them were subsequently patched by the company.

More recently, CISA’s director Jen Easterly spoke at the DEFCON 30 security conference in Las Vegas, USA, about the ongoing cooperation between the Agency and the U.S. Congress.
