Security Advisory 2024-091

History:

• 04/09/2024 --- v1.0 -- Initial publication

Summary

On September 3, 2024, Broadcom disclosed a high-severity vulnerability in VMware Fusion, which could allow attackers to execute arbitrary code on macOS systems [1].

Technical Details

The vulnerability CVE-2024-38811, with a CVSS score of 8.8, arises from improper handling of environment variables, allowing malicious actors with standard user privileges to execute arbitrary code within the VMware Fusion environment. This may lead to full-system compromise, potentially exposing sensitive data and disrupting operations.

Affected Products

• VMware Fusion versions prior to 13.6, running on macOS.

Recommendations

CERT-EU recommends to immediately update VMware Fusion to a fixed version.

References

[1] https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24939