VMSA-2024-0018: VMware Fusion update addresses a code execution vulnerability (CVE-2024-38811)
24939
03 September 2024
03 September 2024
OPEN
HIGH
8.8
CVE-2024-38811
Advisory ID: VMSA-2024-0018
Advisory Severity: Important
CVSSv3 Range: 8.8
Synopsis: VMware Fusion update addresses a code-execution vulnerability (CVE-2024-38811)
Issue date: 2024-09-03
Updated on: 2024-09-03 (Initial Advisory)
CVE(s): CVE-2024-38811
1. Impacted Products
- VMware Fusion
2. Introduction
A code-execution vulnerability in VMware Fusion was responsibly reported to VMware. Updates are available to remediate this vulnerability in the affected VMware product.
3. VMware Fusion code-execution vulnerability (CVE-2024-38811)
Description:
VMware Fusion contains a code-execution vulnerability due to the usage of an insecure environment variable. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.
Known Attack Vectors:
A malicious actor with standard user privileges may exploit this vulnerability to execute code in the context of the Fusion application.
Resolution:
To remediate CVE-2024-38811, update to the version listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None
Additional Documentation:
None
Acknowledgments:
VMware would like to thank Mykola Grymalyuk of RIPEDA Consulting for reporting this issue to us.
Notes:
None
Response Matrix:
VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
---|---|---|---|---|---|---|---|---|
VMware Fusion | 13.x | MacOS | CVE-2024-38811 | 8.8 | Important | 13.6 | | None |
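To apply the response matrix to a host, the following added example (not part of the advisory or any VMware tooling) classifies an installed Fusion version as affected or fixed. The default bundle path and the use of PlistBuddy to read CFBundleShortVersionString are assumptions about a standard macOS install.

```shell
#!/bin/sh
# Added example: classify a VMware Fusion version against the
# VMSA-2024-0018 response matrix (13.x affected, fixed in 13.6).

AFFECTED_MAJOR=13   # affected release line per the response matrix: 13.x
FIXED_MINOR=6       # first fixed release per the response matrix: 13.6

# fusion_status VERSION
# Prints one of: affected | fixed | not-listed | unparseable
fusion_status() {
    # Accept only dotted decimal strings such as 13.5.2; reject anything else.
    case "$1" in
        ''|*[!0-9.]*|.*|*..*|*.) echo unparseable; return 0 ;;
    esac
    major=${1%%.*}
    case "$1" in
        *.*) rest=${1#*.} ;;   # everything after the first dot
        *)   rest=0 ;;         # a bare "13" is treated as 13.0
    esac
    minor=${rest%%.*}
    if [ "$major" -ne "$AFFECTED_MAJOR" ]; then
        echo not-listed        # the advisory only covers the 13.x line
    elif [ "$minor" -lt "$FIXED_MINOR" ]; then
        echo affected
    else
        echo fixed
    fi
}

# installed_fusion_version [APP_PATH]
# Prints the bundle's short version string; returns non-zero if not found.
# The default path is an assumption (standard install location).
installed_fusion_version() {
    app=${1:-"/Applications/VMware Fusion.app"}
    plist="$app/Contents/Info.plist"
    [ -f "$plist" ] || return 1
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist" 2>/dev/null
}

if ver=$(installed_fusion_version); then
    echo "VMware Fusion $ver: $(fusion_status "$ver")"
else
    echo "VMware Fusion not found at the default path"
fi
```

A `not-listed` result means the version falls outside the 13.x line the advisory covers, so it says nothing about whether that release is affected.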
4. References:
Fixed Version(s) and Release Notes:
VMware Fusion 13.6
Downloads and Documentation
https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware%20Fusion
https://docs.vmware.com/en/VMware-Fusion/13.6/rn/vmware-fusion-136-release-notes/index.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38811
FIRST CVSSv3 Calculator:
CVE-2024-38811: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
5. Change Log:
2024-09-03 VMSA-2024-0018
Initial security advisory.
6. Contact:
E-mail: [email protected]
PGP key
https://knowledge.broadcom.com/external/article/321551
VMware Security Advisories
https://www.broadcom.com/support/vmware-security-advisories
VMware External Vulnerability Response and Remediation Policy
https://www.broadcom.com/support/vmware-services/security-response
VMware Lifecycle Support Phases
https://support.broadcom.com/group/ecx/productlifecycle
VMware Security Blog
https://blogs.vmware.com/security
X
https://x.com/VMwareSRC
Copyright 2024 Broadcom. All rights reserved.