CVE-2022-22977: VMware Guest Authentication Service LPE (FIXED)

A low-privileged local attacker can prevent the VMware Guest Authentication service (VGAuthService.exe) from running in a guest Windows environment and can crash this service, thus rendering the guest unstable. In some very contrived circumstances, the attacker can leak file content to which they do not have read access. We believe this would be scored as CVSSv3 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H or 6.1 and is an instance of CWE-73: External Control of File Name or Path.

Product description

The VMware Guest Authentication Service (VGAuthService.exe) is part of the VMware Tools suite of software used to provide integration services with other VMware services. It is commonly installed on Windows guest operating systems, though it appears that its only function is to mystify users when it fails.

Credit

This issue was discovered by Jake Baines of Rapid7. It is being disclosed in accordance with Rapid7's vulnerability disclosure policy.

Exploitation

The versions of VMware host and guest operating systems are:

Host platform: macOS Big Sur 11.6.1

Host software: VMware Fusion Professional 12.2.1 (18811640)

Virtualized platform: Windows 10.0.17763.1999 and Windows Server 2019

Vulnerable software: VGAuthService.exe (VMware Guest Authentication Service) “File version: 11.3.5.59284”, “Product version 1.0.0. Build-18556986”

Once running, the VMware Guest Authentication Service (VGAuthService.exe) is a service running with NT AUTHORITY\SYSTEM permissions, and it attempts to read files from the non-existent directory C:\Program%20Files\VMware\VMware%20Tools during start-up.


A low-privileged user can create this directory structure and cause VGAuthService.exe to read attacker-controlled files. The files th ..
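A defender-side check for the condition described above, as an added example that is not part of the Rapid7 advisory: it looks for the percent-encoded directory tree on a Windows guest and reports who owns each level that exists. The function name and the list of trusted owners are assumptions made for this illustration.

```powershell
# Added example, not from the advisory: look for the percent-encoded
# directory tree that VGAuthService.exe tries to read at start-up.
$ProbePath = 'C:\Program%20Files\VMware\VMware%20Tools'   # path from the advisory

# Assumption: owners considered legitimate for directories under C:\.
# Names are for English-language Windows; adjust for localized builds.
$TrustedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

function Get-ProbePathFinding {   # hypothetical helper name
    param([string]$Path = $ProbePath)

    $root = [System.IO.Path]::GetPathRoot($Path)
    $current = $Path
    # Walk from the leaf up to (not including) the drive root, so a
    # partially created tree such as C:\Program%20Files is also reported.
    while ($current -and $current -ne $root) {
        if (Test-Path -LiteralPath $current) {
            $item = Get-Item -LiteralPath $current -Force
            $owner = (Get-Acl -LiteralPath $current).Owner
            $children = @(Get-ChildItem -LiteralPath $current -Force -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Path           = $current
                Owner          = $owner
                CreatedUtc     = $item.CreationTimeUtc
                UntrustedOwner = $TrustedOwners -notcontains $owner
                ChildCount     = $children.Count
            }
        }
        $current = [System.IO.Path]::GetDirectoryName($current)
    }
}

$findings = @(Get-ProbePathFinding)
if ($findings.Count -eq 0) {
    'OK: no part of the percent-encoded path exists on this guest.'
} else {
    # Any hit deserves review; an untrusted owner suggests a non-admin created it.
    $findings | Sort-Object Path | Format-Table -AutoSize
}
```

Because the directory does not exist on a clean install, any row in the output is worth investigating, and the creation time and owner help tie it to a specific account.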
