“VMware Workstation and Player contain a vulnerability in the handling of the vmware-mount command. A local malicious user may exploit this vulnerability to escalate their privileges to root on the host OS,” reads an advisory published by the company on Thursday.
VMware Workstation 9.x, VMware Workstation 8.x, VMware Player 5.x, and VMware Player 4.x are impacted, but only if they’re installed on a Debian-based version of Linux.
To address the issue, users are advised to remove the setuid bit from vmware-mount by running the following command as root, a workaround that can be implemented in both Player and Workstation:

    # chmod u-s /usr/bin/vmware-mount
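The workaround above, as an added shell example that is not part of VMware's advisory: it reports whether a file still carries the setuid bit, removes the bit, and confirms the result. The function names and the VMWARE_MOUNT variable are assumptions made for this example; the default path is the one given in the advisory.

```shell
#!/bin/sh
# Added example: audit and apply the setuid workaround for vmware-mount.
# setuid_state, apply_workaround and VMWARE_MOUNT are names chosen here.

# Print "setuid", "not-setuid" or "missing" for the given file.
setuid_state() {
    target=$1
    if [ ! -e "$target" ]; then
        echo missing
    elif [ -u "$target" ]; then
        echo setuid
    else
        echo not-setuid
    fi
}

# Remove the setuid bit and verify that it is gone.
# Returns 0 if the file ends up without setuid,
#         1 if chmod failed or the bit is still set,
#         2 if the file does not exist at that path.
apply_workaround() {
    target=$1
    case $(setuid_state "$target") in
        missing)    return 2 ;;
        not-setuid) return 0 ;;
    esac
    chmod u-s "$target" || return 1
    [ "$(setuid_state "$target")" = not-setuid ]
}

# Report-only by default: show the current state of the advisory's path.
VMWARE_MOUNT=${VMWARE_MOUNT:-/usr/bin/vmware-mount}
echo "$VMWARE_MOUNT: $(setuid_state "$VMWARE_MOUNT")"
```

Run as root, `apply_workaround "$VMWARE_MOUNT"` makes the change; the script on its own only reports the current state.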
The vulnerability has been identified by Tavis Ormandy from the Google Security Team.