Vagrant VMware Plugins - Recommended Upgrade

[Chris Roberts]

Hi everyone,

The new Vagrant VMware Desktop plugin has been released today. This plugin resolves a number of security vulnerabilities present in the Vagrant VMware Fusion and Vagrant VMware Workstation plugins. Updating to the new plugin is highly recommended. The Vagrant VMware Desktop plugin supports licenses used for the Vagrant VMware Workstation and Vagrant VMware Fusion plugins, so existing users can update without needing to modify their existing licenses.

The Vagrant VMware Desktop plugin includes fixes for a root privilege escalation vulnerability which could be used by a malicious Vagrantfile or previously installed malware. The issues were first reported to HashiCorp in late 2017 and led to the full restructuring and unification of the plugin. The unified plugin now includes an isolated process which handles all privileged operations and is installed via system installers to ensure the safety of the installation process. This extraction of privileged operations from the Vagrant plugin also removes the requirement for users to be able to escalate their privileges to install or use the plugin.

I want to extend my thanks to the researcher who discovered and reported the vulnerabilities, and allowed us time to release an update before disclosing them. My apologies for how long the release has taken.

For installation instructions, please refer to the VMware provider documentation page:

  https://www.vagrantup.com/docs/vmware/installation.html

If you have any problems updating to the new Vagrant VMware Desktop plugin, please send an email to sup...@hashicorp.com.

Cheers!

- Chris Roberts